Windows Analysis Report
plotdemo.exe

Overview

General Information

Sample name: plotdemo.exe
Analysis ID: 1531073
MD5: fbce37d191eb18a9b005539336aea939
SHA1: 37588e9f8796a0480638a4ff00d305dbdb472146
SHA256: 60f39e5220113596f51c5eabca7d6f81c603487971d58b7df9b8dbc093edbfae

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Drops HTML or HTM files to system directories
Sets file extension default program settings to executables
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • plotdemo.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\plotdemo.exe" MD5: FBCE37D191EB18A9B005539336AEA939)
    • msiexec.exe (PID: 6756 cmdline: MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{96644CA9-8EA3-446B-8568-6E1624759883}\PSI-Plot Ver 10.5 Working Demo.msi" SETUPEXEDIR="C:\Users\user\Desktop" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 6856 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6992 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8C8A1754951F47B4EB3715E07FE2E622 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • InstPost.exe (PID: 7092 cmdline: "C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe" MD5: AEE180154B6C0A64DB80E8824B9DED9A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: plotdemo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\readme.rtf
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\README.TXT
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\README.rtf
Source: Binary string: pscript5.pdb source: PSCRIPT5.DLL.7.dr, PSCRIPT5.DLL0.2.dr
Source: Binary string: f:\InstPost\Release\InstPost.pdb source: InstPost.exe, 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp, InstPost.exe, 00000007.00000000.1956464551.0000000000428000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: pscript5.pdbH source: PSCRIPT5.DLL.7.dr
Source: Binary string: MicrosoftWindowsGdiPlus-10100-gdiplus.pdb source: GdiPlus.dll.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_0041744C CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose
Source: C:\Users\user\Desktop\plotdemo.exe | File opened: C:\Users\user\AppData\Local\Temp\_is8C78\0x0409.ini
Source: C:\Users\user\Desktop\plotdemo.exe | File opened: C:\Users\user\AppData\Local\Temp\_is8C78\
Source: C:\Users\user\Desktop\plotdemo.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\plotdemo.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\plotdemo.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\plotdemo.exe | File opened: C:\Users\user\
Source: ALIGN.PS.2.dr, WRFONT.PS.2.dr, FONT2PCL.PS.2.dr, GS_RES.PS.2.dr, PDF_FONT.PS.2.dr, GS_EPSF.PS.2.dr, WFTOPFA.PS.2.dr, GS_DPS.PS.2.dr, GS_LGO_E.PS.2.dr, GS_CCFNT.PS.2.dr, MARKHINT.PS.2.dr, GS_KANJI.PS.2.dr, GS_LL3.PS.2.dr, UNPROT.PS.2.dr, GS_WL5_E.PS.2.dr, GS_FRSD.PS.2.dr, GS_ICC.PS.2.dr, GS_DPNXT.PS.2.dr, MARKPATH.PS.2.dr, PPHS.PS.2.dr, PDF_BASE.PS.2.dr | String found in binary or memory: http://www.artifex.com/licensing/
Source: ALIGN.PS.2.dr, WRFONT.PS.2.dr, FONT2PCL.PS.2.dr, GS_RES.PS.2.dr, PDF_FONT.PS.2.dr, GS_EPSF.PS.2.dr, WFTOPFA.PS.2.dr, GS_DPS.PS.2.dr, GS_LGO_E.PS.2.dr, GS_CCFNT.PS.2.dr, MARKHINT.PS.2.dr, GS_KANJI.PS.2.dr, GS_LL3.PS.2.dr, UNPROT.PS.2.dr, GS_WL5_E.PS.2.dr, GS_FRSD.PS.2.dr, GS_ICC.PS.2.dr, GS_DPNXT.PS.2.dr, MARKPATH.PS.2.dr, PPHS.PS.2.dr, PDF_BASE.PS.2.dr | String found in binary or memory: http://www.ghostscript.com/licensing/.
Source: PDF_SEC.PS.2.dr | String found in binary or memory: http://www.ozemail.com.au/%7Egeoffk/pdfencrypt/
Source: GdiPlus.dll.2.dr | Binary or memory string: DirectDrawCreateExmemstr_52bd2abf-e
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_0040D4FC GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00416579 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\Desktop\plotdemo.exe | File created: C:\Windows\Downloaded Installations
Source: C:\Users\user\Desktop\plotdemo.exe | File created: C:\Windows\Downloaded Installations\{96644CA9-8EA3-446B-8568-6E1624759883}
Source: C:\Users\user\Desktop\plotdemo.exe | File created: C:\Windows\Downloaded Installations\{96644CA9-8EA3-446B-8568-6E1624759883}\PSI-Plot Ver 10.5 Working Demo.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5ee891.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{CF7D8275-38F3-42CF-AF3D-29B1BF918926}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIED35.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\PSIPLOT.INI
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut1_E57AF06D4375496697A2B3227B8F52A3.EXE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htm
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut6_B94EC0BE542B4F308679E8D52BAD769F.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut7_B94EC0BE542B4F308679E8D52BAD769F.PDF
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5ee893.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5ee893.msi
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\system32\spool\drivers\x64\3\PSIPSCRP.PPD
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\system32\spool\DRIVERS\x64\PSIPSCRP.PPD
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\system32\spool\DRIVERS\x64\PS5UI.DLL
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT5.DLL
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT.HLP
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT.NTF
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\5ee893.msi
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00421150
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_004263C6
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00407797
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_0040ECDE
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00426021
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_004250A0
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00416960
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_004249E0
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00416AF6
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00421332
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00417BC9
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_0041739D
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_0042449E
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00419F47
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00423F5C
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00416FC9
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_0041DFFE
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_004177A9
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: String function: 0041C340 appears 129 times
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: String function: 00415DFE appears 68 times
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: String function: 00416904 appears 47 times
Source: PSCRIPT5.DLL.2.dr | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: PS5UI.DLL.2.dr | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: PS5UI.DLL.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: PSCRIPT5.DLL0.2.dr | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: PSCRIPT5.DLL0.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: PS5UI.DLL0.2.dr | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: PS5UI.DLL.7.dr | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: PSCRIPT5.DLL.7.dr | Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: plotdemo.exe, 00000000.00000000.1667542232.0000000000438000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesetup.exe vs plotdemo.exe
Source: plotdemo.exe | Binary or memory string: OriginalFilenamesetup.exe vs plotdemo.exe
Source: plotdemo.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: sus36.winEXE@8/327@0/0
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00416579 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00415C4F LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00408489 CoCreateInstance,wsprintfA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrlenW,wsprintfA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,CoCreateGuid,lstrcatA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrcatA,CreateProcessA,SysFreeString,lstrlenW,wsprintfA,WaitForInputIdle,CloseHandle,CloseHandle,CloseHandle,Sleep,CreateItemMoniker,GetRunningObjectTable,SysFreeString,RegCloseKey,RegCloseKey,RegCloseKey,SysFreeString
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_00408223 FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\Public\Desktop\PSI-Plot Working Demo.lnk
Source: C:\Users\user\Desktop\plotdemo.exe | File created: C:\Users\user\AppData\Local\Temp\~8C68.tmp
Source: plotdemo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\plotdemo.exe | File read: C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI
Source: C:\Users\user\Desktop\plotdemo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\plotdemo.exe | File read: C:\Users\user\Desktop\plotdemo.exe
Source: unknown | Process created: C:\Users\user\Desktop\plotdemo.exe "C:\Users\user\Desktop\plotdemo.exe"
Source: C:\Users\user\Desktop\plotdemo.exe | Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{96644CA9-8EA3-446B-8568-6E1624759883}\PSI-Plot Ver 10.5 Working Demo.msi" SETUPEXEDIR="C:\Users\user\Desktop"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C8A1754951F47B4EB3715E07FE2E622 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe "C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe"
Source: C:\Users\user\Desktop\plotdemo.exe | Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{96644CA9-8EA3-446B-8568-6E1624759883}\PSI-Plot Ver 10.5 Working Demo.msi" SETUPEXEDIR="C:\Users\user\Desktop"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C8A1754951F47B4EB3715E07FE2E622 C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe "C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe"
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\plotdemo.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Section loaded: textshaping.dll
Source: psiplot.lnk.2.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE
Source: Readme.lnk.2.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\PSI\PSIPLOT\readme.htm
Source: TUTORIAL.lnk.2.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\PSI\PSIPLOT\TUTORIAL.PDF
Source: PSI-Plot Working Demo.lnk.2.dr | LNK file: ..\..\..\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE
Source: C:\Users\user\Desktop\plotdemo.exe | File written: C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: plotdemo.exe | Static file information: File size 21190666 > 1048576
Source: Binary string: pscript5.pdb source: PSCRIPT5.DLL.7.dr, PSCRIPT5.DLL0.2.dr
Source: Binary string: f:\InstPost\Release\InstPost.pdb source: InstPost.exe, 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp, InstPost.exe, 00000007.00000000.1956464551.0000000000428000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: pscript5.pdbH source: PSCRIPT5.DLL.7.dr
Source: Binary string: MicrosoftWindowsGdiPlus-10100-gdiplus.pdb source: GdiPlus.dll.2.dr
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_0040E3D8 __EH_prolog,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: gdiplus.dll.2.dr | Static PE information: section name: Shared
Source: GdiPlus.dll.2.dr | Static PE information: section name: Shared
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_0041C340 push eax; ret 0_2_0041C35E
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_0041C310 push eax; ret 0_2_0041C33E
Source: C:\Users\user\Desktop\plotdemo.exe | Code function: 0_2_0041CA5C push 880041CAh; retf 0041h 0_2_0041CA61
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00416949 push ecx; ret 7_2_0041695C
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | Code function: 7_2_00415E9D push ecx; ret 7_2_00415EB0
Source: gdiplus.dll.2.dr | Static PE information: section name: .text entropy: 6.8196811563189135
Source: GdiPlus.dll.2.dr | Static PE information: section name: .text entropy: 6.825071221107194

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htm
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT5.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT.DRV
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\GSDLL32.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WinEx\PS5UI.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\System32\spool\drivers\x64\PS5UI.DLL
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\ICONLIB.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSMON.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htm
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PS5UI.DLL
Source: C:\Windows\System32\msiexec.exe | File created: C:\gdiplus.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WinEx\PSCRIPT5.DLL
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIA4B2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut7_B94EC0BE542B4F308679E8D52BAD769F.PDF
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\GdiPlus.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\GSWIN32C.EXE
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\System32\spool\drivers\x64\PS5UI.DLL
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | File created: C:\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htmJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut7_B94EC0BE542B4F308679E8D52BAD769F.PDFJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT.DRVJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htmJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut7_B94EC0BE542B4F308679E8D52BAD769F.PDFJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\readme.rtfJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\PSI\PSIPLOT\README.TXTJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\PSI\PSIPLOT\README.rtfJump to behavior
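Two of the drops above are worth a second look as file-content versus file-name mismatches: NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htm lands under C:\Windows\Installer with an .htm extension but is recorded as a PE32 image, and InstPost.exe writes PE32+ print-driver DLLs into C:\Windows\System32\spool\drivers\x64. A triage check for exactly this, added here as an example and not part of the Joe Sandbox report or of the PSI-Plot installer: read the DOS header, follow e_lfanew to the PE signature, take IMAGE_OPTIONAL_HEADER.Magic to tell PE32 (0x10B) from PE32+ (0x20B), and compare the result with the extension. The paths in SAMPLE_DROPS are the report's; the header bytes are constructed stubs, not the installer's real files.

```python
"""Check whether a dropped file's content is a PE image regardless of its
extension, and report PE32 vs PE32+ (the two formats the report records).
Added example for this report, not Joe Sandbox code; SAMPLE_DROPS holds
constructed header stubs, not bytes from the analysed installer."""
import ntpath
import struct

# Extensions under which a PE image is expected; anything else is a mismatch.
PE_EXTENSIONS = {".exe", ".dll", ".drv", ".sys", ".ocx", ".cpl", ".scr", ".mui"}


def pe_format(data: bytes):
    """Return 'PE32', 'PE32+' or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_OPTIONAL_HEADER.Magic follows the 4-byte signature and 20-byte file header
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)


def extension_mismatches(files):
    """files maps path -> leading bytes. Returns (path, format) for every PE image
    stored under an extension not in PE_EXTENSIONS."""
    hits = []
    for path, head in files.items():
        fmt = pe_format(head)
        if fmt and ntpath.splitext(path)[1].lower() not in PE_EXTENSIONS:
            hits.append((path, fmt))
    return hits


def make_pe_stub(magic: int) -> bytes:
    """Constructed fixture: a minimal DOS header plus PE signature, file header and
    optional-header Magic. Not loadable, just enough for pe_format()."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew = 0x40
    nt = b"PE\0\0" + b"\0" * 20 + struct.pack("<H", magic) + b"\0" * 0x5E
    return bytes(dos) + nt


# Constructed: paths are the report's, contents are stubs (PE32 for the .htm and
# .tmp drops, PE32+ for the x64 print-driver DLL, plain text for the readme).
SAMPLE_DROPS = {
    r"C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htm": make_pe_stub(0x10B),
    r"C:\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL": make_pe_stub(0x20B),
    r"C:\Users\user\AppData\Local\Temp\MSIA4B2.tmp": make_pe_stub(0x10B),
    r"C:\Program Files (x86)\PSI\PSIPLOT\README.TXT": b"PSI-Plot readme, not a PE image",
}

if __name__ == "__main__":
    for path, fmt in extension_mismatches(SAMPLE_DROPS):
        print(f"{fmt} image behind non-PE extension: {path}")
```

Run against real drops, read the first few hundred bytes of each file into the dict; the .tmp file is reported as a mismatch too, which matches the report's own listing of MSIA4B2.tmp as a dropped PE file.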

Boot Survival

Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIData\shell\open\command C:\Program Files (x86)\PSI\PSIPLOT\psiplot.exe %1Jump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIGraph.PSIPlot.8\shell\open\command C:\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE %1Jump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIReport\shell\open\command C:\Program Files (x86)\PSI\PSIPLOT\psiplot.exe %1Jump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIProject\shell\open\command C:\Program Files (x86)\PSI\PSIPLOT\psiplot.exe %1Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PSI-PlotJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PSI-Plot\psiplot.lnkJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PSI-Plot\Readme.lnkJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PSI-Plot\TUTORIAL.lnkJump to behavior
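The four shell\open\command values above bind the PSIData, PSIGraph.PSIPlot.8, PSIReport and PSIProject ProgIDs to psiplot.exe, which is what the "Sets file extension default program settings to executables" signature reports. For an installer that is expected; what an analyst wants to know is where each handler points and how the value is written. The following check is an added example, not code from the report or from PSI-Plot: it parses a .reg export of such keys, pulls the executable out of each command, and flags handlers outside the usual install roots as well as unquoted paths containing spaces (if the value really is stored without quotes, as displayed above, CreateProcess resolves the module by trying each space-delimited prefix of the path first). The .reg text is constructed to mirror the recorded values, plus one hypothetical ExampleDoc handler under AppData so the check has a positive case.

```python
"""Audit HKLM\\SOFTWARE\\Classes\\<ProgID>\\shell\\open\\command handlers from a
registry export. Added example, not from the report or PSI-Plot; SAMPLE_REG is
constructed to mirror the four recorded handlers plus one hypothetical one."""
import re

# Constructed .reg text. The first four keys mirror the "Registry value created"
# entries above; ExampleDoc is hypothetical and exists only to exercise the check.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIData\shell\open\command]
@="C:\\Program Files (x86)\\PSI\\PSIPLOT\\psiplot.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIGraph.PSIPlot.8\shell\open\command]
@="C:\\Program Files (x86)\\PSI\\PSIPLOT\\PSIPLOT.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIReport\shell\open\command]
@="C:\\Program Files (x86)\\PSI\\PSIPLOT\\psiplot.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PSIProject\shell\open\command]
@="C:\\Program Files (x86)\\PSI\\PSIPLOT\\psiplot.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ExampleDoc\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Roaming\\upd\\helper.exe\" \"%1\""
'''

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
VAL_RE = re.compile(r'^@="(.*)"$')   # default value of the key, .reg-escaped

# Roots where an installer-registered handler is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_handlers(reg_text):
    """Return {progid: command} for every shell\\open\\command key in the export."""
    handlers, progid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            progid = key.group(1)
            continue
        val = VAL_RE.match(line)
        if val and progid:
            # .reg escaping: \\ is a backslash, \" is a quote
            handlers[progid] = re.sub(r'\\(["\\])', r"\1", val.group(1))
            progid = None
    return handlers


def command_executable(command):
    """Split the executable out of a handler command. Returns (exe, quoted)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)], True
    # Unquoted, as the recorded values are displayed: the path runs up to the
    # first argument placeholder such as %1.
    return command.split(" %", 1)[0].strip(), False


def audit_handlers(reg_text):
    """Return (progid, finding) pairs for handlers worth a second look."""
    findings = []
    for progid, command in parse_handlers(reg_text).items():
        exe, quoted = command_executable(command)
        if not exe.lower().startswith(TRUSTED_ROOTS):
            findings.append((progid, "handler outside trusted install roots: " + exe))
        if not quoted and " " in exe:
            findings.append((progid, "unquoted path with spaces: " + exe))
    return findings


if __name__ == "__main__":
    for progid, finding in audit_handlers(SAMPLE_REG):
        print(f"{progid}: {finding}")
```

On a live system, feed it the output of `reg export HKLM\SOFTWARE\Classes classes.reg`; the four PSI handlers only trip the quoting check, while the hypothetical AppData handler trips the location check.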
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_004011E0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,PostMessageA,7_2_004011E0
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_0040ADDE MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,7_2_0040ADDE
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_00417252 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00417252
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT5.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT.DRVJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\GSDLL32.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WinEx\PS5UI.DLLJump to dropped file
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeDropped PE file which has not been started: C:\Windows\System32\spool\drivers\x64\PS5UI.DLLJump to dropped file
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeDropped PE file which has not been started: C:\Windows\System32\spool\drivers\x64\PSCRIPT5.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\ICONLIB.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSMON.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXEJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htmJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PS5UI.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\gdiplus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WinEx\PSCRIPT5.DLLJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA4B2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut7_B94EC0BE542B4F308679E8D52BAD769F.PDFJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\GSWIN32C.EXEJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\PSI\PSIPLOT\GdiPlus.dllJump to dropped file
Source: C:\Users\user\Desktop\plotdemo.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_0041744C CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,0_2_0041744C
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_00411E38 GetVersionExA,GetSystemInfo,0_2_00411E38
Source: C:\Users\user\Desktop\plotdemo.exeFile opened: C:\Users\user\AppData\Local\Temp\_is8C78\0x0409.iniJump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeFile opened: C:\Users\user\AppData\Local\Temp\_is8C78\Jump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeFile opened: C:\Users\user\AppData\Jump to behavior
Source: C:\Users\user\Desktop\plotdemo.exeFile opened: C:\Users\user\Jump to behavior
Source: GS_RES.PS.2.drBinary or memory string: (END CATEGORY) VMDEBUG
Source: GS_RES.PS.2.drBinary or memory string: (END MISC) VMDEBUG
Source: GS_RES.PS.2.drBinary or memory string: (END GENERIC) VMDEBUG
Source: GS_RES.PS.2.drBinary or memory string: (END FIXED) VMDEBUG
Source: GS_RES.PS.2.drBinary or memory string: (BEGIN RESOURCES) VMDEBUG
Source: GS_RES.PS.2.drBinary or memory string: (END ENCODING) VMDEBUG
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeAPI call chain: ExitProcess graph end nodegraph_7-19107
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeAPI call chain: ExitProcess graph end nodegraph_7-19358
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_004195B5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_004195B5
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_0040E3D8 __EH_prolog,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_0040E3D8
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_00402C48 GetFileSize,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00402C48
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_00421C4C SetUnhandledExceptionFilter,0_2_00421C4C
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_00421C3A SetUnhandledExceptionFilter,0_2_00421C3A
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_0041F842 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0041F842
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_0041AABB SetUnhandledExceptionFilter,7_2_0041AABB
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_004195B5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_004195B5
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_00414E70 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00414E70
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_0041664E GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_0041664E
Source: plotdemo.exeBinary or memory string: Shell_TrayWnd
Source: plotdemo.exeBinary or memory string: %s SetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLogShell_TrayWndArialCancel%x,ALLCANCELDescriptionMSlovenianBasquedefault%#04xTitle.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyISScript.MsiCacheFolderCacheRootLocationTypeScriptVerSuppressWrongOSSuppressReboot dotnetredistSp2.exelangpack.exeMicrosoft(R) .NET FrameworkJ#CmdLine/jscmd:\"""/q:a /C:\"J#Version/jsharpver:DotNetLangPacks /langs: /coreui:DotNetLangPackCmd /langcmd:"/c:\"\" /q:a" DotNetFxCmd" /c:" /ver: /q:a /l%d /q:a /c:"install /q"vjredist.exeDotNetCoreSetupUILang1033dotnetredist.exedotnetfx.exeInstallerLocationSoftware\Microsoft\Windows\CurrentVersion\Installer1.01.1J#OptionalJ#InstallOptionIfSilentISSCHEDULEREBOOT=1 ISSCHEDULEREBOOT=1ISScript10.Msiinstmsi30.exeRunAsLaunchingUser]
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_00421F05 cpuid 7_2_00421F05
Source: C:\Users\user\Desktop\plotdemo.exeCode function: GetLocaleInfoA,0_2_004167D1
Source: C:\Users\user\Desktop\plotdemo.exeCode function: GetLocaleInfoA,TranslateCharsetInfo,0_2_00416774
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: _strcpy_s,GetLocaleInfoA,__snprintf_s,LoadLibraryA,7_2_00407DFE
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,7_2_0042641C
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: GetLocaleInfoA,7_2_00423D63
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exeCode function: 7_2_0041B36D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_0041B36D
Source: C:\Users\user\Desktop\plotdemo.exeCode function: 0_2_0041DB0C EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_0041DB0C
MITRE ATT&CK matrix (techniques with the number of matching signatures; tactics and cells without a match are omitted)

Initial Access: Replication Through Removable Media (1)
Execution: Native API (1)
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1); Process Injection (2); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (132); Access Token Manipulation (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: Input Capture (2)
Discovery: System Time Discovery (1); Security Software Discovery (21); Process Discovery (2); Application Window Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (4); System Information Discovery (36)
Collection: Input Capture (2); Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)

No techniques matched under Reconnaissance, Resource Development, Lateral Movement or Exfiltration.
Behavior Graph (ID 1531073, sample plotdemo.exe, start date 10/10/2024, architecture WINDOWS, score 36)

Start
  msiexec.exe (node counters 132, 340)
    dropped: NewShortcut3_B94EC...679E8D52BAD769F.htm, PE32
    dropped: C:\Program Files (x86)\PSI\...\PSIPLOT.EXE, PE32
    dropped: C:\gdiplus.dll, PE32
    dropped: 12 other files (none is malicious)
    signatures: Drops HTML or HTM files to system directories; Sets file extension default program settings to executables
    started: InstPost.exe (node counters 91, 14)
      dropped: C:\Windows\System32\spool\...\PSCRIPT5.DLL, PE32+
      dropped: C:\Windows\System32\spool\...\PS5UI.DLL, PE32+
    started: msiexec.exe
  plotdemo.exe (node counter 18)
    started: msiexec.exe (node counter 8)
      dropped: C:\Users\user\AppData\Local\...\MSIA4B2.tmp, PE32

Antivirus detection (Source | Detection | Scanner; the Label and Link columns were empty for every entry)

Initial sample:
plotdemo.exe | 2% | ReversingLabs

Dropped files:
C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\GSDLL32.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\GPLGS\GSWIN32C.EXE | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\GdiPlus.dll | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\ICONLIB.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PS5UI.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT.DRV | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSCRIPT5.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\PSMON.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WinEx\PS5UI.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WinEx\PSCRIPT5.DLL | 0% | ReversingLabs
C:\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA4B2.tmp | 0% | ReversingLabs
C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut3_B94EC0BE542B4F308679E8D52BAD769F.htm | 0% | ReversingLabs
C:\Windows\Installer\{CF7D8275-38F3-42CF-AF3D-29B1BF918926}\NewShortcut7_B94EC0BE542B4F308679E8D52BAD769F.PDF | 0% | ReversingLabs
C:\Windows\System32\spool\drivers\x64\PS5UI.DLL | 0% | ReversingLabs
C:\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL | 0% | ReversingLabs
C:\gdiplus.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in dropped files (Name | Source | Malicious | Antivirus Detection | Reputation)

http://www.ozemail.com.au/%7Egeoffk/pdfencrypt/ | PDF_SEC.PS.2.dr | false | | unknown
http://www.ghostscript.com/licensing/. | ALIGN.PS.2.dr, WRFONT.PS.2.dr, FONT2PCL.PS.2.dr, GS_RES.PS.2.dr, PDF_FONT.PS.2.dr, GS_EPSF.PS.2.dr, WFTOPFA.PS.2.dr, GS_DPS.PS.2.dr, GS_LGO_E.PS.2.dr, GS_CCFNT.PS.2.dr, MARKHINT.PS.2.dr, GS_KANJI.PS.2.dr, GS_LL3.PS.2.dr, UNPROT.PS.2.dr, GS_WL5_E.PS.2.dr, GS_FRSD.PS.2.dr, GS_ICC.PS.2.dr, GS_DPNXT.PS.2.dr, MARKPATH.PS.2.dr, PPHS.PS.2.dr, PDF_BASE.PS.2.dr | false | | unknown
http://www.artifex.com/licensing/ | same 21 .PS.2.dr files as the previous row | false | | unknown
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1531073
        Start date and time:2024-10-10 20:17:11 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 37s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:11
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:plotdemo.exe
        Detection:SUS
        Classification:sus36.winEXE@8/327@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 132
        • Number of non-executed functions: 219
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtSetInformationFile calls found.
        • VT rate limit hit for: plotdemo.exe
        No simulations
        No context
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:modified
        Size (bytes):32691
        Entropy (8bit):5.781577984414057
        Encrypted:false
        SSDEEP:192:d7wCCZ4TZUrgtllanj9zerc9bsIel3DQC4yVV8Wnc3i0JSwRv3yRgKa5QDcs62/5:d7fS4T9tazHsIBuTdW2/CXj2Xjj1H
        MD5:646EEC09315EEA73C66E6722F6203A42
        SHA1:4D909790C3CD23B7A6A95A85BF08FC89D5AF2188
        SHA-256:75AFBA54B74D6AFC535C051E974B093062B8A6BC622ADD0626D0A62F5C4ADB78
        SHA-512:594FF18DD89E8ED912BBDB444ACBA91305C385813B69E0C5E75BE8E14CBBEA5B22715084D9DD791095F5BA4C9D4D4338B8C0F1EE4AC639919A2563E138395944
        Malicious:false
        Reputation:low
        Preview:...@IXOS.@.....@NrJY.@.....@.....@.....@.....@.....@......&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}..PSI-Plot Ver 10.5 Working Demo".PSI-Plot Ver 10.5 Working Demo.msi.@.....@..2..@.....@......ARPPRODUCTICON.exe..&.{96644CA9-8EA3-446B-8568-6E1624759883}.....@.....@.....@.....@.......@.....@.....@.......@......PSI-Plot Ver 10.5 Working Demo......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B9B49F47-72FB-4C42-A0F9-9E4492A71FE0}&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}.@......&.{BAB24BF8-D4F6-4030-9A13-DC98383C6B25}&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}.@......&.{B45E55D7-6469-4A47-B74A-0003A25261EC}&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}.@......&.{C24FD770-3983-48C6-B5EE-AB03577F5AA3}&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}.@......&.{B22CF873-FF8A-4C96-B1FE-77651757BC4C}&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}.@......&.{80B39869-648A-4015-949B-FBBA64623D42}&.{CF7D8275-38F3-42CF-AF3D-29B1B
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):73
        Entropy (8bit):4.277278890558361
        Encrypted:false
        SSDEEP:3:RKuQrr1oDQYJz3PYBEaD9w9:ouZxFgD9w9
        MD5:F0F6107B2F5CF96E75518FC3AA3EDCA8
        SHA1:A25EE660CE84BE74B4130F82E08FCE8E7C8254B8
        SHA-256:281D523C374D935B8D63AFEA6CAB79D5DBA5BBD8C0152F4A147B64BF137E1CA5
        SHA-512:75C38B1434463097D663658E3EC4A758FAAFA1EF4F1817A0BA1ED2DAF5DBAFF607295FB66AFD1F5AB4C3FD5E94035A97021AF2F34DBF7CD857F31D4C1C13F46F
        Malicious:false
        Reputation:low
        Preview://comment..number=time*speed..profit=price-cost..total=number*profit.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):148
        Entropy (8bit):4.872098408960154
        Encrypted:false
        SSDEEP:3:I4oc4PKIfkJ4maOqKNX4H1x09KNf3cALCrrUGaF:Focj6mkY9K4rkF
        MD5:6C16CD34FE54EE62DC82220CCAD2E769
        SHA1:EAFA9266C70A00E46C83D683F59FA3947B983D2E
        SHA-256:85D09253113F8F7FE9920357E26D1B97A198BE804EC115C49163517F146E476D
        SHA-512:4C2A6813B802861767B79CAE489193F70F67F93556C18FF7E6C1EBB9C81722DCF6B43B4C7AEC13A1DE45C9ECD7ABDECBB19B20F67917073F958CC4E810468506
        Malicious:false
        Reputation:low
        Preview:[INDVAR]: T..[DEPVAR]: Y..[PARAMS]: A, B, C, D..[EQUATIONS]:..Y=A/(1+EXP(B*(TT-C)))+D....[INIT PARAMS]:..A=115..B=0.12..C=110..D=42....ENDMODEL....
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):4.02302278826183
        Encrypted:false
        SSDEEP:48:UgZiQ53uFZspZQU4pH2Z3018phLgZiQ53uFZspZQU4pH2Z3018pegZiQ53uFZspq:lsRbvYzcsRbvY1sRbvYgIYfB97P
        MD5:B4EEE8FFE5BFA6842D360156D9C6E584
        SHA1:B745A8FC02C0E26F006570FDAF581C623323449E
        SHA-256:11166646F05BBF7B19523A81D038858EF7D8097DEFAC2BAA0B1474E7D7B3A431
        SHA-512:7BF314B37F7EE160E09170241DF0B33F9104FDEB4C59D6D6F4B34EF09A0F95F393C27D075CBB1022C428978F1EA00D4E553B1F7142A6A47C644D55D1D991B1D9
        Malicious:false
        Reputation:low
        Preview:[SYMBOL_COLOR_RGB]..Color1=0,0,255..Color2=7,7,255..Color3=15,15,255..Color4=23,23,255..Color5=31,31,255..Color6=39,39,255..Color7=47,47,255..Color8=55,55,255..Color9=63,63,255..Color10=71,71,255..Color11=79,79,255..Color12=87,87,255..Color13=95,95,255..Color14=103,103,255..Color15=111,111,255..Color16=119,119,255..Color17=127,127,255..Color18=135,135,255..Color19=143,143,255..Color20=151,151,255..Color21=159,159,255..Color22=167,167,255..Color23=175,175,255..Color24=183,183,255..Color25=191,191,255..Color26=199,199,255..Color27=207,207,255..Color28=215,215,255..Color29=223,223,255..Color30=231,231,255..Color31=239,239,255..Color32=247,247,255....[LINE_COLOR_RGB]..Color1=0,0,255..Color2=7,7,255..Color3=15,15,255..Color4=23,23,255..Color5=31,31,255..Color6=39,39,255..Color7=47,47,255..Color8=55,55,255..Color9=63,63,255..Color10=71,71,255..Color11=79,79,255..Color12=87,87,255..Color13=95,95,255..Color14=103,103,255..Color15=111,111,255..Color16=119,119,255..Color17=127,127,255..Color18=1
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):4.02302278826183
        Encrypted:false
        SSDEEP:48:UNpCJ6PAloBOm/vEBQRrW+gLNpCJ6PAloBOm/vEBQRrW+hNpCJ6PAloBOm/vEBQD:A1Dgr1DF1DjPyCd
        MD5:8D131F7E3D69BA7AE7B07040F941C3B6
        SHA1:6C1F4A04F1CC4528E21956B898B385A316212841
        SHA-256:6A9182AC03CDC279EFC53B2ED903C3089D554D9911F3A2E979C54953357BB685
        SHA-512:587B62182C504023DFFDF17D0D77E67789A5AACFA3CFFED8A88172E04D287589DED152207391A8EAB9E375921EA6B4C810FFE34DBE6BAC28F7962A8C0A703DD4
        Malicious:false
        Reputation:low
        Preview:[SYMBOL_COLOR_RGB]..Color32=0,0,255..Color31=7,7,255..Color30=15,15,255..Color29=23,23,255..Color28=31,31,255..Color27=39,39,255..Color26=47,47,255..Color25=55,55,255..Color24=63,63,255..Color23=71,71,255..Color22=79,79,255..Color21=87,87,255..Color20=95,95,255..Color19=103,103,255..Color18=111,111,255..Color17=119,119,255..Color16=127,127,255..Color15=135,135,255..Color14=143,143,255..Color13=151,151,255..Color12=159,159,255..Color11=167,167,255..Color10=175,175,255..Color9=183,183,255..Color8=191,191,255..Color7=199,199,255..Color6=207,207,255..Color5=215,215,255..Color4=223,223,255..Color3=231,231,255..Color2=239,239,255..Color1=247,247,255....[LINE_COLOR_RGB]..Color32=0,0,255..Color31=7,7,255..Color30=15,15,255..Color29=23,23,255..Color28=31,31,255..Color27=39,39,255..Color26=47,47,255..Color25=55,55,255..Color24=63,63,255..Color23=71,71,255..Color22=79,79,255..Color21=87,87,255..Color20=95,95,255..Color19=103,103,255..Color18=111,111,255..Color17=119,119,255..Color16=127,127,255..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):509
        Entropy (8bit):5.581417522428557
        Encrypted:false
        SSDEEP:12:jEXPK+FTJQjbmcTWGQlGqw3smMXYcv9L+BnKYnuPOwVn08u9b:yS6TJGmc4lGxg9ixKxdy8u
        MD5:4526AB013F56DC93B69CC822A811443B
        SHA1:A5271C89CC76DA359DC4B598A23182F6D9292EEF
        SHA-256:95D38D7D24BE4185A13C4B12D92FE97A037F0F69F66DB3F785CF474A0D8A72C1
        SHA-512:19A6B2692E919B92D6F10ED309640AB6790E277D88CFF800FC47069ABDCC434DAF51897EFC58AD9A13660EE1C9D734BF94A642C02FE4F40110A3D890C68BC531
        Malicious:false
        Reputation:low
        Preview:// A very stiff problem: can only be solved by Kaps-Rebtrop Method..[MODEL NAME]: CHEMICAL OSCILLATOR..[INDVAR]: T..[DEPVAR]: A,B,C..[PARAMS]: P1,P3,P2,P4....[EQUATIONS]:..A'=P2*(B+(1-P3*A-B)*A)..B'=(P1*C-(1+A)*B)/P2..C'=P4*(A-C)..END OF EQUATIONS....[PARAMS VALUES]:..P1=1.2..P2=70..P3=7.0E-5..P4=0.2....[INIT CONDITION]:..T=250..A=2.563..B=1.638..C=2.128....// specify the step size to collect data:..[STEP SIZE]: 0.1....// specify the stop value for independent variable:..[STOP VALUE]: 280....ENDMODEL....
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2529
        Entropy (8bit):4.033352216943422
        Encrypted:false
        SSDEEP:48:Uo+iA3iA9LohLFlaJLFZcN2g5WZ1c0CvWLVKrQMMZlosLapH5g3j8RPxgno5ZL2e:YqQ3MQ3+kXga0EqhIg8bS
        MD5:8E9B26C7BD8899F41F6BA451440B45A4
        SHA1:52BA4249D04932C9008FE08B66F875193302932C
        SHA-256:D2D1625AD66748843CEDC2A87B7187CEF60B675DB4BCCE153151A55BC4738917
        SHA-512:355C66CD9FD63EA885366A2C5B17EF81EFD293E32CA1C9F0CED776F8BAC6C4D963293D0BF62BBBDE15CA8223CF1A21A69AFD63FFB50324DECE891802E144A450
        Malicious:false
        Reputation:low
        Preview:[SYMBOL_COLOR_RGB]..Color1=0,255,0..Color2=255,0,0..Color3=255,255,0..Color4=0,255,255..Color5=255,128,255..Color6=128,128,255..Color7=255,128,64..Color8=192,192,192..Color9=0,128,0..Color10=128,0,0..Color11=128,128,0..Color12=64,128,128..Color13=255,0,128..Color14=0,0,160..Color15=198,64,0..Color16=128,128,128..Color17=128,255,128..Color18=255,128,128..Color19=255,255,128..Color20=128,255,255..Color21=255,128,255..Color22=85,170,255..Color23=255,170,130..Color24=212,212,212..Color25=0,83,0..Color26=74,0,0..Color27=79,79,0..Color28=0,100,100..Color29=145,0,72..Color30=0,0,100..Color31=74,37,0..Color32=51,51,51....[LINE_COLOR_RGB]..Color1=0,0,0..Color2=0,0,160..Color3=0,128,0..Color4=128,128,0..Color5=0,0,64..Color6=64,128,128..Color7=128,0,128..Color8=64,0,128..Color9=128,128,128..Color10=0,64,128..Color11=128,0,0..Color12=0,64,64..Color13=255,128,0..Color14=255,255,0..Color15=255,0,0..Color16=255,0,255..Color17=255,0,0..Color18=0,255,0..Color19=255,255,0..Color20=0,255,255..Color21=0,
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWGothicL-Book 1.05)
        Category:dropped
        Size (bytes):34871
        Entropy (8bit):7.957826990293074
        Encrypted:false
        SSDEEP:768:8LkA9WAuruHw3IW1/E6+WHUtSPk/LT7h4ehkFDaVBXc7IH6In8e:8LkA9WAuS2D1/E6oLHp2FDglx8e
        MD5:37495C1E231421084D87820806D42CDC
        SHA1:BCAB93E05FB8B75F426C53DE982281F695A2F2F3
        SHA-256:443B90AEDD8CB6EE4166437B24D51C7B46A6CE60564910F00664C5C7A9F405E8
        SHA-512:5B8B92F39786F3BED91B3B42D232B516473FB5957EEF3D4097B8C52249DC5E44509378439AC735DEE5DF09B5DB27707A4C9D316DE4E8BC3DCAAD93DC73E2434C
        Malicious:false
        Reputation:low
        Preview:..T...%!PS-AdobeFont-1.0: URWGothicL-Book 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license ap
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWGothicL-Demi 1.05)
        Category:dropped
        Size (bytes):36354
        Entropy (8bit):7.960665400749304
        Encrypted:false
        SSDEEP:768:PLkA9WAuC7e4P/oCxXepQHVsrnf+TiCPFB/dhN/VBI/PWXrEd:PLkA9WAuce43ZerfUiCPbdRBImXG
        MD5:F20BEE7D266AC21E410927874882A384
        SHA1:B8A5CEF1DCCA5E974F8F64E373A20652A6946023
        SHA-256:9A93E4EFECE0BD91AAB95F553F30FFB6D5A72E364566E6BC05D6C2FE634C471A
        SHA-512:0106DE07E5ED433FAC26927CCA09599742CC2D2261750A046620ABF04E216E76D12FC519AEDC6C71FFFFE9F07BC598254D796D617E2A25A49429A5802633ED77
        Malicious:false
        Preview:..U...%!PS-AdobeFont-1.0: URWGothicL-Demi 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license ap
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWGothicL-BookObli 1.05)
        Category:dropped
        Size (bytes):35156
        Entropy (8bit):7.957974716902106
        Encrypted:false
        SSDEEP:768:0LkA9WAuvwlPAPVyjtDNBjxMNAlHWjMlNTWdZJ2ytboWbyW6QhKASG6g:0LkA9WAu2EVyjBNBsAwhBT/DVKk
        MD5:6BE160BB20A31B7567BB4E0A57B376F1
        SHA1:3894176A336C9E3D5E026F8A377536C38C07C84A
        SHA-256:9D42FB992D17449E10812D12CDBDA225186170BA6AEE791D71BF17DF5B1E3138
        SHA-512:9F62AFA14FA72D7861B48E8633A55D4C4DA31D24EE5E05A403E04FC581CDFEEB9049F5CA8ECFDFEF76FD1E54AFB3657DD211907506759F3F0799895A0E95FBB6
        Malicious:false
        Preview:..f...%!PS-AdobeFont-1.0: URWGothicL-BookObli 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWGothicL-DemiObli 1.05)
        Category:dropped
        Size (bytes):36128
        Entropy (8bit):7.96169784918038
        Encrypted:false
        SSDEEP:768:XLkA9WAuEoyiJM/TQMJTZuw1VTSRj4t1ND4m5DQJkrzNpAkt:XLkA9WAu1yGM/TQMJfSRsSmyJOzNpAkt
        MD5:596CC9C168C3050C9C2005C6220625CE
        SHA1:756FBF56CEC9B93F032753C43CD76E0C791A801B
        SHA-256:AAA813E40638F164D0BC39DF608247A62AC0433EE01702286911EC3D87E7A491
        SHA-512:BE02369A97BFA014C027477A50301891879745219CCFC6594B53E8B6F333F947703C912B60F874812CA1A9879531D8C2B36086B3ED041ED054BE602117976F49
        Malicious:false
        Preview:..g...%!PS-AdobeFont-1.0: URWGothicL-DemiObli 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):4432
        Entropy (8bit):4.661831765301954
        Encrypted:false
        SSDEEP:96:mrvlBrJiCk+DC3NVgoNZ6dvu7VcNewTwtwWwZw7w2wqHwuB3wZ:CvzJi733fWT5
        MD5:8FED6C0DA44A275A2C8CA8518558D5B0
        SHA1:906595CE045508EB6CAD0E52B47D57B691FFD65F
        SHA-256:1805C90E1D3BEA603DA01431459EAAD8265BCE50F923FF19968BD5D7A883DA3A
        SHA-512:8F2B2FFE8BA6113A655296BA65DB7E0CDC1B77B9D3511D8093E6823F4FA8CDF73F259CC4AB4F90A003C7768FC957A22479994B40D01716BFA8EDFC548490A598
        Malicious:false
        Preview:%!..% Check that operators do their access tests correctly...% $Id: acctest.ps,v 1.1.6.1 2002/04/10 09:22:58 giles Exp $....% proc dotest => .../dotest.. {.. dup.. mark.. exch.. stopped not % False if error, true if no error... { (Allowed access: ) print cleartomark == }.. if.. clear.. }..def....0 0 moveto % So the show commands don't bomb because of nocurrentpoint.....{ [1 2] executeonly aload }.....dotest ..{ (string) executeonly (seek) anchorsearch }...dotest..{ (string) (seek) executeonly anchorsearch }...dotest..{ 100 101 (string) noaccess ashow}....dotest..{ 100 1 array readonly astore }.....dotest..{ 100 101 102 103 104 (string) noaccess awidthshow }..dotest..{ 1 dict noacess begin }.....dotest..{ 1 array executeonly 1 array copy }....dotest..{ 1 array 1 array readonly copy }....dotest..{ 1 dict noaccess 1 dict copy }.....dotest..{ 1 dict 1 dict readonly copy }.....dotest..{ 1 string executeonly 1 string copy }....dotest..{ 1 string 1 string readonly copy
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):10211
        Entropy (8bit):4.859725757396087
        Encrypted:false
        SSDEEP:192:Tl24LWkZIjLMhblTcqec64x86l2E6BFRopV0M:TlSjLybRcqec6H6220M
        MD5:39F595A328C4BAF269E541F91FF0BD86
        SHA1:E0D1174AB4024EE6C35DFE24FFD6B1DA87586EFC
        SHA-256:95791D5F9D9FD72E8D10B580A72727E8BE71E4DC0AC0172D86B7DD8A72B58200
        SHA-512:F25FA781EBEA12DE6EAB567CF58A9AAAA01859FCB01F601F68AB704CDDD8C22DED29AEAF67F6E4DCCF04FE864F9247257B5315767C818973E07CC333BA110586
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: addxchar.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Add the Central European and other Adobe extended Latin characters to a..% Type 1 font...% Requires -dWRITESYSTEMDICT to disable access protection.....(type1ops.ps) runlibfile....% ---------------- Utilities ---------------- %..../addce_dict 50 dict def..addce
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2392
        Entropy (8bit):4.92063498198027
        Encrypted:false
        SSDEEP:48:tnReQ6v6Ui5AahZk8i7gn9lQUEPOGWTD+ZetkzJ8:tn4pzyjZi7e2HT+D+ZtzJ8
        MD5:B0525EFB4B7DCE7B2C472B8FB3E565E0
        SHA1:E4BC6293066BCBF75327CA2A2A6A50970D0D9168
        SHA-256:028C00F7EEDE3DD1AF79D0BDF4A817EF710D154A425D35E90059A5E49E82AB4E
        SHA-512:73A85CD3FAFC06BF11741D8E19BA41C62FB4322E50D609DA940877EE8E86ED40EE43F7E0360C7E23CF94D05B3B4D305727648AD967949E34BB51699A07465B0A
        Malicious:false
        Preview:% Copyright (C) 1989, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: align.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Print a page that indicates the proper settings of Margins and HWMargins..% for a given device. Requires a Level 2 system.....% Reset the offset and margins.....<<.. /PageOffset [0 0].. /Margins [0 0].. /.HWMargins [0 0 0 0]..>>..setpagedevice..<<.. /I
        Process:C:\Windows\System32\msiexec.exe
        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
        Category:dropped
        Size (bytes):21511
        Entropy (8bit):4.860649949778474
        Encrypted:false
        SSDEEP:384:8LfABmdrRVA46Ac/w4B+MKPu4BK14cMOWCVnsfTc:8TSmQVg9YdvVnsbc
        MD5:B8AEF13B43DF936E040839E635288558
        SHA1:F8DF69D81F482BE9F140549405385A989F798019
        SHA-256:DE43F8310756C2E96EF36C41CEB16A22CC4850AF2D7911AF7510480CF0DB62EE
        SHA-512:58A2CA56038B940760D40CF56C2C3825AB08444B314B822D5337E53B0F9E60AB134556289DF9D8C2245BE2CB1580086663853084014A7B19BEF2B0C6D304E356
        Malicious:false
        Preview:{\rtf1\ansi\ansicpg1252\uc1 \deff0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f16\froman\fcharset238\fprq2 Times New Roman CE;}{\f17\froman\fcharset204\fprq2 Times New Roman Cyr;}..{\f19\froman\fcharset161\fprq2 Times New Roman Greek;}{\f20\froman\fcharset162\fprq2 Times New Roman Tur;}{\f21\froman\fcharset186\fprq2 Times New Roman Baltic;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;..\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;..\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{\nowidctlpar\widctlpar\adjustright \fs20\cgrid \snext0 Normal;}{\*\cs10 \additive Default Paragraph Font;}{\s15\li360\ri360\sb144\nowidctlpar\widctlpar\adjustright \fs20 \sbasedon0 \snext15 ..Body text
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWBookmanL-Ligh 1.05)
        Category:dropped
        Size (bytes):44934
        Entropy (8bit):7.97263173649933
        Encrypted:false
        SSDEEP:768:BLkA9WAuuFaE/AvC6ZKyoKb5fFvD8qh8OIRu2ka3py4MA7q1awDYgSD/bCz6dxEP:BLkA9WAuVrvC6TXb9us8n3LAawDYg6De
        MD5:6B22CEA7B9558C69BAC00CBDC55A9953
        SHA1:BCD9D42F3BDC9F63C1B378E773D7612920589B51
        SHA-256:77898454FCF5A5226107CAA4F032C98144C6F95E544F7D568207F0F683E9DEF5
        SHA-512:6A1343EC7169D9B8165407E378A43EB7DDF8789ACBC4511A4E2B6F8DEF2DC3E5035102A540B3844D1F1B7D00F6B7EEEB7BECB878709B1FF61A0A300B6783D4A5
        Malicious:false
        Preview:..]...%!PS-AdobeFont-1.0: URWBookmanL-Ligh 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license a
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWBookmanL-DemiBold 1.05)
        Category:dropped
        Size (bytes):44768
        Entropy (8bit):7.970588558190771
        Encrypted:false
        SSDEEP:768:4LkA9WAuP4ItsJqGVBwRGI+MtpXGvxioDZhECVgWg0ZrOZtjniWtY:4LkA9WAu9tsU2BwUIBTGvJZ3GYUdiWtY
        MD5:F7F73D132286E7860B4A7010DE7F597C
        SHA1:AD720FFBA556F298FCBA8F7F86ECF7F7838A967D
        SHA-256:4B743E4FDE6068212099F2E66045C9584C0C969F891252D14A61B06FBA831DBA
        SHA-512:4DA2FF4DD7257E84DB2076C09B4E09385A2A48924D5475589A59638BC98BA445A193636256A54731B8176AEE807DD961F04C5CE8124F3528FA1EAA5B66B90E14
        Malicious:false
        Preview:..f...%!PS-AdobeFont-1.0: URWBookmanL-DemiBold 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licen
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWBookmanL-LighItal 1.05)
        Category:dropped
        Size (bytes):44162
        Entropy (8bit):7.9720696663868775
        Encrypted:false
        SSDEEP:768:KLkA9WAudQq9TzRQWHL5aFAwfdOXNqUcREB6ADBqssRT77r/Mciooq2mNf5/x4mS:KLkA9WAut5zRZIuwlgkUcaB6A7sRXVf4
        MD5:E6F462FE4E2C0D41F03E92355604B703
        SHA1:6D6E59FB96279FEB1EECEF68631499563280C7B8
        SHA-256:3D2632C5D818E01817030B1D8D52CCADB5F1B1241DFC50099BC4B4179C08737F
        SHA-512:554A1171F482A7FFB920266DA0402F154B36725C09441FAAE132C67AD1B917B3549B81F387274AD84652A4EA176B4C246045DE22F35E5AC9FB2CC323AFF75DD2
        Malicious:false
        Preview:..n...%!PS-AdobeFont-1.0: URWBookmanL-LighItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licen
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWBookmanL-DemiBoldItal 1.05)
        Category:dropped
        Size (bytes):44950
        Entropy (8bit):7.9716677582800495
        Encrypted:false
        SSDEEP:768:JLkA9WAurm5R+v03OmeEis7GX4Ln2hEiQOm2OmUENt4FcPAMF5ptLBfv2EACn0Z/:JLkA9WAuuR+uis3YEi2mTtbImptLRAZN
        MD5:29EE82A2C9F6E409ECA46F5AA0177C43
        SHA1:072D3DCECBACFF3A7E574D72D3FB175B2ADB34E0
        SHA-256:2FDB17B2C73ECC2B7A2228EA3E6605E0BCA561DA0528B97733FDB0639869F487
        SHA-512:8C740F5F87E8B3AB114C81C12DCBA4B1CB7019479D683E4CC9C536122146197356B38C50747281F375CE39E2DBE309B00260E31FA2FF1156E90722ED30A69C75
        Malicious:false
        Preview:..w...%!PS-AdobeFont-1.0: URWBookmanL-DemiBoldItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or l
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):24208
        Entropy (8bit):4.730715008711202
        Encrypted:false
        SSDEEP:384:xu4Js4bLXqHaQbE2mjcw17E9mr6RFFRhUW4rwcO6jCpH+egGJ:xu4JsEU7kCmmrUW4rwcXupHzJ
        MD5:DF04A87E51664C96EA8A663FAED078F7
        SHA1:363C5CF56BD339EA72F1BC88833CB96F56534535
        SHA-256:0A6D5C64D12E48893AC37BE750E3C1F6756222D51197CDA75C62ACF9CB67018B
        SHA-512:B26A00589CED75B83D92E08F6C07213611D30A7A12FDC8A59388C1A9C58165B2CE4B4F5DDD3A4D270AF86499470FDB2BFE94C76D85BDBBB9C41A0669D7B7C62B
        Malicious:false
        Preview:% Copyright (C) 1990, 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: bdftops.ps,v 1.3.2.2 2002/04/02 13:57:27 mpsuzuki Exp $..% bdftops.ps..% Convert a BDF file (possibly with (an) associated AFM file(s))..% to a PostScript Type 1 font (without eexec encryption)...% The resulting font will work with any PostScript language interpreter,..% but not with ATM or other font
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (CenturySchL-Roma 1.05)
        Category:dropped
        Size (bytes):46830
        Entropy (8bit):7.974354922976264
        Encrypted:false
        SSDEEP:768:dLkA9WAu4mt0ZyhoNGUhWWtgveOSO5HapRqEh0L08h30wE/RU1VTu8RphV1WLSHu:dLkA9WAuNt0ZZGUhWW2SO5HapRqEyIoq
        MD5:624E2AFDF1987AF1003E0FA8F7D5D313
        SHA1:D7EEB0FFE9FF6A1F231B92F91FC3F7A45AA7EB51
        SHA-256:B28FB9A7DF64C496ED834F38AB5EF7B4741F8DC6977B06B9F97721841EB3EC43
        SHA-512:B5FDC78445966F44CE395231BD9A81EB5DF6C5737D3B38CB6096393B8EA16BF4473AB1C40F5EFD5B513C82C9AB334120C60023D99B91E547A0CCBF58CF56B95F
        Malicious:false
        Preview:..i...%!PS-AdobeFont-1.0: CenturySchL-Roma 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license a
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (CenturySchL-Bold 1.05)
        Category:dropped
        Size (bytes):48864
        Entropy (8bit):7.974730243639886
        Encrypted:false
        SSDEEP:768:6LkA9WAuReFfEyuSqQSlcppdc/47nR4ac4Fyly0zbUJSrUB88XgpVMJnk7qNfKH6:6LkA9WAuUFzuStGMXR4acz5zAJV6qNf3
        MD5:96901A485F69890F3D64B5F7B7218EB3
        SHA1:288D5E34251DD4A0B5382EAD7B34221185D6255B
        SHA-256:02C98BE2C553F9FA46A584F30C182BE0D56FC5A6A2A3F70B0A06DDAC6B50F624
        SHA-512:BEDB259076D4C0EF03EE717B546B67C2DF10A52EAD2E3563735CB40ACA4C4A6F8E81AFF7563527F020870E46216F936EE1827CA4F4B8BD6A71F94820949AF8C8
        Malicious:false
        Preview:..h...%!PS-AdobeFont-1.0: CenturySchL-Bold 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license a
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (CenturySchL-Ital 1.05)
        Category:dropped
        Size (bytes):45832
        Entropy (8bit):7.973778542760178
        Encrypted:false
        SSDEEP:768:rLkA9WAuihyb41uJpVp8GzD76tmzz+IBD5B7SuEnfnfUhdIwK2JkGA96xEkvkRnk:rLkA9WAuSzE5GGzD7HGo9B7SuhdIt2Jp
        MD5:E347AAF9B53B931665EC33B7DDE3A94C
        SHA1:353C187162B28D1883B7D53DC6E102EA83A1486C
        SHA-256:B57348E25CB8C86416E77CF455539EF94479B638400E60EF89C5CB7656B9F2C3
        SHA-512:572200D304E55B398C954D3A8902D9A6CFEB2176933EBB1138571C31AF76FA1AD4265D9B784CEAD38284A9F53750846EEBBB87C61225F820486B2724102310F9
        Malicious:false
        Preview:..n...%!PS-AdobeFont-1.0: CenturySchL-Ital 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license a
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (CenturySchL-BoldItal 1.05)
        Category:dropped
        Size (bytes):47083
        Entropy (8bit):7.974008236466879
        Encrypted:false
        SSDEEP:768:yLkA9WAuce0/xmILNGVToeUpCcb0iDTT8LvIUA5y50hTjqyEL0onDenfOxolkSgG:yLkA9WAu10ZBLNsvUrtv8LBA53DEL0os
        MD5:475A89D73CB41D055C51F6904E5C8480
        SHA1:16917A1FFAF53B2455A0465787C318A377DD401C
        SHA-256:C02EBD9626A3DE7A216A6B4227F34787C11E9BC7ED951A55FE37B3EB3A959206
        SHA-512:6BAF80E2BD49081E06DC134963DD09166AB0C47A4B2766B39D84D22C930F261C70A2AB6A327BA4BF4982255B192E6B5DA90221072E82DDF0AFD19D11A799FF24
        Malicious:false
        Preview:..x...%!PS-AdobeFont-1.0: CenturySchL-BoldItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licen
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):1783
        Entropy (8bit):4.936873656576734
        Encrypted:false
        SSDEEP:24:vOZZReQK8avvv6XDIQZZ6zdMGp6O/7omMdsomIx+3TaF5OFazLTZxvwyodp:GnReQ6v6UiUWGpZ/k7dsO+jaF0AvwySp
        MD5:30C8715E29EAC93784C8202A0DC6F105
        SHA1:D401DFD5CCAFF76291E7DA304F845C82D7739A28
        SHA-256:AE9AC3168C8B632A3AEF7E4A25AE58CA1D2B212A7CCDFC777216899E9BB18BD1
        SHA-512:73A0D643C9672E218544749E0A18493364AF036F38D89061C24ED0B545FFFA21B83CDE5B5BDBCD8666D3FAFAAA85A2A9BFAC7760FDCDB32F8FCAAE18C9FF7702
        Malicious:false
        Preview:%!..% Copyright (C) 1995 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: caption.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Add a "caption" to the bottom of each page.../captionsize 20 def../caption.. { /Helvetica //captionsize selectfont.. (Printed by Aladdin's XXYYZZ) show.. /Symbol //captionsize selectfont.. (\324) show..% trademarkserif.. /Helvetica //captionsize sel
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4641
        Entropy (8bit):4.833700698931721
        Encrypted:false
        SSDEEP:96:0n4pzWUvJMV6Kx2+rcyg6x5YI6lTc5jTU0RmiUEiBO4:evBx2+oB+YIiY5jTU1iUEJ4
        MD5:0B71169D613D81277951CE14F19C3719
        SHA1:071F4E348140C6188420E5A0613DA03A25526010
        SHA-256:2893EF8B6D10BCB4453AAEA63E63E8C499B16494B3D0D165725A433099C987AE
        SHA-512:DB4778D1D7CB99B7CC2092258B802FAEEED4B8C3C709D07420CCAC930AA87F64713CC38777B064632D10AE158AD1E747A28D4B331B0D5344A268DD3115DB67F2
        Malicious:false
        Preview:% Copyright (C) 1998, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: cid2code.ps,v 1.3.4.1 2002/02/22 19:45:55 ray Exp $..% Construct an inverse map from CIDs to codes.....% Create an inverse map from CIDs to code values...% We only use this for 16-bit Unicode, so it has some limitations...% After invoking .cmap2code, loading a CMap file prints out the map..% instead of doing
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):18332
        Entropy (8bit):4.736582899910517
        Encrypted:false
        SSDEEP:384:lq2PmwEPb6k1iAVX/dUY2ZrEGMOZt7o0sDT2:lzuVLiY+rTZo0sDT2
        MD5:46AAF69A91703493B666F212A04F2D8D
        SHA1:B9E28040DE9D8773C5B0CC8108869E8F3F287798
        SHA-256:DA0ECA0FB517AC939D167924C9D4B3F8750A6B7191932EF2CB145ACFA624AC7E
        SHA-512:4338956981EDED4D243272DD8B6F7D35B62EC3759609DE1A94FDE7AA427C8F976DD7CA838A818DC7286576C760A10B5A7D44BC343483A246F289099814472C88
        Malicious:false
        Preview:.. GNU GENERAL PUBLIC LICENSE.... Version 2, June 1991.... Copyright (C) 1989, 1991 Free Software Foundation, Inc... 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Everyone is permitted to copy and distribute verbatim copies.. of this license document, but changing it is not allowed........ Preamble.... The licenses for most software are designed to take away your..freedom to share and change it. By contrast, the GNU General Public..License is intended to guarantee your freedom to share and change free..software--to make sure the software is free for all its users. This..General Public License applies to most of the Free Software..Foundation's software and to any other program whose authors commit to..using it. (Some other Free Software Foundation software is covered by..the GNU Library General Public License instead.) You can apply it to..your programs, too..... When we speak of free software, we are referring to freedom, not..price. Our General Publi
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (Dingbats 001.005)
        Category:dropped
        Size (bytes):45955
        Entropy (8bit):7.904606392685223
        Encrypted:false
        SSDEEP:768:VAWLAn115Wi345RBZ/TKIPDvuW8qVRr4NK1zPr91f0fhBNxaeU3gilQh9HwS10:VAMA1IBp+4vuW5oK1vXfMNgT3gil+9HI
        MD5:6DFCB282CF470CEB18D57D017B7898D6
        SHA1:C0A5A91281F38149B0ABE84E578FA48F4EF2D4D9
        SHA-256:1ED716566691399AAEE420B07FB18CE0AFFBD883091862C68184997A8D6F1A7A
        SHA-512:EE22023F31ACAB7D026DF58A9CDB68199D15E7CA84882383F6F406E4028B63ECB59F29B32D2B96BCAF585B07D623705EA22F6BF29C29C19FACEB4741B267E587
        Malicious:false
        Preview:......%!PS-AdobeFont-1.0: Dingbats 001.005.%%CreationDate: Tue Oct 19 1999.% Copyright URW Software, Copyright 1997 by URW.% URW Software, Copyright 1997 by URW.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (001.005) readonly def./Notice (URW Software, Copyright 1997 by URW. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license applying to the document itself.) readonly def./Copyright (C
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):369
        Entropy (8bit):4.851429279059027
        Encrypted:false
        SSDEEP:6:g6dUOebgWUP9sRTHbS1dHB+unzEcVqxDHOLdnnGmUAUhM7lRF4WGHbik8zvYon:g6dVWgWUslHbth5HkxBUAUq7LbMi+o
        MD5:44C04AE5562FC25FE44358E94C5F69D8
        SHA1:2CA2F2F0F3BE964732E379C23BD9DEECCB4B59B5
        SHA-256:9E853B7BB2AD959C75DCFCB6B21B0DAE5CC02CAAC4E3A0A483E8DDEE4D9AA12B
        SHA-512:DCA81B3F526C0CACF62945D1AEE6C21488A1F8D149FDC5DAE2ACA69B7B1F593D1BC26E3569FE09CC1FA8ED6E24819C238B45F8FA3EDC4D9C6571CD1DDA4FB9C2
        Malicious:false
        Preview:% Decrypt an eexec-encoded file...% $Id: decrypt.ps,v 1.1.6.1 2002/04/10 09:22:58 giles Exp $....(t.in) (r) file /in exch def..(t.out) (w) file /out exch def..256 string /buf exch def..55665..% eexec encryption seed.. { in buf readhexstring /more exch def.. dup .type1decrypt out exch writestring.. more not { exit } if.. } loop..in closefile..out closefile..quit..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7230
        Entropy (8bit):5.066374626915039
        Encrypted:false
        SSDEEP:192:0pYq4tI3Tt1uz7Wiqxz6fw9eTPBJSiKx4:0Cq4tICvfV1Js4
        MD5:5563BC03639500829BC75BD42A48B248
        SHA1:2BED51FA6246DF8704A297F1437FE72D5A9C8625
        SHA-256:23919773D62D8EFB29F273DAAFD783FDB1661F910952541813A1B21AB92905DA
        SHA-512:D354AB50EF9573BD23FAE2C1161D696F96AD6A55644AFE28922688E0A39E3F7383B6BE27835299F27D2A9A0277C3570C66E1FDFD87831207692CA129FACC6E38
        Malicious:false
        Preview:% Copyright (C) 1995 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: docie.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% docie.ps..% Emulate CIE algorithms in PostScript.....% ---------------- Auxiliary procedures ---------------- %..../r1default [0 1] def../r3default [0 1 0 1 0 1] def..../apply3..% <u> <v> <w> [<pu> <pv> <pw>] apply3 <u'> <v'> <w'>.. { { 4 -1 roll exch exec } for
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):8962
        Entropy (8bit):4.6917086666676004
        Encrypted:false
        SSDEEP:96:pn4pzFi1WrEaUt6gjsSrWeA+08DpGyrqXx8ZPbwlDhC0NVM4yDwFoOksk0zapUx:k0WIaUt6gj5VZJDr/wlFC0Ni50t
        MD5:F1723E84BE1CC68389769074C70C0476
        SHA1:B00DCE9F805EE71E5FA5FA5F7BBCBAA40A763D89
        SHA-256:A84B8968D2D269382A000C7F335EF925FB4CA0C7C02FC4C4E9D54FC34EAB3DB5
        SHA-512:26A5C91A9DF4A9020853D48D7CF97287C6D95757155ED4CE6E699AA1045D246252BEA5FD3F18A767D2670E1A8A1A918F080CC8605CB8088302440DE4DED41E5F
        Malicious:false
        Preview:%!..% Copyright (C) 1992, 1996, 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: errpage.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Print an informative error page if an error occurs...% Inspired by Adobe's `ehandler.ps' and David Holzgang's PinPoint...../EPdict 80 dict def..EPdict begin..../escale 12 def../efont /Helvetica findfont escale scalefont def../eheight escale 1.2
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):20126
        Entropy (8bit):4.818864827640037
        Encrypted:false
        SSDEEP:384:Zigu1SM5SUy/uPdjXOdAteqPrdjBqN2kS3R9Ir1:0T1SMMN/uPBXOdAtv5wN2kS3ROZ
        MD5:3D916AD7127AC660FED04747661FC8C1
        SHA1:60B9870BDD96AD61BB0E1D5FBAA0C2E86690B0E7
        SHA-256:DADC709704F30427D591C9362EDE0AA04E9C7159AEDB445DB00289E8871D8A3A
        SHA-512:2724F07CC6B052F6591CFEA59ABDEC991FECE75C658FE5ED1DA93E4E8EED4A1B009E41BC24A16595B1BF8371D7D02FDB3CCCBFE8B816CB189CD9EB8484723D74
        Malicious:false
        Preview:% Copyright (C) 1992, 1993, 1994, 1995, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: font2c.ps,v 1.3.2.1 2002/02/22 19:45:55 ray Exp $..% font2c.ps..% Write out a PostScript Type 0 or Type 1 font as C code..% that can be linked with the interpreter...% This even works on protected fonts, if you use the -dWRITESYSTEMDICT..% switch in the command line. The code is reentrant
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):18182
        Entropy (8bit):4.871704618037998
        Encrypted:false
        SSDEEP:384:91EC9zYGGo6OG9hA+k3aF1JMPb7g6sMEQbhCzR44DzUUuLTU+/AB7gIW2C:3EC9WOG9hA+kqFTC7g37Vuvj/TN
        MD5:77E64092CDA129F47AAA4296C0CDC410
        SHA1:5B7F511E9C10C06CCE98625257535E642CEF2BD7
        SHA-256:C85CB5F24D5460E82849B6FD35A21AE67878330169BCB71A4ACF871E7E2435C5
        SHA-512:F5ADF1A87B645094A62F548330EC4478ED0A8DBCFE28FCEBFFB431FCB68A628DAE4C214F4D273B7F7E811A55CAEAD12F8A33C0799CEE03B73D6BEEED927AD8D9
        Malicious:false
        Preview:% Copyright (C) 1993, 1994, 1995, 1997 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: font2pcl.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% font2pcl.ps..% Write out a font as a PCL bitmap font...../pcldict 60 dict def....% Write out the current font as a PCL bitmap font...% The current transformation matrix defines the font size and orientation...../WriteResolution? false de
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):86
        Entropy (8bit):4.528512221350288
        Encrypted:false
        SSDEEP:3:hooA0LLhivFRSvttw5veyNjhailQ9UMHv:v9RoRuttmeeoyKv
        MD5:3C0EA1D0E7EAB2295940CAE73F8826FB
        SHA1:9C204F8B730DB4407652B24F5BAC2C1ADAE382B4
        SHA-256:2DA65C8ACC7C21BBA085EC91994DC20CBA7755D39ADEB890529B751B4FAC083D
        SHA-512:54B17B373CDCD1C68BE7BC15E49EF9541CA3C40AB8F1060DAB82E024EB262609983A50C3E5B7ABB9463F9DB8BE4A2C8BD6F26E2BBA68FBC42EE37E5FCE4E9430
        Malicious:false
        Preview:%!..% See Fontmap.GS for the syntax of real Fontmap files...(Fontmap.GS) .runlibfile..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):13936
        Entropy (8bit):5.306577294772025
        Encrypted:false
        SSDEEP:192:1wRqq8p9s1lfgp2hDK8JPDN7a6VPSyHD7+DrbS3XGJP9yhCFQJ3G7:1Wqqiqlfgp28mpTJSE+XbSHGR
        MD5:E9B9A5BBA746ADE946A12EC0850E5586
        SHA1:8CB5A06B3635F564386EC914EE29A36CB33C0DC7
        SHA-256:9A20047CF6F1938E223ECA9B7D78B327993AD4121C2A857FDAAFB39DC51A1F82
        SHA-512:46DF46FA44C1E8FA5D78F444D2F1D9EDE3D9F97EBF91A1E9CECC41B0BC052A09D17E8CA777766787EB4D12EB046B5E640CF2F3104CDA9E8DC789D7C7CA914231
        Malicious:false
        Preview:% Copyright (C) 1996, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: Fontmap.GS,v 1.2.6.1 2002/02/22 19:45:54 ray Exp $..% Fontmap - standard font catalog for Ghostscript.....% ----------------------------------------------------------------....% This file is a catalog of fonts known to Ghostscript. Any font..% that is to be loaded automatically when named must be in this catal
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):3510272
        Entropy (8bit):5.469394416349492
        Encrypted:false
        SSDEEP:98304:xaRWCPfikhjlynXY+5c0IY/hcRz8YoUskuVhsamTI4TL9ePG+kb8pNrowMZ:xatPhjlyno+5c0IY/hcRz8YoUskukaQ5
        MD5:5DC008B8D2082D1846D0AF80B26F06C1
        SHA1:1B2891392C87579791135642B5C6FF45572DFA66
        SHA-256:02F35C8DF735E28D31645D789A4BF5D3131F18AE9D8E90A6239646053A03D59C
        SHA-512:9D4AF54F22B652B51F4192B1A5F90A424357FE12C4995A23815A14362D07377D899910B253D0E758E35363653568C8144A3D1881EE72D326D8947B1EC23E6C8A
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!k%.@.v.@.v.@.v>c"v.@.v.c.v.@.v.@.v4@.v.d.v.@.v.dEv.@.v.d.vbB.v.d:v.@.v.d@v.@.v.d8v.@.vRich.@.v........PE..L...a..>...........!.....0(...........&......@(...............................5......................................H/.......3.......3.L.....................4......@(............................................. .3..............................text...+!(......0(................. ..`.rdata.......@(......@(.............@..@.data....)...P/......P/.............@....idata........3.. ...P3.............@....rsrc...L.....3......p3.............@..@.reloc........4.. ...p4.............@..B........................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):20290
        Entropy (8bit):4.85264465727119
        Encrypted:false
        SSDEEP:384:GyAXtwPLCQ8XSgpGVW7/HnfdoN9WMXKfW3GQM1cbXi:PAdwPLCQ8XSgl7/HnVbg4QMC7i
        MD5:827185965C85951B68E6A4272A262124
        SHA1:9C5290EA74FAE8DF934D43FAF0D8FF243AE09341
        SHA-256:4F8A1643AF738B38B1DE0E237A4318B7795E79C3291900272792812381BA2417
        SHA-512:B48D4EA042835BA828BEE5F42760FAAB4B6A260E25A907C7B9274172981FE0D195A0CEBB3AAA657FF01EE6DA37F47C63940BEE2B36B11230A416C5BB834A62A6
        Malicious:false
        Preview:% Copyright (C) 1991, 1995, 1996, 1997, 1998, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gslp.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% gslp.ps - format and print text....% This utility provides functionality approximately equivalent to the Unix..% `enscript' program. It prints plain text files using a single font...% It currently handles tabs and formfeeds, but
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):2745
        Entropy (8bit):4.920305745393005
        Encrypted:false
        SSDEEP:48:ynReQ6v6Ui5HRi5fQUQSlIaehkk9xRA6OlMKCKlH95cG3Hsgn:yn4pzacneh7TA6OlMClH9iSp
        MD5:5F3CA54F417DD02299B8DCFDD1BF231E
        SHA1:E91D71E39962E5E3B6A450092228759FDA977433
        SHA-256:2F5AC268D5B0E2A0B075F0980AFB27BA215D50AC228AB45F21671C87247121EA
        SHA-512:FB2ADBD5C08610318FC9BC2E7F81D77D7A5DCFB84D0B69D3AFF908A496BE2F351ABE2C4831F47DCB3C211A47C079F32F2B5A1A6C2C67931D5F9A398B01FD7FB6
        Malicious:false
        Preview:%!..% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gsnup.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Prefix this to very well-behaved PostScript files for n-up printing...../cdef { 1 index where { pop pop } { def } ifelse } def....%%%%%%%%%%%%%%%% Begin parameters %%%%%%%%%%%%%%%%....% All parameters are also settable from the command line with -d, e.g.,..%
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (console) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):192512
        Entropy (8bit):4.7706334358102715
        Encrypted:false
        SSDEEP:1536:ZHtdamouH3tfQGlZi9Ohh4VjqBijTWgb/LD+vIOSkbPrVv+rcFEaO7EaO:ZvuuBzAjT3/v+FSCPBkcFjKj
        MD5:CCA6B52049582CDC9F57BAC1D3337454
        SHA1:D126C8731C9DD94C14133FBF54C1A9F514B4094D
        SHA-256:4B9421448B243C86ED96F72DAC50D5E48C58FD02B91F19DAB2F8B1D27BDDA8B1
        SHA-512:CCB090DE66977B2B65EBE32E0195F628028E04A4783B88E2D83894CBF5E8988DC40359DAC88DDF102F94862D1DE74B401471A86BE9DCEE7E1F147B9852B6C80F
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............hy..hy..hy.wK^..hy.GLd..hy.GL9..hy..hx.'hy.GK`..hy.GLe..hy.GLF..hy.GL<..hy.GLD..hy.Rich.hy.........................PE..L...l..>.................`...........x.......p....@.....................................................................?.......x....................................p..............................................,................................text...WV.......`.................. ..`.rdata...,...p...0...p..............@..@.data....=.......0..................@....idata..f........ ..................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):29683
        Entropy (8bit):4.898032404169802
        Encrypted:false
        SSDEEP:768:9D5+xsEaYGRpXvZhdKoIV5uZ87Yu4xwiqTNI1q2rKtXjGD56:H8sLpOVwZ8714xwiqTNIutXj456
        MD5:60F39522A1D42CCB20B005ED81A779BE
        SHA1:2131D1C6B8FF2991A83CC920B2B7CBB4EA8E8248
        SHA-256:F297D294B755AF3A224E4F776A3AC133FDBAD47734187CE77F05A9E43FBC7969
        SHA-512:42F5B492C8E8A3C30AF193FD8C390BEC7AA1D01891EA43E95F43961C1F32411F70616B47A934750F87E224A6A6FB2DF6E55642900BDED77CAE02E2FE7CFAE897
        Malicious:false
        Preview:% Copyright (C) 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_agl.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $....% This file was derived from the Adobe Glyph List, version 1.2, dated..% 22 Oct 1998, at..%.http://partners.adobe.com/asn/developer/typeforum/glyphlist.txt..% That file does not contain any copyright notice.....% The AdobeGlyphList dictionary maps glyph names to
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):11118
        Entropy (8bit):4.9236602058947545
        Encrypted:false
        SSDEEP:192:14oC11iVwvLKgo871smtAH4SAFQS3VPfPzv9EZw5NMhb9DGtvS002B9WZb:uoC11EwvL1o8SmtAYYS3FD7ob9DGlbS
        MD5:D06B2E8C400608D4574936AC3DC867BC
        SHA1:1EDFB533D4C38CE107DC6A56950300E12A477111
        SHA-256:8F6ED675FF20A0FDE2FAC9896D73C4221F9793CE4FDC756709AC031012B4CBA2
        SHA-512:488CB309915B259B7B6392220EB1B70ACB628E478000CFB0F5CC7793E6B29BD6E091581ACE4BD178F60B1642023D61A0C5CB3FA7FA3E023E8FE651DACB35E010
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_btokn.ps,v 1.5.2.1 2002/02/22 19:45:55 ray Exp $..% Initialization file for binary tokens...% When this is run, systemdict is still writable,..% but everything defined here goes into level2dict.....% Define whether or not to allow writing dictionaries...% This is a non-standard feature!../WRITEDICTS false
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2240
        Entropy (8bit):4.8089937969864796
        Encrypted:false
        SSDEEP:48:LsnReQ6v6Ui8YrnkuCRfnIXv1aaHP9VBacLrs2NgrkZ+s/OX5LoN:In4pzpYouQ6N9Vn7gyOX5LoN
        MD5:C8807EA573DF0421AF5593277BDC19EF
        SHA1:74DCB97285C4733334DCC816440A2561A2316EEE
        SHA-256:27F60F3618AEE87B5EF4749DEE3E2925660CDC5E8F74A2A201C221A4CB74597D
        SHA-512:7DA3D0BA4AED87D6B697926CC2B9DA9285220752946A5F9150F6C6EB8AD2E3AA9B58F7F6C912D38889E70D16586B1A103A82628BB3EEEC2CE73DBBB299DFAB62
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_ccfnt.ps,v 1.5.2.1 2002/02/22 19:45:55 ray Exp $..% Find and register all the precompiled font operators in systemdict...../registerfont...% <fontname> <fontdict> registerfont <font>.. { DEBUG { (Registering ) print 1 index = } if.. dup begin.. Encoding type /nametype eq.. { Encoding .findencod
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2417
        Entropy (8bit):4.867575252146677
        Encrypted:false
        SSDEEP:48:xnReQ6v6UiPHPQkQr0vXQ1UNQ/UmF7R55itJ61dZ6RxF3N6PZJtd5utKQA:xn4pz8Y/AAB/bd7AtJZxxNTtKj
        MD5:8FC79B129D06BC0FBBBB6C5AE4E1B236
        SHA1:B28E08140C6D4DF8DB64E20F749F5475B26348D6
        SHA-256:4F64AB97250536A09492692D6198DC677E751FF8E0CF91A80F97FF32C7DB48D3
        SHA-512:6701AF9FCDA5488E2B3F70992DCF9D8722902DE1199204303906E9F286CB5741FBE7D579D88A6C46020882B5CE72E594228A40682C1623CB16021B14A59019F4
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_ce_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Adobe CE (Central European) encoding vector...% We define it by differences from the ISOLatin1Encoding vector.../CEEncoding..ISOLatin1Encoding 0 39 getinterval aload pop..% 047.. /quotesingle..ISOLatin1Encoding 40 56 getinterval aload pop..% 140..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):22026
        Entropy (8bit):4.997484238392294
        Encrypted:false
        SSDEEP:384:1wQHD8uKkc/mJMMDg5K+KMM82xxLDbA/UM3fYa8dNRpo4o+Ak2/AhDRmrLT+49zg:ZGtabA/nABzpJBp2SRIpzg
        MD5:39EE2681D108309082582EEFD40C999C
        SHA1:257CA0ED664B739A4C2F65CB5951C234DDE0D86D
        SHA-256:E938BEB2F74AD88DA99C4ABA65E056DCACE7047639A5A31D5A2DB2051B845E49
        SHA-512:B93180AF39A52B6EC71C399ED44379D9376744DB793E7358C49076F5B06B18302AAB716EACC40B77DFF0BB5EFF91F748749CC9F26A581EBE9C66C8103F10AC6F
        Malicious:false
        Preview:% Copyright (C) 1997, 1998, 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_cff.ps,v 1.10.2.1 2002/02/22 19:45:55 ray Exp $..% Loader for CFF (compressed) fonts, including OpenType CFFs...% The following are not implemented yet:..%.Deleted entries in the Name Index..%.Embedded PostScript..%.Multiple Master fonts..%.Chameleon fonts..%.Synthetic fonts....% -------------
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):19389
        Entropy (8bit):4.310646675956112
        Encrypted:false
        SSDEEP:192:n1PTAtJloIKX/dWc1EeO85gJS1xiWf6lvINSRzJIYjPCdB08ydnJcr3nGFp0Tm+P:1PaJlaeV37NJbmrAmT2O5jUEX6v4vekL
        MD5:E41DDB3BE65E36DC5388BB0672C91F00
        SHA1:121D05CDB988A35BF78249ED0CB2A7E5D6E9E482
        SHA-256:0255DCF902969D5AA82F9857B4C0A1232E4AA7D2E2E9D1BC12C51FF4CF22565C
        SHA-512:6FD95CE362A7DC00ECF7319745BC81FCB9CA28D67AB2F559526D533CFFD12748B5FE417F4261BF58475D9BE33690847419875B5437C13AF9A93107BD5AE248EB
        Malicious:false
        Preview:% Copyright (C) 2000 artofcode LLC. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_cidcm.ps,v 1.5.2.2 2002/04/02 13:55:47 mpsuzuki Exp $..% Extending Font resource category with CIDFont-CMap fonts.....languagelevel 2 .setlanguagelevel currentglobal true setglobal......% In the comments below, 'CSI' is an abbreviation/acronym for CIDSystemInfo...% We pre-scan resource files to retrieve the CSI from
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):21609
        Entropy (8bit):4.9242026971131425
        Encrypted:false
        SSDEEP:384:Ko6mAe1eF9w9bBFwC4kH0xnbWjixKI5sROKriHJaddvh:RPcF9wNbwC/GbWmcI56aHJazvh
        MD5:0FE39F82639ABF7A107D09CD3F0EF6B5
        SHA1:DC534903A7ABBC9456CEED73C6AF73563D7A4A3C
        SHA-256:E6D1BCF862E6404EF72C8AA86E32C3B5CAB8D85A815F08F098D1042B76DB1523
        SHA-512:67B7FE88F8847CC1423736C4A232C0AC8C86E99F5E3096A6C1559B9FF84272C65EC338211785CE4A2B844FDF1E28850CC90C6E08790D171A36D109CD0D479BC3
        Malicious:false
        Preview:% Copyright (C) 1995, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_cidfn.ps,v 1.18.4.5 2002/04/03 07:31:14 mpsuzuki Exp $..% ProcSet for implementing CIDFont and CIDMap resources...% When this is run, systemdict is still writable.....% ---------------- Defining CIDFont resources ---------------- %....% Define a CIDFont resource. This is the defineresource implementation
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):17706
        Entropy (8bit):4.875569672586294
        Encrypted:false
        SSDEEP:384:9+nMNXelbruziEms7H/Ki0C0KSmuHlup2tIBviiFrdliRGWWx:UnM1vnBvjdliBWx
        MD5:52087AEEB62CD61B5BC8F238FDDCFAED
        SHA1:34687D7908C91717848FB3B694E8E5FC77D361B6
        SHA-256:B4E2997EDC53D8F7CDB403D9DC24D8E161088855D5A9965DC6E25891882BEB42
        SHA-512:3CC64D57D9A6FB149DE3B8B151F3D0A14502056C989FA678863517B4176E167E6A772035A91BE8325A104EF330AF9AF6378C736B3C074553BEA4E99257D19FC8
        Malicious:false
        Preview:% Copyright (C) 1995, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_cmap.ps,v 1.11.2.4 2002/04/02 13:26:37 mpsuzuki Exp $..% ProcSet for implementing CMap resources...% When this is run, systemdict is still writable.....% NOTE: Rearranged fonts are not implemented yet.....[.. /CMERGE_DEBUG.. /USE_CIDCHAR_AS_RANGE..] {dup where {pop pop} { currentdict exch false def po
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5030
        Entropy (8bit):4.863963377625408
        Encrypted:false
        SSDEEP:96:fn4pzMxBww7QtZom+5giTOgWenjMku33gI:Pxaw7Qtqm+PTpjxY
        MD5:B75FB6C3E35EFCD1A82F341DFF940C11
        SHA1:6DA338B627C4D016AD93DD70AA202063AA949EA0
        SHA-256:E57051428A14DEA7C83B8FBE8AFBD61AE77EF59B0E3FD87CBF2D336E20B28AEB
        SHA-512:D83F43DD3A1967478AF138C70862DE4A6AA8F56CD99E1A582B6A07E572A5D1A796F2F51819AF245EDD4A25DB4663FC8135BACF96C1FA969F3B1C36C82B7A4D4D
        Malicious:false
        Preview:% Copyright (C) 1994, 1996, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_cmdl.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Parse and execute the command line...% C code handles the following switches: -h/-? -I -M -v..../cmddict 50 dict def..cmddict begin....% ---------------- Utility procedures ---------------- %....% Get the next argument from the parsed argument list.
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5071
        Entropy (8bit):4.742860899369326
        Encrypted:false
        SSDEEP:96:xn4pzlYq8FWyf0TdrwlrisaqUgng9Q5/xdqGNZ1GgScXtpPoLj1GQFg7UIc0wrcg:aYGnsvqoZH1Ggr9Fa1dFg7UIc0wrcSSE
        MD5:39BCF1CFF315A5301AE0F1B8EC086CCB
        SHA1:80AC780EEBED1B6A9D936322E8903CFB5992EF43
        SHA-256:CA9B5AB379B4B9A6CD5AFA5D7126FBE3386912CD69120A7AFB566E479E01FE98
        SHA-512:DF9D06681288FC708C6774B506D8805F515F057442A2EFB44A6D0F8C2D25C45DCCE4113D54ACCAA3747395915BC56A02054CD037E85984546E8333B0BCA8BD08
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_css_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the CFF StandardStrings that represent characters...% This is a pseudo-encoding.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../CFFStandardStrings mark....% 0.. /.notdef /space /exclam /quotedbl /numbersi
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2349
        Entropy (8bit):4.769469715931955
        Encrypted:false
        SSDEEP:48:wnReQ6v6Ui/YVOOPSZm/Nyf8hMqHrkNba73MZmZHvYN/PgwgF/+6d0FNOUf:wn4pzCYVOFjfurkJ4YNgwgFW1nxf
        MD5:C58D507B14CA5166DA2A22571F13E12C
        SHA1:2D6A3DD47847C96A30439F764DEE4B2095A24645
        SHA-256:BBCD949B115C607526DFC9B0C1A408439B7DC8C04B4EC3B0218E9963C59C392E
        SHA-512:5D55C502442448C1547F8DEBBF90787F17788F8BD4E8D7776E200CF46EAF04CDCBD86CA40AF0C6CB97C974EE9AFD57194E519887F15A64E9AEF45987DD79516E
        Malicious:false
        Preview:% Copyright (C) 1993, 1994 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_dbt_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Dingbats encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../DingbatsEncoding..% \000.. StandardEncoding 0 32 getinterval aload pop..% /.notdef..% \040.. /space /a1 /a2 /a202 /a
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7810
        Entropy (8bit):4.766307880078295
        Encrypted:false
        SSDEEP:96:An4pzz75W8l4EXdTbPi9dgPGn7Ox9lEXCX9zaIxhH2gtgKTrALMsiCvuaBnX609:HEdEtTbgCOCxAXCXFaI3xSWkL9/X609
        MD5:0BCA381FD316A49D1D89C4937A26C83F
        SHA1:51BC825547C8BEAAB89FBBFED8A2431D8F2722EA
        SHA-256:5D0E3ED36DF8F90A9FBC0FCB0D74BE95914339E7E693F5BA40276DDCC5C621FE
        SHA-512:DA60A9F7303B1C78FCBFED026ADDEAA982E2022162EBEFCADEA155553AEF89A085651AA28DB46CC5F7C6DBD026111F884D5F6ED993E8559B796606AD888D30BD
        Malicious:false
        Preview:% Copyright (C) 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_diskf.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Support for converting Type 1 fonts without eexec encryption to..% Type 4 fonts that load individual character outlines on demand.....% If DISKFONTS is true, we load individual CharStrings as they are needed...% (This is intended primarily for machines with ve
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4490
        Entropy (8bit):4.935666456662469
        Encrypted:false
        SSDEEP:96:An4pzOrB91uNxX2EQ2DPl7pLy79ie53Y86XV0IiilOw20nc:KrB9MNd2ifLy7hY8PilOwBc
        MD5:22B0438C71E152F8FFE4C2B441035B16
        SHA1:F5E13F5727E0335C5460F6487FB1BB10096D33B0
        SHA-256:60B0311A8984DD7607E0BF02BD85930507CE430E8112612BCB1BA071C4EDAA73
        SHA-512:ED5C027E3F83326244A51CA9177EA34638557799F3EC328DE6C7E8075C68E5E91CD611891AE9A0577AA1C73BEF236A86A5FD0491142AB8E61448F7D7D946492F
        Malicious:false
        Preview:% Copyright (C) 1997, 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_dpnxt.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% gs_dpnxt.ps..% NeXT Display PostScript extensions....% Define the operation values for compositing. These must match the values..% in gsdpnext.h, which also are the ones from the NeXT documentation...% We put them in systemdict, which seems like as good
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7579
        Entropy (8bit):4.820128307667993
        Encrypted:false
        SSDEEP:192:IevEsT/7o7TdPNdFP2kY5PX15OIzzsQXH:npDGTjdFP2kY11LzV
        MD5:A0ED280BAFB8AF1AACDE5384A1147781
        SHA1:7374539221A00744FA8ED8CB7820BBC4285591F4
        SHA-256:E2A157BBE2081DA42370D731285CBBCC1E8FF61F322B73AA12B6FCFE3C454D20
        SHA-512:4E01E78F5E524529E4D8E5A8B17E4BBFD3061E41F1D5787596F742917F1F2B2CAC418D4980CEDFA51F884F4351E47729754721816D1AA8FC459165971CD70CF2
        Malicious:false
        Preview:% Copyright (C) 1997, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_dps.ps,v 1.4.6.1 2002/02/22 19:45:55 ray Exp $..% Initialization file for Display PostScript functions.....% ------ Contexts ------ %....% To create a context with private local VM, we use the .localfork..% operator to actually create the context, the new VM, and an empty..% userdict, and then we call the
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4719
        Entropy (8bit):4.858450343337417
        Encrypted:false
        SSDEEP:96:zn4pzcaAow/ric9cgvSAeppKjxt18PoKD7LHoj5+mOJB+CH:raAoqLG2SAepa98PfLIjw+CH
        MD5:ECD5D5259C34039EBCCD24FB5B1AFC70
        SHA1:75B5ABEB032C0EEEEF9C08491A7FBF6F3B854A4D
        SHA-256:86C84C64F61EDA97D091FF33FD120205C6F7127920782FED7089F67EB096594F
        SHA-512:04EF399C12F7F632253B042E6DB645BE6218E1B389A69203CC0B1340EBD62A6DD80801C087F87EC5DE08823F584007937E3B82B427B7ED034405E3EF81909209
        Malicious:false
        Preview:% Copyright (C) 1997, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_dps1.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Initialization file for most of the Display PostScript functions..% that are also included in Level 2.....level2dict begin....% ------ Virtual memory ------ %..../currentshared /.currentglobal load def../scheck /.gcheck load def..%****** FOLLOWING IS WRON
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7195
        Entropy (8bit):4.926063746176709
        Encrypted:false
        SSDEEP:192:V1h72U3kdy4S7OXAp7HouVTCcV6xoHKTYPx:V1hSU0s6wp7PCJ0TPx
        MD5:71ACFD7BC491A8CDA464EA798057D81A
        SHA1:3D49D7D949A0F83A46A0394A87A342E926CF50D6
        SHA-256:F890CE27E01AC8848520E985A30E67355A925CED39FA0E1785912E2917E77BF0
        SHA-512:A6587D156956DB94AF8860FF85D8B87FBFEA2323921FDB08F26B85187E163D3A2AFDB9C7F84388D8C8C14C4108B3058CBE9863442A364B64002767044C95F67F
        Malicious:false
        Preview:% Copyright (C) 1990, 1996, 1997, 1998, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_dps2.ps,v 1.3.4.1 2002/02/22 19:45:55 ray Exp $..% Initialization file for basic Display PostScript functions..% that are also included in Level 2.....level2dict begin....% ------ Halftones ------ %..../.makestackdict...{ { counttomark -1 roll } forall .dicttomark...} bind def../currenth
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4056
        Entropy (8bit):4.868947941521893
        Encrypted:false
        SSDEEP:48:KPReQ6v6Uie2iSAAlWiz66sCVCgOFsjCvN54AB0aDsjAX+OKDhiBZmPPhp4K75PW:W4pzsLAgj66sCVCgqsWvglMXUdAKGOMp
        MD5:D7C87C98D8EE91FBBB27AB0F3CBD9FBD
        SHA1:CB8861603F5DDFEDA99204FE18B845631CE78123
        SHA-256:50B703F45D3DC7A3344CA838D7843AC2E5E7498B36F2312FDDF24EF51CC84F31
        SHA-512:87F7BFC7925F7B9AFEBE2BDDDF74AE53FB97E6EBC3CCF91C8E4D0295A5BAE70D422F24C4B99E90C9A6BA80BF60B3C617A25D801E174AD063D5A5003ACF2B0027
        Malicious:false
        Preview:% Copyright (C) 2000 Artifex Software Inc. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_dscp.ps,v 1.4.2.1 2002/02/22 19:45:55 ray Exp $..% Postscript interface routines to DSC parser..../send_orientation {...% <orientation> send_orientation -...% .parse_dsc_comments returns -1 for an Orientation key with an...% unrecognized value... dup 0 ge {.. << /Orientation 2 index >> setpagedevice.. } i
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7324
        Entropy (8bit):4.886837453149439
        Encrypted:false
        SSDEEP:96:/hn4pzMF3YDG7hb+1Jd9S37jast3gKD11is2fP0OZyWLxYqBqh/vJuDbeMs:VF3mM+1q7jau/D11MfPnlYqBqh/oDY
        MD5:CD363FAC8FAAE5212B63F2400F5368D4
        SHA1:941A701B34617D9DCC2FAFB135F371F62168BAB4
        SHA-256:B4475641A03EEE7BBB7D1C83D91A92853E8ECA546DBEB21BC0ABEF3CF810F63A
        SHA-512:C989C4F56D9A7D3E6677EEA6C00E4A8227388B83C53488091C0291475F322FE066F2AA2CD9E07E9EFD5435D4C233595BFAADF32EE68EC7E8CE1B5566AC30F819
        Malicious:false
        Preview:% Copyright (C) 1989, 1996, 2002 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_epsf.ps,v 1.2.6.11.2.2 2003/03/31 13:02:22 giles Exp $..% Allow the interpreter to encapsulate EPS files, to recognize MS-DOS ..% EPSF file headers, and skip to the PostScript section of the file.....% Encapsulate EPS files and optionally resize page or rescale image...% To display an EPS file cropp
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3260
        Entropy (8bit):4.803556333812148
        Encrypted:false
        SSDEEP:48:fnReQ6v6UitGqwawG8mrSVPYArFknr2EBf9iw6QdglX1VjbNPZo3xu3aCzJN:fn4pzEG3Gc7rFkZf9PctbNPZoqhdN
        MD5:3D948A3867F8E0CA108EFE8EB97C5E36
        SHA1:B218261C2DC1B69AB90FD5B67CB2CCD228BF648E
        SHA-256:240FD95A02CC65449C651B410232A810F6B87593574483AAAE1DB8595954D97A
        SHA-512:D5E1DF061BCC5ACCEB59D4331400F1741DD49257740AB7EC89E15920E30357AB7F44818BDECCAB068C145EF1F7B2A995381F5AFA949D769F8C0D8B3628664633
        Malicious:false
        Preview:% Copyright (C) 1995, 1996, 1998, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_fform.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Form caching implemented in PostScript.....% This implementation doesn't do the right thing about halftone or..% Pattern phase, but the Pattern cache doesn't either........% The Form cache key is the Form dictionary; the value is an array..%
        Process:C:\Windows\System32\msiexec.exe
        File Type:assembler source, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):33596
        Entropy (8bit):4.892084347154004
        Encrypted:false
        SSDEEP:768:wXQSQhN0Njtn//q9UCaEcUgAYFcPAS2X/:wFQhN0Njtn//qhaEcUWWPASG/
        MD5:EF93417B6F43CE383807C6028773FE5F
        SHA1:DC2BB634D36CA5547E827E0D1AA46BB1902E4148
        SHA-256:B2807B33BB91110D9E18ECB1AB0B77CEA6AC23FC121C9BC794750FAE44068156
        SHA-512:FAFAE644B14C54B93BED2A9A2A97BB8603D68E378570F30396E76F44A9295EC162C617203BE6411B0365083590797B32D7EEB8B2F72EC0F1579D78987D5FDE9A
        Malicious:false
        Preview:% Copyright (C) 1990, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_fonts.ps,v 1.13.2.3 2002/04/02 13:57:27 mpsuzuki Exp $..% Font initialization and management code.....% Define the default font.../defaultfontname /Courier def....% Define the name of the font map file.../defaultfontmap (Fontmap) def....% ------ End of editable parameters ------ %....% Define the UniqueID
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3050
        Entropy (8bit):4.805911151905837
        Encrypted:false
        SSDEEP:48:KsnReQ6v6UihKvpsvGvfeP0PPBPPpJVERYyN8etBMM6SSEq5u936g3uUGx5yJj0f:jn4pzUOsIwtl6MV6Dkx2
        MD5:68E806B3143D1007EC1AF900D9E3B29A
        SHA1:5FD8DE811092A1A2B1E7752B823F302C951E3B02
        SHA-256:C3C01A1CDFCA1BDFC3A1097632511AF150A870B2884879E1BD30FCAEFE3527AD
        SHA-512:0EFA5F45954313DBB80A0233A0690C366DA81EEF086E3397EF42641A9DE3EF54A77B1D99382B5DBADAC855C53179191FF96C1903B190A893B38113FA3C22C7C4
        Malicious:false
        Preview:% Copyright (C) 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_frsd.ps,v 1.4.6.1 2002/02/22 19:45:55 ray Exp $..% Implementation of ReusableStreamDecode filter...% This file must be loaded after gs_lev2.ps and gs_res.ps.....level2dict begin....% ------ ReusableStreamDecode filter ------ %..../.reusablestreamdecode {.% <source> <dict> .reusablestreamdecode <file>......% <so
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3562
        Entropy (8bit):4.4327259506332055
        Encrypted:false
        SSDEEP:48:wnReQ6v6UiSvdgzATtW/ldHrFuKB6/UYmpCF2/vzLsiCfPckSvCBMBdurt9:wn4pzzvW4WNLDS0uJKvvBEz
        MD5:91DBA0CBED49EF9AAC6E5AA7060DE7B6
        SHA1:74D838B6A3628D62EC4AD5ECAAEA3E73E0F78DE2
        SHA-256:2CECE0AC98232B509451B2A3D32D4493D66D33E68D48B9F5FA5A8F6291B63CA4
        SHA-512:130197BF8F4EADB4AD8C32B31C0FCB2450DFC75BD3114A0EF721DD2C6399C05DA6B9AE8D7215B779F504530DF79F4F070CD815A9EA406D20E995AD81FEB88818
        Malicious:false
        Preview:% Copyright (C) 2001 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_icc.ps,v 1.2.2.1 2002/02/22 19:45:55 ray Exp $..% PostScript portion of ICCBased color space support....//userdict /.icc_comp_map_dict.. << 1 /DeviceGray 3 /DeviceRGB 4 /DeviceCMYK >>..put....colorspacedict /ICCBased.. {.. % Verify that the source object is an array, that it is at least of length.. %
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2868
        Entropy (8bit):4.88530498862548
        Encrypted:false
        SSDEEP:48:InReQ6v6UiFEjiQp4p/FDfjKAvSWWWWWWwWWWWWWc54dHx0nYKruXQmwZAgU9k/l:In4pzMQpmpfWAvSWWWWWWwWWWWWWcg0V
        MD5:56723C7B243741A2CD912578FB2EFDDC
        SHA1:747A67192179D8288C443798F940CA6BC351A313
        SHA-256:1683FA4C1ADECA4A70177825764DB747ADE77F5CF6B381E0516F52C25D8B47A4
        SHA-512:E9600CC1525662567FF7D5720FF9716C45A16AB9B14B8C3884D048AB083963D3602937766AC55C70871796663E286FF47F7E311AF3AA043A43312AFD0610B2D3
        Malicious:false
        Preview:% Copyright (C) 1993, 1994, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_il1_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the ISO Latin-1 encoding vector...% The first half is the same as the standard encoding,..% except for minus instead of hyphen at code 055.../ISOLatin1Encoding..StandardEncoding 0 45 getinterval aload pop.. /minus..StandardEncoding 46 82
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2846
        Entropy (8bit):4.9682945461459225
        Encrypted:false
        SSDEEP:48:xnReQ6v6UiiENJBxQHESa2RwgFZZK3qX4GJjNQdNSWWWWWWwWWWWWWdkikhEOINc:xn4pzbQOHZLZK3+4GUPSWWWWWWwWWWWK
        MD5:8A16EA2F107E1A7887F8260BE89029AE
        SHA1:C29FD95C04248D8923A4C8A9D805E7F1A83095E8
        SHA-256:11E16F13D38A435664AE7FCE01495D6D7301711343584518E064A4916E2E9CC3
        SHA-512:74F6B8EA237806E6932F75CD38348EC106FE6B18469998D30B9CDA770C1DF763260E1CB2E866E4D55FCC2C065302F1A83420DC0F527EDCF0270021727A3ED97A
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_il2_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the ISO Latin-2 (8859-2) encoding vector.....% The original version of this encoding vector used Unicode names, rather..% than Adobe names, for many characters. Here are the names that appeared..% in the original version:..%.\047./quoteright./apostroph
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):62277
        Entropy (8bit):4.958900036815414
        Encrypted:false
        SSDEEP:1536:uC8gKI61XJqXa9IKka2mzfBGUhWCBSOSOOOcOE3doaooB6Y:qJ2KTfgUhW
        MD5:D4EBA9FC1659FDB5974D18EC504C7B8C
        SHA1:AAED62241FB077486F2DFC20A258CD3A998586BD
        SHA-256:2CF039BA6F9F924F19D220137A4434BCE77152479D804F672D47696B3AD00993
        SHA-512:6B412CE1C1AF044E7AC16FCEDEDB0183252064813061AC7EC8A3B0CA15A4520AC969D56D0779DBCBEA19044705F53D2FD843481E38AC89940967D7489B985177
        Malicious:false
        Preview:% (C) 1989, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_init.ps,v 1.40.2.12.2.1 2003/03/31 13:02:22 giles Exp $..% Initialization file for the interpreter...% When this is run, systemdict is still writable.....% Comment lines of the form..%.%% Replace <n> <file(s)>..% indicate places where the next <n> lines should be replaced by..% the contents of <file(s)>, when creating
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4106
        Entropy (8bit):5.182643371930601
        Encrypted:false
        SSDEEP:96:bn4pz8I7OaBuXIC95HC6pXt5MdmI3fvbSD1WXwissP:87OwhklbTCvbi1MnP
        MD5:5E4BD8E7D14890B0E01893B4603C7810
        SHA1:9FBB0DA3084D202142349DEC039476BF604BB479
        SHA-256:9EBE55288AC012C5201D32F20B53AC4DAF0DC5EEE7FF11173BBA9252884B5983
        SHA-512:915082F87133181753E16CB16A5F072AEECB56C8BF1D45DD62F879CD3AAC885DE5D87BEF863F906C12853134A2E0C3FA887D847DA0D375CEAB5FB3DD26ED8577
        Malicious:false
        Preview:% Copyright (C) 1994, 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_kanji.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Scaffolding for Kanji fonts. This is based on the Wadalab free font..% from the University of Tokyo; it may not be appropriate for other..% Kanji fonts...../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3361
        Entropy (8bit):4.218372791909571
        Encrypted:false
        SSDEEP:96:an4pzUXeWWWWWWwWWWWWWwWWWWWWwWWWWWWMGy4Ao2GZMIWWWWWWwWWWWWWwWWWA:qXRIzpiuz6
        MD5:25988684C5E18D110739CF668D77629D
        SHA1:E8D029D97DB73B43E7FB65F501629DE503D32FA4
        SHA-256:41A141E11E8A5FDCC219205C3712F72166415A2079698B724DA176A8A2F601C7
        SHA-512:7673D53F0D3E96680086867C8D422904E96EA63E00FFD9693938B153C3872F529A9F531119A36BBD5894445C1BD5F4FD31BB2E6F598C4C465175659CF3EB6E06
        Malicious:false
        Preview:% Copyright (C) 1994 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_ksb_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the KanjiSub encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../KanjiSubEncoding..%\x00.. /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef.. /.notdef /.notdef /.no
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5821
        Entropy (8bit):4.808588557676167
        Encrypted:false
        SSDEEP:96:0n4pzqohm+IUJW+aY5BUpAGpFzddWdpdZga5diYCgljgvSZFsO:bhPIUQ+LcjpFpdWdpdZndiY9gvSkO
        MD5:CEFB7654985F929B1E53004224375B2C
        SHA1:7D5DE78987BAE633A717B7D450DA55BA6C77785C
        SHA-256:C3DC096444980950DFCD6AFDC8D24D2C990D2B01C8F1A6B9AB772EA8FDF15466
        SHA-512:5149F4E4A7612EC336692EA058D00DA38F1BDE90B05A17EC58104718CFE2E0E55777AE9594AD164C1CF8C5BB852E72C9202152FAB5327C0721D56764D18EA56F
        Malicious:false
        Preview:% Copyright (C) 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_l2img.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Emulate the Level 2 dictionary-based image operator in Level 1,..% except for Interpolate (ignored) and MultipleDataSources = true;..% also, we require that the data source be either a procedure of a..% particular form or a stream, not a string or a gene
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):32497
        Entropy (8bit):4.836255233841022
        Encrypted:false
        SSDEEP:768:qZft+6zPdppnRbNhn26I8bpR83BPJnzFf13PxncXofl:It+6zPdppnh/20NG3fPxncXo9
        MD5:1383F8D072D4D1A6ABBF92967CFB8657
        SHA1:64B2948BA754ED6270BC8EDD338AE870B8A3F196
        SHA-256:A494FC34D787FF3F79F6A59CC7307D33FBD90E7C5B9724B93E6C7FFD819B0E79
        SHA-512:BB708416AF95469BD355499036FEE00373CD564A1A168CE5E42F6F86D7CEFE4BE1FE04FFA1B5179ACA58CB61D016AEFB67F80432BB9744BB594803E5486CDE0F
        Malicious:false
        Preview:% Copyright (C) 1990, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_lev2.ps,v 1.7.2.4.2.2 2003/03/31 13:02:22 giles Exp $..% Initialization file for Level 2 functions...% When this is run, systemdict is still writable,..% but (almost) everything defined here goes into level2dict.....level2dict begin....% ------ System and user parameters ------ %....% User parameters must
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2983
        Entropy (8bit):4.850066776163909
        Encrypted:false
        SSDEEP:48:ysnReQ6v6UigE++JgZJtZKJJ+9eeKsJBdE8hLIrggEP5VExhlR1nNlVSddokstY:7n4pzXE++JKtwJ09t3pCrggETEZRXlkf
        MD5:2914FDAF3AA6D1C0DB50B8977652509A
        SHA1:2A4BB012AA34474FC0F64233A850043C17E27175
        SHA-256:A865E403706EEC827BD0B62BCD08618737C51210B25EA6A5B70B0A5FAF50C4A3
        SHA-512:52C039DFE9455A0E49F6A49F8D604DFED49CE742E098A775E89A91D43F17FFFCA74BB07EE9C620BD03275227B32D5367BCC73EE6B57DC14941DE098143CBF68F
        Malicious:false
        Preview:% Copyright (C) 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_lgo_e.ps,v 1.3.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Adobe "original" Latin glyph set...% This is not an Encoding strictly speaking, but we treat it like one.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../AdobeLatinOriginalGlyphEncoding mark..../.
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1978
        Entropy (8bit):4.894550205994637
        Encrypted:false
        SSDEEP:48:xnReQ6v6UiIov++T8aO7RxjcULGFvGM/EkY:xn4pzxov++4aOxjcU8vGMMkY
        MD5:05F6408939413221AD0ABC235B7A6E40
        SHA1:D0515F2076806F6B9CF3C6974B161D8F779FC397
        SHA-256:529FD1C73A55033B1CBBAB020B9089BFA8C4C51F7CF13860D280A2B5A1ED643C
        SHA-512:A371479717EED9FC0490CF7B8836EAB283A3C730E7300338B183D18E72E001272C027CAC2878724477A6B9C013F5B54A56C9466AD21FD4B4C35BFD183B77C84C
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_lgx_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Adobe "extension" Latin glyph set...% This is not an Encoding strictly speaking, but we treat it like one.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../AdobeLatinExtensionGlyphEncoding mark..../Abrev
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):15650
        Entropy (8bit):4.925174779459201
        Encrypted:false
        SSDEEP:384:iymsX2wGEIqXa99NUrZt2cJIX+XhozgdIfG7M:i1cGEI8a99NWZ36X+XhoU4UM
        MD5:300B794C57702C479C93B2D240F61204
        SHA1:CC94E85DEB8F0589B60044714D2849D8BDCB45BD
        SHA-256:EAC4B82F4C6E729FDCFE28DD8AEB7F301ABEC995B039C55AD1016F3E29DD0074
        SHA-512:72429F1DE204F2FB9D01553FC2B55C95FD054B963E32DC587B8978054D99700746B600144E8EBBF4AF9903082D48560F85D6A130C765D881DC679CE11A7282E9
        Malicious:false
        Preview:% Copyright (C) 1997, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_ll3.ps,v 1.10.2.2 2002/04/02 13:57:27 mpsuzuki Exp $..% Initialization file for PostScript LanguageLevel 3 functions...% This file must be loaded after gs_lev2.ps and gs_res.ps...% These definitions go into ll3dict or various ProcSets...% NOTE: the interpreter creates ll3dict.....ll3dict begin....% We nee
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4065
        Entropy (8bit):4.715092019194635
        Encrypted:false
        SSDEEP:96:an4pzCjDSWWWWWWwWWWWWWwWWWWWWwWWWWWWzkGNZBGeKSWWyWsWWWWLcTtoIUaG:sjZBGe7/pokAqFU0rNmOXKZS/2PMTY
        MD5:AF70B8807E6F25B9A12FE85752DEBF04
        SHA1:334B38B64D55C331C02958CEB71220A9BF8F7519
        SHA-256:3CF8D6E8E8A0B9534FEF254ADB59F1803E83A10A03E13B0BF1136215FF16FEC7
        SHA-512:A568B7062B609CFC83C37EBB0F315B9C9B312EEF0387EACDA3820BF307E761C1C37E2F7A2DBBE81A3BA91F6DDF7BD5B7AB8DEBF5742D64C181CC202DF3285980
        Malicious:false
        Preview:% Copyright (C) 1994, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_mex_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the MacExpert encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../MacExpertEncoding..% \00x.. /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef.. /.notdef /.no
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2259
        Entropy (8bit):4.972368961465668
        Encrypted:false
        SSDEEP:48:ysnReQ6v6UiT+eTcS24FU6zgbDlVbThvbsOq9lRcpilgnjY:7n4pzm+lSWkKWOalRcIYY
        MD5:05ECAF2BA23D77AC2C3ED9C49318F264
        SHA1:F9F9B9F06AEE7DBA1A3C86E641D8C5168F3A2BFA
        SHA-256:293F9227ED92DA52E9536D0B9501B7FFE933341173A97CA294C50E360CA98C12
        SHA-512:C46D57F422F002A706D7CF6EF0747057D5E37C476CBFFEE5A4039F2C34BC653EBFF044793DF7A2441B923E85A6E013C7A5931175003F8FC79C4061135CA10B64
        Malicious:false
        Preview:% Copyright (C) 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_mgl_e.ps,v 1.3.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Macintosh standard glyph encoding vector...% This is not an Encoding strictly speaking, but we treat it like one.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../MacRomanEncoding .findencoding../M
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2602
        Entropy (8bit):4.865835953768507
        Encrypted:false
        SSDEEP:48:anReQ6v6UidcCM0ZS68U3Kj+g+YJhOjNwWRqQ6LhjAmLtUGdCG/7SnZ4g9NAofY:an4pzYcCrD8ogJhOjNwWRqQ6L2QtXCGn
        MD5:48CE14B59B43C43F0CA6DFC18E295DEF
        SHA1:A51288588F4A78AB7F3F9303E1D1DF1FA3DF7967
        SHA-256:B7D16E130EEC6D6FF2036974F213E90C911580BC627F31CCFCDC46A76D4D667F
        SHA-512:B37B3626FEB4F21B21377CB8DFD8787CB236C5B7DDE02094443CD9FCABB5C1EFDF2219F5FF0F49D37ABE3FAEA7B2424E504B5DDD6FFE5C8DEE85B19DD1852E08
        Malicious:false
        Preview:% Copyright (C) 1994, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_mro_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the MacRoman encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../MacRomanEncoding..StandardEncoding 0 39 getinterval aload pop.. /quotesingle..StandardEncoding 40 56 getinterval aload
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1755
        Entropy (8bit):5.01580453672402
        Encrypted:false
        SSDEEP:48:0nReQ6v6Ui/sBQW0qqeQ0sXQRwQllQ/U3WKDQHvQTGrQCq:0n4pzGsCzxNApk/oWKF31
        MD5:6AF5F9467AE5BB007E50880524831BA4
        SHA1:0D6310D14729BF5EC7AA7F538A58E999332BCD3B
        SHA-256:CCBAD15115D1BFE29061A2BC4F6EFA06778C491C85627CC3E04004147B670FF3
        SHA-512:3ED6FE24DDE1E97E18E6ADBE6D228065433E71431E6C7B3BF670167FB94DE0624C2CDAEFFAD1E8D91682AD03BD3F0F122EC7137F46112EBD7459D1BD6E7293E8
        Malicious:false
        Preview:% Copyright (C) 1994, 1997, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_pdf_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the PDFDoc encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../PDFDocEncoding..ISOLatin1Encoding 0 24 getinterval aload pop.. /breve /caron /circumflex /dotaccent /hungarumlaut /
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4475
        Entropy (8bit):4.890253739533297
        Encrypted:false
        SSDEEP:96:+n4pzChWT2PQYGJe9WVJe2C/UAdcSEmIxB0Xpz2:AhpyegVcOocSJIxBul2
        MD5:4D98C149985DF6C3994AFD5330F13F3D
        SHA1:6072F0401428B835B329820ACC1682856C853573
        SHA-256:6E69FB6BBFDA550CC3EBA1EB2D49B3D0B70A3FBEA2BD8314CFC8871EA1B8C745
        SHA-512:19343F16FDA856A97AE12B0C439B24249F255CF3D8A6F899D80C460FBD214A94D97D554F2756AFB45D45C2488A97302B164EF373E1CCAA9780AE866864379626
        Malicious:false
        Preview:% Copyright (C) 1994, 1995 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_pfile.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Runtime support for minimum-space fonts and packed files.....% ****** NOTE: This file must be kept consistent with..% ****** packfile.ps and wrfont.ps.....% ---------------- Packed file support ---------------- %....% A packed file is the concatenation o
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):888
        Entropy (8bit):4.950717551253107
        Encrypted:false
        SSDEEP:12:gDnOC2tnRoxswU/coK8axaCjW/vqv6XDAtQZZ6lblQCFueOQeZIbc:AOZZReQK8avvv6XDIQZZ6fdF+t
        MD5:AA56231A2DA1B18C0899EF5EB22B3AB6
        SHA1:FFA4E484C2080BAE2A4B0C842130FCAFA72F9338
        SHA-256:69FDE1916C810DA51BDDDFDBC97972707171DEC3B4DA0CF953DFC05688FE446A
        SHA-512:2C77074A86696BA15F7B5608C7BF457E8061D3EDE97215621E59F60289CD4CAF1EAF6C12EBA82FB34E41D36F903DDCA4E87FF8C7B1069BC62B4F0A600A530FE7
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_rdlin.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Patch for systems with readline support in the interpreter.....% Disable the prompt message, since readline will generate it.../.promptmsg { } def..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):29882
        Entropy (8bit):4.838867347008787
        Encrypted:false
        SSDEEP:768:ZVHMlDBRxQp2CPxzVkRaiRB3EuFvpnaJq+qUoi:ZVHMdBRxQp9PxzussBUuFvpnaJqli
        MD5:498BAF57FEE806645BD6EAC073F393D8
        SHA1:27E74F6C01C048845D8BACBB219E62DBC81A3A6E
        SHA-256:84FF68FF0DB9C74B0FA78A959B35C8A5C1977234808E4BCC292D2C88C0A78A6C
        SHA-512:C39DB65C93EF9FA988D35F49BC9E7564498FE71CFE4071628FCE3582CF6D5D4C18F9DDE4B30B1180D4F608BFAD7588C237651E7B9EA34DC9BD2812A3DF785D7E
        Malicious:false
        Preview:% Copyright (C) 1994, 1996, 1997, 1998, 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_res.ps,v 1.16.2.2 2002/11/18 20:31:52 ghostgum Exp $..% Initialization file for Level 2 resource machinery...% When this is run, systemdict is still writable,..% but (almost) everything defined here goes into level2dict.....level2dict begin....(BEGIN RESOURCES) VMDEBUG....% We keep
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):25392
        Entropy (8bit):4.8270943477444925
        Encrypted:false
        SSDEEP:768:i5C2CkE3mwW3gRNjUQEO6NfCeAlOFuw4hwFa+Dju:iEWE3XUrlClbmu
        MD5:88440097233791ACE031E92333125B3E
        SHA1:B1B8162AED9D5E6DBDCB81F219B980AA028EC31B
        SHA-256:2094781FFC5D17E062D57D296E3C7788CA0A985918461CBBE3028C7C89C302E1
        SHA-512:D24D2D2AF18B73A381930ECDE98F9D24F6EEC9B8A3185ED1151760B360CD37076A2715F7CE4C1DFC90F78EB8389E32D3E657780AEE1BC2C4CE9BDFA660A0CFC3
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_setpd.ps,v 1.8.2.2.2.1 2003/03/31 13:02:22 giles Exp $..% The current implementation of setpagedevice has the following limitations:..%.- It doesn't attempt to "interact with the user" for Policy = 2.....languagelevel 1 .setlanguagelevel..level2dict begin....% ---------------- Redefinitions --------------
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):13466
        Entropy (8bit):4.927182824605581
        Encrypted:false
        SSDEEP:384:Nz7TsNbHSSlXfT9vdr8er1NX3xNSHwWIf2ZmbwgTu:NzvsNbHSSlvT9vdr8er1NX3xNcwP/PTu
        MD5:32BCEFB6BE91979CF81FDB0591D8D90C
        SHA1:FD508A417A7C52DD21BC77D39A600357D6BFEA07
        SHA-256:1FA01585BEDDE03A4312494BA047A8E45FA57ADAA7C36F1A2133F3B85FA2A255
        SHA-512:4F600E8BA342ED59D31825D6B6FD883B34A55E4917B7B7C28DEEA9573A97F49BA03E4E67DDC08F9294226FAE85DC466E54922903195C3EA49F514F765ABDF088
        Malicious:false
        Preview:% Copyright (C) 1989, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_statd.ps,v 1.5.2.2 2002/07/18 10:43:42 ghostgum Exp $..% This file provides statusdict, serverdict, and assorted LaserWriter..% operators, mostly for the benefit of poorly designed PostScript programs..% that 'know' they are running on a LaserWriter.....systemdict begin...% We make statusdict a little lar
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3318
        Entropy (8bit):4.673817770324367
        Encrypted:false
        SSDEEP:96:wn4pznfySWWWWWWwWWWWWWwWWWWWWwWWWWWWzkD0RtzRQPUSZ0EvSWWWWWWwWWWa:7ftKRzCqs6UG5k
        MD5:E079B6BB3944ED323D9F468EF0FD7FA0
        SHA1:52E7CFEDD4C099C51A9218BD62D64D929005C0EC
        SHA-256:B69CD62EFA763D615A1DABEECF6039812AAAE216FA586C94CC0CA62B2CF10033
        SHA-512:352AD1BA96DE0ABDEB935E0ADC42A4FE7924BC9635680581E39E9E4F9841290957EFE8E6B96470868BC32BC6DE78B868DE2427DA79500ADC9029F7027D4F8EF6
        Malicious:false
        Preview:% Copyright (C) 1993, 1994 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_std_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the standard encoding vector.../StandardEncoding..% \00x.. /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef.. /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef.. /.notdef /.notdef /.notdef /.no
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3187
        Entropy (8bit):4.855139457601993
        Encrypted:false
        SSDEEP:96:tn4pzNwo7Rrcfk708FB4qYJnYRwbcgZNC6yRSol6aDf:ywo6870VqPRwbvOjDf
        MD5:2B15B931932DAF952CFEEAA7C4853443
        SHA1:F029E7A5EB8CC683CE841C6DCBB6E156379594F7
        SHA-256:5DBD15EA944B318E57E75EC652AEB842CEAF5459774818D63C5BD3022D8665F5
        SHA-512:C2A80BAE8309B80D9C042A2F66E3B42FE4942167D3DCF3F148AC58852113608F7A2326738C610B477A257ED5C9CF97B6324554194108C0D5366948818E41F300
        Malicious:false
        Preview:% Copyright (C) 1991, 1994, 1998, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_sym_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Symbol encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../SymbolEncoding..% \000.. StandardEncoding 0 32 getinterval aload pop..% /.notdef..% \040.. /space /exclam
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3147
        Entropy (8bit):4.9594664485449895
        Encrypted:false
        SSDEEP:48:ysnReQ6v6UigQ/ak4pT2VSOm11El/pG7WAV4rqMA9e9liVV9svijElMvJ7voLHWF:7n4pzpQsCm1qnG74M9TgYbAHWZE/C
        MD5:12A6DCA67A07F8D08D5F592E895BC359
        SHA1:495CD78F2AD4B5B7938D693294429997729E6907
        SHA-256:798BD2AFEA78BDE44C1A3CD84647AFB3EC7337A43316441F8BD3624440F9091B
        SHA-512:650DB4A35A949F4E84A74DAD1AC9858372EB183C6A9BDB087BDCA168B780CAAB2869092BD1570A912CAE0E0974BA8B92E6CA392BE30EE3AE3E3AA625EC350479
        Malicious:false
        Preview:% Copyright (C) 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_trap.ps,v 1.3.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% PostScript LanguageLevel 3 in-RIP trapping support.....ll3dict begin....% We need LanguageLevel 2 or higher in order to have setuserparams and..% defineresource...languagelevel dup 2 .max .setlanguagelevel....% ------ Trapping ------ %....% The PostS
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):54974
        Entropy (8bit):4.922033256761191
        Encrypted:false
        SSDEEP:1536:A9Bhp0zFfqdAc3KIXUMo8oCGZbI4K7dHbp:A9B5Os8Mo8oCQbIN7dHbp
        MD5:FC984EF2DB13A3AECCDFAD0D576640F9
        SHA1:A9A85B2A44748DFA6BD8280C2AD6578CB5EF7743
        SHA-256:5468FABEF2F60AE8736748D43E032E8E01CC6C516B8DA9EBFB1DB3215E1EA4A3
        SHA-512:BE89A0D52C353325E66CA393DA598769F263993A5007603D80DAEEDE1B7F72F3F41322B5D5634B78331D41DFD1872BC347AD19E0457BE5E9BCA155AD6C1327DB
        Malicious:false
        Preview:% Copyright (C) 1996, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_ttf.ps,v 1.9.2.4 2002/09/22 12:43:55 igor Exp $..% Support code for direct use of TrueType fonts...% (Not needed for Type 42 fonts.)....% Note that if you want to use this file without including the ttfont.dev..% option when you built Ghostscript, you will need to load the following..% files before this o
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4351
        Entropy (8bit):4.974835052289962
        Encrypted:false
        SSDEEP:48:znReQ6v6UiXJYQBZ3JIUOhCxoJqhogxoRLsRHo3yo3tEMr/8CCzYmpXF3ddNQ+MY:zn4pzKjjGUOh5JqqgKRywDMRXjdNb
        MD5:8B120CA2C3445DC323730BB953174706
        SHA1:F336CFD114B949ABAE1A39BBADB27CB348EEB2DF
        SHA-256:A4C013209DEDB09F5EB5DD5F5E5D68657ED286095F6A58CD7A930E32AB59FB50
        SHA-512:8DECE2408ECFEE1A71E337823BA705F488BDA6788457C421A01999BBF89DE7B6E4D257BC2AAFD38338EEDB9774C43A91984E2CA4F808AB0DBED3B06D6BC18F6D
        Malicious:false
        Preview:% Copyright (C) 1997 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_typ32.ps,v 1.3.2.2 2002/04/02 13:57:27 mpsuzuki Exp $..% Initialization file for Type 32 fonts.....% ------ Type 32 fonts ------ %....% We need LanguageLevel 2 or higher in order to have defineresource...languagelevel dup 2 .max .setlanguagelevel..../BitmapFontInit mark..../.makeglyph32 systemdict /.makeglyph32
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1679
        Entropy (8bit):5.043750134635788
        Encrypted:false
        SSDEEP:24:FOZZReQK8avvv6XDIQZZ61dBrKb1f1C8fukPwOfFFhYopABfugYHcl30g/mfXbLz:AnReQ6v6UiEXi1QejtulfabL6y
        MD5:265C930147E688DFD3D851A2AB054849
        SHA1:058F0C88F9700995604F4208AF8DCFEF125A5FAC
        SHA-256:AEEBB937877BD285BEEC3808ABE60C9A3BB1104D6D051F1A00EC5F9224A76B37
        SHA-512:5298A53CE53AFA653DC746407C7F69E8471A5F5838A0F56B47BED9B8A6D2D5C01DAE3737BA20AB7A2D908ABADFDE08B654280D04E2D62C292F383C34076A6C46
        Malicious:false
        Preview:% Copyright (C) 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_typ42.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Type 42 font support code.....% Here are the BuildChar and BuildGlyph implementation for Type 42 fonts...% The names %Type42BuildChar and %Type42BuildGlyph are known to the..% interpreter. The real work is done in an operator:..%.<font> <code|name> <name> <gl
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):6874
        Entropy (8bit):4.867560407291819
        Encrypted:false
        SSDEEP:192:FA41t43K2DdF/Jm/QHOzwwoEjVC16lTbl:FA4Q3K2DdF/Jm/QsVk0
        MD5:7833C296F9F7BE49A12A73123CBEA1E4
        SHA1:4E6F724164D3716F3247C04FB0EE10963F3244E8
        SHA-256:45C3E70401CE3C6A8B3236D5B6A7BF4C38A09371E2B4A038DA6DAB32044AC1BE
        SHA-512:2F94752C938F9348E240F8C3A0CD6CDA7AD72A2F2875AE6C4785F6BED2783C33CE1FB07EE5861DAC5784ABECEB6999D0F8BAC92B7B09C517C495D5BF86177F51
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_type1.ps,v 1.5.2.1 2002/02/22 19:45:55 ray Exp $..% Type 1 font support code.....% The standard representation for PostScript compatible fonts is described..% in the book "Adobe Type 1 Font Format", published by Adobe Systems Inc.....% Define an augmented version of .buildfont1 that inserts UnderlinePosit
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1735
        Entropy (8bit):5.042128626721956
        Encrypted:false
        SSDEEP:48:1nReQ6v6UibhAQr0sXQRwQllQ/hZwQ6LR8C4QIA7Y:1n4pz+h7xApk/v6tLn7Y
        MD5:741E48B77570DC89093A1AD601644945
        SHA1:9D35BDBC8A1AB2C3B204F96EC0F30EFB6D7DB3AC
        SHA-256:A99316161290E18CA7E03D172D84E43CCCB4A01CF966F5D9F12AB183D914B61E
        SHA-512:51F76D472BC973D8E92485A5890D93D0EB46BD9F431088015206FE670C3CD1FA22E35AF0BAB58497CE7BFF02CB1EFDCD3E1296EABBFA575F82FE5C28E5A1A36C
        Malicious:false
        Preview:% Copyright (C) 1994, 1996, 1997, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_wan_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the WinAnsi encoding vector.../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../WinAnsiEncoding..ISOLatin1Encoding 0 39 getinterval aload pop.. /quotesingle..ISOLatin1Encoding 40 5 getinte
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2602
        Entropy (8bit):4.901156755921307
        Encrypted:false
        SSDEEP:48:AnReQ6v6UiH+QbOQ8Qr0sXQRwQllQ/hnSn9WXyZInYKjqXQmwZAgU9ALzE5VhH9u:An4pzG+QbxXxApk/5Sn9WXyCnVj1mN96
        MD5:4CDD6EB27A3999A37BC3C7D910411E32
        SHA1:8FE1A1D836FC17015C14F652C781DF00D4FB5945
        SHA-256:CCB2C2DA5AF3A436FD76303FDD755E59D13AF820C53F9FCB4C5D741185BC664B
        SHA-512:13206652DB9A8CAA2E9665C9C7513FB6F0C7CB008E858FCF2EF9AADD1CDD7BF9AF1ABBD895283671D790B47953A0DCCE18C267431BF9C2BA336E2A0E8DC1C2DE
        Malicious:false
        Preview:% Copyright (C) 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_wl1_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Windows 3.1 Latin 1 encoding vector (H-P Symbol set 19U).../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../Win31Latin1Encoding..ISOLatin1Encoding 0 39 getinterval aload pop.. /quotesingle..ISOLatin1En
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2600
        Entropy (8bit):4.912960974497802
        Encrypted:false
        SSDEEP:48:AnReQ6v6Ui47K65+Qr0sXQRwQllQ/hnSdxI5DNqQjCs97ZyRxF3hXPt75GtYQQ:An4pzZ7K65hxApk/5SHSoQjCs4xJhutu
        MD5:B4E89CCFC9025AD76F98E0748F289F69
        SHA1:0B5E789B281C84FFE1ADACFF12DE62E9D438D3CA
        SHA-256:AB54D0D14BB46887A50F65A4CF35FD066DA58C1063463BFDDB24B57DF2103248
        SHA-512:88D325384A5714CBE118CFA4969CA24CE065A1210B75B8AC0ED8782DA40A67BD2E1AA5F6B7A2151F4FAE4DC1E1F5C78FB157AB3067E84D72FD1C16DEFC62FC0B
        Malicious:false
        Preview:% Copyright (C) 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_wl2_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Windows 3.1 Latin 2 encoding vector (H-P Symbol set 9E).../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../Win32Latin2Encoding..ISOLatin1Encoding 0 39 getinterval aload pop.. /quotesingle..ISOLatin1Enc
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2618
        Entropy (8bit):4.8993643190586065
        Encrypted:false
        SSDEEP:48:AnReQ6v6Uin76QIcQr0sXQRwQllQ/hnSn9WXyZInYKjqXQmwZ6gU9ImLzE5VnH9U:An4pz276QI3xApk/5Sn9WXyCnVj1mx91
        MD5:EC6B23E70504A23D73A1316A299A0AB5
        SHA1:BB8C58023F10B2C875F44C3752F6A069E81C15B6
        SHA-256:A0BB5F05236AF8747EF3A3B3EEAED60A9D92A3C32B7DE5FB9ACA24E7D471A1CD
        SHA-512:66F5A52B970A5117BE55765CFFCA57DD6B8DBA92BB8C3821EA7086436FFD89BA9C58C103B2A8268601242C78EFBEB56ED4FEB8B10F5B3CB23917F8D376478992
        Malicious:false
        Preview:% Copyright (C) 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_wl5_e.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Define the Windows 3.1 Latin 5 encoding vector (H-P Symbol set 5T).../currentglobal where.. { pop currentglobal { setglobal } true setglobal }.. { { } }..ifelse../Win32Latin5Encoding..ISOLatin1Encoding 0 39 getinterval aload pop.. /quotesingle..ISOLatin1Enc
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):15914
        Entropy (8bit):5.0480359404249695
        Encrypted:false
        SSDEEP:192:q33b4kWmvNwkPlFqo9FTUNl4cO3PfWZkHK1Q6VGgogh0FctCQ/OpGOx/ZxU3Az/C:81vNwktYoLylHO/MxQ6VVV9IKP
        MD5:5A0900A651F8C2F1193E954DA2B31206
        SHA1:6E7E5FAFA113E5E8801963CF310355FA7EA40468
        SHA-256:40F8ED533A7909BFE96794E4AC85B014F2FC9892DA3BA6339214EC8C9C9408A8
        SHA-512:51DCD952290D46ED29183D6F80B3E79CC540D4CFF6E0A2D925F57B55AD5C279EE43044179D6A524DB071B96FF9155493FE3ABDA09BC135540DEF05A7F8CB3431
        Malicious:false
        Preview:% Copyright (C) 1996, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: gs_pdfwr.ps,v 1.11.2.1 2002/02/22 19:45:55 ray Exp $..% PDF writer additions to systemdict.....% This file should be included iff the pdfwrite "device" is included..% in the executable.....% ---------------- Predefined configurations ---------------- %....% These correspond to the 3 predefined settings in Ac
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):231085
        Entropy (8bit):4.031966539990605
        Encrypted:false
        SSDEEP:6144:6s/VOgVj4nwaQ5qddcHyunE0pCWbB/hdJeEk9lPvTrE9JskQbiu7VlY3t/WKP3Ud:1tOgVjiwaMqmLnE8fBabnE9Js/97E3t4
        MD5:2CA39E10F82EEC47FEC33E15ED998356
        SHA1:7E7A03662FCCAE2AF9588FE5D12E253540AE2828
        SHA-256:0FCA7F8186A539816E08B0408F4CFC65BDDDAB6E39820F201BB8087577546AC5
        SHA-512:9D84D711C14FF7DAD7D791F24B92F7F05FD3675F19611CFCDC9C652F0D3F47EB58B2BF7D29D60494BAD7CBA0AEE18E0CF5A41A81A4AF6F7655F8C49E38E62BA6
        Malicious:false
        Preview:%!..% This file is a reformatting of data placed in the public domain by its..% author, CalComp Technology, Inc. The original file bore this comment:..%..%.convert 167.pat 167a360h.dat 167a360h.lin..%..% Aladdin Enterprises, Menlo Park, CA reformatted the original data as..% PostScript halftone dictionaries, and hereby places this file in the..% public domain as well.....% $Id: ht_ccsto.ps,v 1.1 2000/03/09 08:40:40 lpd Exp $..% This file defines a /StochasticDefault Type 5 Halftone.....% Note that the Black array is used for Default, Black, and Gray..% (not too surprisingly), as well as for Red, Green, and Blue.....% The reason for using the single Black array for the..% RGB additive primaries is to make stochastic dither to displays..% look better since there is no misalignment between primaries to..% a screen (as there often is printing to paper).....% The CMY components are decorrelated (90 degree rotations of the..% Black data) so that misalignment doesn't cause color shifts. This
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):75155
        Entropy (8bit):4.922357623547811
        Encrypted:false
        SSDEEP:1536:ReKlzA8Ydho1fU44bv7uR+xni63oaWH6Y7cNf7cE9a3Z3a0DkVEjzoEH6crTZKVy:R9lzWo1fU44bv7uR+xni63oaWH6Y7cNU
        MD5:7EF5473AE611E317967AFE336CCBCD49
        SHA1:CA99AAF4B44CBBE732F086E2783C5B31028C0569
        SHA-256:7A57E8121D43F06F1BCC332A4DD10FAFA38504A9F9AEBED8FD60F36B6248E90C
        SHA-512:E6C001C0D6B3BF50139C63A33A54B0052D3B29468779A90EF51AAB82B11E776FD18DEA87CFE3888B2FD87E9BF11AF27CFA530551A262F42A539C50CBD6AD910F
        Malicious:false
        Preview:%!PS..% Copyright (C) 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861...%..% $Id: image-qa.ps,v 1.3.2.1 2002/02/22 19:45:55 ray Exp $..% Tests for the image operators....% Specifications for Image operator testing...% ..% 1. All 8 standard orientations (0, 90, 180, 270 degree rotations with..% and without reflection); ditto those orientations perturbed by +/-..% 10 degrees, and
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5723
        Entropy (8bit):4.718634792461294
        Encrypted:false
        SSDEEP:96:Vn4pzz7cjRI5yd769c0AK891aR6qYwXiaeqvkJpi+K9/1bEFF:IcjRI5yd1aR6dQiFJsx/bEFF
        MD5:31830F5477AAB5DC1F48F1C73611149C
        SHA1:C26990407AF0A3641BD520481D66B07BBE69EEF6
        SHA-256:4A053072001B166C4CD538F01D235F77664757B6413007270E86E627FC516E7F
        SHA-512:FFC8092E9D90E1DD8BDB09861974515DE091FD5E528AE199349020F90FC9024CF3A0948C87C5408742E494001DBF724BEAD5701CF7A429CDD9194C6D7FD93252
        Malicious:false
        Preview:% Copyright (C) 1992, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: impath.ps,v 1.3.4.1 2002/02/22 19:45:55 ray Exp $..% impath.ps..% Reverse-rasterize a bitmap to produce a Type 1 outline...% (This was formerly a Ghostscript operator implemented in C.)....%.<image> <width> <height> <wx> <wy> <ox> <oy> <string>..%. type1imagepath <substring>..%..Converts an image (bitmap) d
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):963
        Entropy (8bit):4.992624131338247
        Encrypted:false
        SSDEEP:24:AOZZReQK8avvv6XDIQZZ6cidgFVffl1hFjnqCJlX:xnReQ6v6UiTi+Ft91hFjFHX
        MD5:1B92B5A4A8C8A85F653C5997D4812F9F
        SHA1:AE189C2B28D60389EDADD8DB12576D2C0EEC5F08
        SHA-256:30E86A86CFC6539188031751C84BCA6FD5B5FD50CA151D2A2B10788F4BF5930E
        SHA-512:7F66C1954A7DD14F44120E69E60C56FB3C07472A98440CD7C4291ADA404F5FCB39267FEDEB084DDDBC5B601D2345B57AF533B95CE35EB68F239F7FF4798C8D06
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: jispaper.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Select JIS B paper sizes for b0...b6.....userdict begin.. /b0 /jisb0 load def.. /b1 /jisb1 load def.. /b2 /jisb2 load def.. /b3 /jisb3 load def.. /b4 /jisb4 load def.. /b5 /jisb5 load def.. /b6 /jisb6 load def..end..
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):1549
        Entropy (8bit):4.515123192517662
        Encrypted:false
        SSDEEP:24:f+K1o9obyEiELRbUcQK7hwAei+JoAGGl6EaNIpaN0l6QzK3pTv:e9752bUcvqPJHfhQTv
        MD5:5FB86FBF44844076889E2B11EB49E9B6
        SHA1:D2FE2D979B65C2422FFD9CA0D3689353A11DA97E
        SHA-256:3A8518A6D22811059ECE49311E2ECA1798F808BE2CCB0CE5E1463D2522F96959
        SHA-512:8E5B552D14A972A604BD4C30B749DDCA120A6C14E841B1EFEF5AFD23BF65384892D27752279F8E9F920BD5B2A2A166BE41E26A1426A26C9EAA536800FDCD547C
        Malicious:false
        Preview:%!..% landscap.ps..% This file can be prepended to most PostScript pages to force ..% rotation to "landscape" mode...%..% There are (at least) four possible ways to reasonably position a..% page after rotation. Any of the four old corners (llx,lly e.g.)..% can be moved to match the corresonding new corner...% By uncommmenting the appropriate line below (i.e., remove the ..% leading '%'), any such positioning can be chosen for positive or..% negative rotation. The comments at the end of each "rotate" line..% indicate the ORIGINAL corner to be aligned. For example, as given..% below, the lower left hand corner is aligned. When viewed, this ..% corner will have moved to the urx,lly corner...%..% James E. Burns, 3/8/93, burns@nova.bellcore.com..%..% $Id: landscap.ps,v 1.1.6.1 2002/04/10 09:22:58 giles Exp $..%..gsave clippath pathbbox grestore..4 dict begin../ury exch def /urx exch def /lly exch def /llx exch def..%90 rotate llx neg ury neg translate % llx
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):121
        Entropy (8bit):4.765997276538032
        Encrypted:false
        SSDEEP:3:hooEFUhOTFU8LiVX+KtQv5WyA6TrsATsoJFeFQFUFLHRQTrsATsi2W:vEusTFUP9sjFQATsoJFeFQFcLeQATsi5
        MD5:EA5BD52F5607CC737F147C052EC679B5
        SHA1:B5AA98F4CAC46641C889D047D9BD93D6BC382A58
        SHA-256:B6BB7EEEC860578721DA85B812A062DF318499689AC621E1C3259BDBCB19A7A4
        SHA-512:B9007CDFCCD256776672416F5374EFC34BCDF8B9F63D8AE57FBBDDFEFC8F923739194191D4B31D688E6AE2A35AC23E28C1F7FA1A314834D970F7552759305DDE
        Malicious:false
        Preview:%!..% $Id: level1.ps,v 1.1.6.1 2002/04/10 09:22:58 giles Exp $../.setlanguagelevel where { pop 1 .setlanguagelevel } if..
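Two checks worth running against entries like the ones above, as an added example that is not part of the Joe Sandbox report and not Joe Sandbox code. The "Entropy (8bit)" field is Shannon entropy in bits per byte (0 to 8); the Type 1 font entries further down sit near 7.96 while still reading "Encrypted:false", which is expected because a PFB font carries an eexec-encrypted binary section, so high entropy on those files is not by itself evidence of a packed or encrypted payload. The level1.ps bytes below are reconstructed from the report's own Preview (the Preview renders each CR and LF as "."; a 2-byte CRLF line ending is the assumption that reproduces the listed 121-byte size), and the 7.5 triage threshold, the PFB header sample, and the function names are my own choices.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: level1.ps as rendered in the report's Preview, 121 bytes,
# three lines, CRLF line endings (assumption; it is the only 2-byte ending that
# matches the listed size).
LEVEL1_PS = (
    b"%!\r\n"
    b"% $Id: level1.ps,v 1.1.6.1 2002/04/10 09:22:58 giles Exp $\r\n"
    b"/.setlanguagelevel where { pop 1 .setlanguagelevel } if\r\n"
)

# Values copied from the report entry for level1.ps.
REPORT_LEVEL1_SHA256 = "b6bb7eeec860578721da85b812a062df318499689ac621e1c3259bdbcb19a7a4"
REPORT_LEVEL1_ENTROPY = 4.765997276538032

# Constructed sample of a PFB container: 0x80, segment type 1 (ASCII), 4-byte
# little-endian length of the clear-text segment, then the font header. The
# report's Preview of the Nimbus fonts shows exactly this 6-byte prefix
# rendered as "..]..." before "%!PS-AdobeFont-1.0".
PFB_CLEAR_TEXT = b"%!PS-AdobeFont-1.0: ExampleFont 1.05\r\n"
PFB_HEADER_SAMPLE = b"\x80\x01" + len(PFB_CLEAR_TEXT).to_bytes(4, "little") + PFB_CLEAR_TEXT

# (name, "File Type", "Entropy (8bit)") copied from two entries in the report.
REPORT_ENTRIES = [
    ("level1.ps", "PostScript document text", 4.765997276538032),
    ("NimbusSanL-Regu", "PostScript Type 1 font program data (NimbusSanL-Regu 1.05)", 7.9602470729022015),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256, comparable to the report's SHA-256 field."""
    return hashlib.sha256(data).hexdigest()


def is_pfb(data: bytes) -> bool:
    """True if data starts with a PFB segment header (0x80 0x01 + 4-byte length)."""
    if len(data) < 6 or data[0] != 0x80 or data[1] != 0x01:
        return False
    clear_len = int.from_bytes(data[2:6], "little")
    # The declared clear-text segment must fit in the data and begin with a
    # Type 1 font header; reject headers that lie about their length.
    return len(data) >= 6 + clear_len and data[6:].startswith(b"%!PS-AdobeFont")


def triage(file_type: str, entropy: float, threshold: float = 7.5) -> str:
    """Classify one dropped-file entry by entropy, with the Type 1 font caveat.

    Type 1 font programs contain an eexec-encrypted section, so ~7.96 is normal
    for them ('high-expected'). Any other file above the threshold is
    'high-inspect'; below it is 'low'. The threshold is an assumption.
    """
    if entropy < threshold:
        return "low"
    if "Type 1 font" in file_type:
        return "high-expected"
    return "high-inspect"


def triage_report(entries) -> dict:
    """Map each entry name to its triage verdict."""
    return {name: triage(file_type, entropy) for name, file_type, entropy in entries}


def level1_matches_report() -> bool:
    """Recomputed hash and entropy of the reconstructed bytes agree with the report."""
    return (sha256_hex(LEVEL1_PS) == REPORT_LEVEL1_SHA256
            and abs(shannon_entropy(LEVEL1_PS) - REPORT_LEVEL1_ENTROPY) < 1e-6)


if __name__ == "__main__":
    print("level1.ps matches report:", level1_matches_report())
    print("entropy(level1.ps) =", shannon_entropy(LEVEL1_PS))
    print("PFB header sample recognised:", is_pfb(PFB_HEADER_SAMPLE))
    print(triage_report(REPORT_ENTRIES))
```

Run it as-is to confirm the report's hash and entropy for level1.ps are reproducible from the Preview alone; for the real dropped files, feed the bytes from disk to the same functions. A font file that fails is_pfb yet shows near-8 entropy would be the case to open by hand.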
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):4039
        Entropy (8bit):4.662871520157489
        Encrypted:false
        SSDEEP:96:Bn4pzcEl2zKccocT69mycrIo8lb0N0M00lNibU0UMel40qG:hEccocTUnlb0N0M00lNibU0UMel4LG
        MD5:0AEF22CF9577962E4E9FE2CAFA7DB487
        SHA1:545F84CB9E435A9915470ECA34155E90B8C6A5A1
        SHA-256:DBDF60D17C4F27A8AD16C39E50888DEBD091007D786AEF26C275D6E56A08C712
        SHA-512:80EFF99BD88B3C1149C7BC5BAD0C0A07D41170C867D23ECF223870FA5EDE1CBCC6D8B4F4887743E71ABE9395F5B9F092C2A7701959D8B100AD2D74E27AF1BCB0
        Malicious:false
        Preview:%!..% Copyright (C) 1989, 1990, 1992, 1994, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: lines.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Test line rendering (stroke).....% Exercise the miter limit. The left column of lines should bevel at..% 90 degrees, the right column at 60 degrees.....gsave..1.8 setlinewidth..0 setgray..15 15 scale..-5 5 translate..[1.415 2.0].. { se
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3609
        Entropy (8bit):4.83752515103099
        Encrypted:false
        SSDEEP:48:bnReQ6v6UiOwKSmHH/fIGn73367nghYg+kl0oGzC5vJY9KiJ:bn4pzTXn/LAWn+klNGuBiJ
        MD5:1467348BEB6149CC0E51112097461176
        SHA1:3F50B4D276C809B3533B1ACC3A63D690DC8AC6A2
        SHA-256:BBD674E43106EE28F87CB54F624A823F90ACA6EC11CB15E50828127C73EE366C
        SHA-512:52F8A24072177C709486FE45D11E5E13D2CE9E089B4F0035BC59DE6A2D401C180CEA3F06ACFE9E18CF351D39D98A4E963412CEEA01792EEFB00F00243932ABED
        Malicious:false
        Preview:% Copyright (C) 1994, 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: markhint.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% markhint.ps..% Draw the hints for a Type 1 font.....(type1ops.ps) runlibfile..../mhsetup..% <matrix> <print> mhsetup -.. { /mhprint exch def.. /mhmx exch def.. /mhdash 0 9 gsave initmatrix dtransform grestore idtransform add abs def.. gsave..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1955
        Entropy (8bit):4.822963889364228
        Encrypted:false
        SSDEEP:48:fnReQ6v6Ui0Wg1cZD//LNEUk1wXgUYoztiUkhQWMnGFc:fn4pzFtiDn5EHbUJtiUd
        MD5:59F07140010E336CB0B9F7B24FEE3C83
        SHA1:E4AE5180FC647264F5AFA1A28DFF43231D2B6AFE
        SHA-256:596B41755ADCE0A00ED30E179362B5A4C919BB207F53A25E20C9942FE3683EDF
        SHA-512:1FAC4B4B086A6529E1AD5AA4E7C45F16999C31877242F918D3EAA4BC1AD23C10ACDFBC8C79AFCF5EBE69DAE00BC13E23BB3D407963CEE48B9105E4FDE6427586
        Malicious:false
        Preview:% Copyright (C) 1993 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: markpath.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% markpath.ps..% Mark the corners of a path, drawing it slowly if desired...../Delay where { pop } { /Delay 0 def } ifelse../setxy0.. { currentpoint /y0 exch def /x0 exch def.. } def../bip.. { epsx epsy idtransform /ey exch def /ex exch def.. currentpoint ex 2
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-Regu 1.05)
        Category:dropped
        Size (bytes):36026
        Entropy (8bit):7.9602470729022015
        Encrypted:false
        SSDEEP:768:NLkA9WAu78D4EdrTRd2r4DPXVQPH85D5JVCwzxJpblhpJUAC9C0pukJBX:NLkA9WAuIDpdTRlPXy05LVCoJ7hQV9z3
        MD5:1C3092ED18554C09919B386FFA7EAB85
        SHA1:B9967F8348C302BED0BDED2AEDC64A6F265D6BB4
        SHA-256:D89A0769709568F00EC6B4ED380D006D78CA20378AD1D8A7CFE7065C17C7FD12
        SHA-512:162B678BA0C04BC3B9A577D05C795118D9FB3F2E7709602D9CD9CA07A2008FF9299D1CEB311123AAC50DD2C5E4BEF8A9BC7026986D882D2A1C7EA02878473C0C
        Malicious:false
        Preview:..]...%!PS-AdobeFont-1.0: NimbusSanL-Regu 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license ap
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-Bold 1.05)
        Category:dropped
        Size (bytes):35941
        Entropy (8bit):7.961440302888498
        Encrypted:false
        SSDEEP:768:tLkA9WAuCQy1DPhQAkmw/0cntbolTwn81gK2EtaIEgnnSkWPd:tLkA9WAutwQAl70K7JxtaFgnSkWV
        MD5:F27169CC74234D5BD5E4CCA5ABAFAABB
        SHA1:ACB56E3A4F2842EB6CA12D128013CEB2FB94C818
        SHA-256:A7A8CF4B173B410FFF6D8F006ACE207322BC52183BF219D2CE996CAB8A14000C
        SHA-512:BF0CE29EF82A731C698D6113A3B046F2CC92D7B62C7AA90F51A0C2484967ECA981332605A7A1C7FC6199AC18823CBD74415B4FC5364560500969B453B9B271A2
        Malicious:false
        Preview:..W...%!PS-AdobeFont-1.0: NimbusSanL-Bold 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license ap
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-ReguItal 1.05)
        Category:dropped
        Size (bytes):38314
        Entropy (8bit):7.9628038467417355
        Encrypted:false
        SSDEEP:768:QLkA9WAuGMgMWBnxartdbPLarcFdjVG25PYGGqTvAXWBzClYT31JFBHG:QLkA9WAusMWOtdbPZhG25gG7T9lwYHm
        MD5:E2C3D78AE784576039D060EA3DD69F53
        SHA1:142992AF29B4B1E8A92FD2953350A64F444D0595
        SHA-256:9B73948CD5E431033F7E74D470B027D55B12E39F5089DBAB3EB7226B5ED2E46B
        SHA-512:30E5AF7BAB66260E1F670EDED4948D91411A68C8FFB2118AE9D0A84EC73CFDE436D56AB23639BA195FA0A27DE1C97DD5EA26A284F9DCA137E4B21B6E51A8A4E2
        Malicious:false
        Preview:..n...%!PS-AdobeFont-1.0: NimbusSanL-ReguItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-BoldItal 1.05)
        Category:dropped
        Size (bytes):39013
        Entropy (8bit):7.963348132551168
        Encrypted:false
        SSDEEP:768:ILkA9WAucAzjOLl1fMA/zgQcGz7YU83O96+agGLSILwMLbohVtTneZZEP:ILkA9WAu5PslJgrGt8E6+GEhVlnsiP
        MD5:B244066151B1E3E718F9B8E88A5FF23B
        SHA1:5C05F8702439B8B74F085BC5FB6948A7CB56F15C
        SHA-256:E58B4C3D3ED978534C3D34A30677C25680F5AD931FB0C3D4F53726AABFE5C956
        SHA-512:A0C6DC4A1E7F74D1AE51310A620D15F8CFDE0C693A8A6D8F19F85FC0AED999F8C5AD33B6F898E82F6DFBE70AD45035466F335FF5670C6CECC829EB7B26967C97
        Malicious:false
        Preview:..h...%!PS-AdobeFont-1.0: NimbusSanL-BoldItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-ReguCond 1.05)
        Category:dropped
        Size (bytes):36615
        Entropy (8bit):7.960950232911771
        Encrypted:false
        SSDEEP:768:ULkA9WAuF+1Orm81uW8CItWAb3AQj8ejwfAcGuG/fX/2rpcbHf:ULkA9WAuwUT8fb3qejfDuEfXy4Hf
        MD5:F4EA732593D153340AAE1867E8E9191C
        SHA1:C61F24007D849B68B1CFEA1C7C6E03E484895515
        SHA-256:B4FBA13909A937B7EAB7309EB5C11CFE4F85622B8EF58C286985AACF7AC1664C
        SHA-512:A8DE899DBB90888565A652A08F0D69975AB643BD2378F5B91200F8C2FB2DD25C0F63FBC4355B6C4C488617E38F912FCBF33CB6C0B9A741E99FF4225AEEADADFF
        Malicious:false
        Preview:..n...%!PS-AdobeFont-1.0: NimbusSanL-ReguCond 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-BoldCond 1.05)
        Category:dropped
        Size (bytes):37240
        Entropy (8bit):7.963089437088482
        Encrypted:false
        SSDEEP:768:MLkA9WAuCvmr6+Y0wdrxtVxD6ndO2wCXmouQqYs0DUHxqAEtrtH/amt3BPpd:MLkA9WAuq4+0wBjqw2woDqd0DwxqAAt/
        MD5:028AD04A0B0A32799D94FAF5AB58D017
        SHA1:95DF2A6029BFF545D2029F2C44FC0F3F570B8D74
        SHA-256:3E94DD14A6E795E54D9CFEEF14D5E134513AD075E068381ED53856BC45CBE186
        SHA-512:BD0869535442AA51A7A6EF0C2C8669C8BBF011833BCF39BEC82FA2C734F902F06B38078CFCD1C27886077C3C76E1059DAB86DB663081E0A622F8D1AB65A8BEE7
        Malicious:false
        Preview:..h...%!PS-AdobeFont-1.0: NimbusSanL-BoldCond 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-ReguCondItal 1.05)
        Category:dropped
        Size (bytes):37247
        Entropy (8bit):7.960303158261299
        Encrypted:false
        SSDEEP:768:ULkA9WAu+RTcqjfVN4DFkLSIcUyv9PIaoVStAghkW0BBQRlZaSM4tw:ULkA9WAuGF3seLeUsuWkW06i4tw
        MD5:475CF037458FA01B9599286E6150664C
        SHA1:E115CBAE7363F1F9353DE3E197D216AD22D5C8B6
        SHA-256:4EB87A23CFFE7E16F1FFB3A6888F60648485501C463C6B8E5EDE4064FF512E6B
        SHA-512:D87870FB0400BAE397C27EF05E123FA8A0C64D3519718CE2C68DF3E13258AD8CA99A79CD424D81E044B4A492B01943A1FD298FC2554CA0715227851633C82F0F
        Malicious:false
        Preview:..~...%!PS-AdobeFont-1.0: NimbusSanL-ReguCondItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or li
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusSanL-BoldCondItal 1.05)
        Category:dropped
        Size (bytes):38310
        Entropy (8bit):7.964956152968785
        Encrypted:false
        SSDEEP:768:MLkA9WAu8Z7YSHhaSNLQqUpd9CrTT6YBXSlPGkVwlCnm9pS1:MLkA9WAu27YSBL1HUT9Crv6Y+PZVwlsh
        MD5:B43A4631CB368EF10F010BAAA14C2BAB
        SHA1:718B6DABF10AA4483910569DF47ED3C433D8764F
        SHA-256:884DC72A4B7EE8FD7045DA42C694E4028740DEEB3FB9BEF432B9463492E528A8
        SHA-512:F404EB3DB241BF90F2050EF69D187D0FDB48C53FC278E7E924AD5442850D90B418ED9B8354E0B9468EB621BAFDA3E19B9E9AF7ECFEB7FE223BAD39ED32319026
        Malicious:false
        Preview:..x...%!PS-AdobeFont-1.0: NimbusSanL-BoldCondItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or li
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusRomNo9L-Regu 1.05)
        Category:dropped
        Size (bytes):46026
        Entropy (8bit):7.973349830539808
        Encrypted:false
        SSDEEP:768:NLkA9WAuMqktLgmxgubTbtKCCUOUYhM+Vtfqq3mDegvg3mwLfYrqVHOsHt32ALu6:NLkA9WAutktU5ubgGv+VBIvgmCnbH12e
        MD5:6DAB18B61C907687B520C72847215A68
        SHA1:9CA8A1BE180C6A054B6335302466633BF9022CD2
        SHA-256:2EF9D47303D25F3C9553A43255DAE8C39160E130AD5ED34444E39DEE03D796A1
        SHA-512:5EC2C77489E7955426901617FDF78C39FADA93DA1497BE08CF118DD837AA8271E394952DF46163F8A44ED5ED5F250B3922BA9545947662B29395A8D6366228CF
        Malicious:false
        Preview:..m...%!PS-AdobeFont-1.0: NimbusRomNo9L-Regu 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusRomNo9L-Medi 1.05)
        Category:dropped
        Size (bytes):44729
        Entropy (8bit):7.971770859324153
        Encrypted:false
        SSDEEP:768:BLkA9WAu389rlzRf6YcG7O3xdUl1/wFroZ1WITNbumHIi0NF/hmj/1tZVrCLAou7:BLkA9WAuM9RzAlG7Qil5krMXTN3P0LQ1
        MD5:811D6C62865936705A31C797A1D5DADA
        SHA1:783231EBD8E9667E9BABAAE80C2FCE59C0671241
        SHA-256:7F3F19F61452892A29D06AF2836331CA78AED29390914D294F7A440D35927142
        SHA-512:B9EE31E667B4266A7027A7CF9FBDC9BB4AFD98EE803781216BF7426E7A0F34FF999048F722E214934F62A682A4D5B5E0D55821EC55BE873EC2FE91A60AC5E7EF
        Malicious:false
        Preview:..i...%!PS-AdobeFont-1.0: NimbusRomNo9L-Medi 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusRomNo9L-ReguItal 1.05)
        Category:dropped
        Size (bytes):45458
        Entropy (8bit):7.9723393562578915
        Encrypted:false
        SSDEEP:768:WLkA9WAuQtBwfVHHsiRzEaMS4EbWir1l/4GA1Z8C1x7DQWR8RoNsbhKpHd1tgDTL:WLkA9WAuRLdkEbL4hSCz7EWHNWhIHTgL
        MD5:A3FABA884469519614CA56BA5F6B1DE1
        SHA1:52B319F7E1663DD4D87310D2DA18B81B83DACC90
        SHA-256:F9A0C528B42D2DED2884E31CF1D225B81739CA9B17A0E7CB362FAD404CE0AEDF
        SHA-512:36FEB6248453A8FE6F9DDA1BEF7D44DFB83F21910853014194FDFD50A86BCDDDBA0A0428232F057A1C983CE8FD85AB1AB2624A730732FBFC1AA46C7C4233D7CD
        Malicious:false
        Preview:..~...%!PS-AdobeFont-1.0: NimbusRomNo9L-ReguItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or lic
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusRomNo9L-MediItal 1.05)
        Category:dropped
        Size (bytes):44656
        Entropy (8bit):7.970763945238117
        Encrypted:false
        SSDEEP:768:BLkA9WAuigNyMaseUKMtpKzEMkzBOC0uqzvvIqcTPAzaJ1YmfXgZN68TX4Vp:BLkA9WAuvNyMaseUT5BOCkvlcTPF1g6J
        MD5:0CBCA70E0534538582128F6B54593CCA
        SHA1:510E1EA497AE74CBF3F5D1B2A090AE88FE5A44C4
        SHA-256:21D029FDA4757908BE702F42811199EAC11CE5886C0ACFDDD574DF4545B1E7A9
        SHA-512:D8B9ED2FB03C09C07B9612D69FF5E4FC36F5912D0898415CECE0511E5EFAA19CEB55848AFA627E3825D1E1E3362FDE8D3E74336BF253A6D4DB565C47DA7B27D4
        Malicious:false
        Preview:..y...%!PS-AdobeFont-1.0: NimbusRomNo9L-MediItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or lic
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusMonL-Regu 1.05)
        Category:dropped
        Size (bytes):45758
        Entropy (8bit):7.973385498891676
        Encrypted:false
        SSDEEP:768:rLkA9WAuGyxQSR5pKpEamksOZw3ssNebuQAjb42vP3qV2nqW/CQKCXqahS83H3M2:rLkA9WAujq+jKxW3sYIAjb42HqV2qyCs
        MD5:19968A0990191524E34E1994D4A31CB6
        SHA1:B16FD6A3BBC63417571CC5DFB900871D798262C9
        SHA-256:8816758F882B18A97A2FCDD4E496B881CD7726B8612648CBFB1C9DE2D9853029
        SHA-512:E5D8FEF2200874A4E9315CF72A2FB0F1D0C325C2A6DFEAF840C80D99AAE5E8639CE20B3234581A2995BEB80D50AC91FB1C4810F377FFA38EFBAC363DBB9BCD39
        Malicious:false
        Preview:..[...%!PS-AdobeFont-1.0: NimbusMonL-Regu 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license ap
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusMonL-Bold 1.05)
        Category:dropped
        Size (bytes):50493
        Entropy (8bit):7.975846693764515
        Encrypted:false
        SSDEEP:1536:zLkA9WAuYu72LkH3QY0ZDkUgDgeDqvnliI/TG72TtLr:sDvkyAT3gDHDqflt/TG7ELr
        MD5:4ED1F7E9EBA8F1F3E1EC25195460190D
        SHA1:CDEA656D1BD06F38A795B61223A81C4F4F4CFB87
        SHA-256:115A5A2363A24F7AFD4F2021763F62FDF0C034C133EC36D2B13B983F6E1E68DF
        SHA-512:EDAB8FC393F6D6D18DECEA9B53F8748DD5B207980ED579681671E59A20157C1185840614D4A82BB921EE9CDD885CED0D69276660F13359E1263FD08B3CD79A55
        Malicious:false
        Preview:..U...%!PS-AdobeFont-1.0: NimbusMonL-Bold 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license ap
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusMonL-ReguObli 1.05)
        Category:dropped
        Size (bytes):44404
        Entropy (8bit):7.972184115042817
        Encrypted:false
        SSDEEP:768:DLkA9WAusJFRqjlwXDTtsDoflt9cdcZ/vUHZtmzeSeFiCJIgoErdnFVT/r0+WCn3:DLkA9WAuKXXvMeltadcNUDmzepsEtTTn
        MD5:EA3D9C0311883914133975DD62A9185C
        SHA1:63AECCB375BC5961E5AB03D11E34821958D1196F
        SHA-256:5FFE8060BB3E9E3456835076C46D29DFD4F233B7CA753BBB71F512DF741CB118
        SHA-512:905AB8BE0725EECFEF220DAD4DC53080C73D177DCD46AB9691EBC169A1B277B8EF671006955A8372FE20018FEA5C15A284797D0948B920C69D4A7A0BBAD18AF0
        Malicious:false
        Preview:..m...%!PS-AdobeFont-1.0: NimbusMonL-ReguObli 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (NimbusMonL-BoldObli 1.05)
        Category:dropped
        Size (bytes):51527
        Entropy (8bit):7.977346981468182
        Encrypted:false
        SSDEEP:1536:zLkA9WAu4XyYgfiE1Orvly7xEQyejopcfa9H2CvP:sDuXyYgaEAly7xjPjZflCvP
        MD5:8B8414FB335C1BA9C7CA364C3E691B70
        SHA1:85AEA2B76E24431EB107F5FC67410766511ECECC
        SHA-256:4F3A93F5DB9BC1EFF72E3AE198FD34F3C19C7F44E44CD107D4DA5F9433E394BA
        SHA-512:67E574D47EDA96B905F3DE65CD4020E5A815B42009C04DA22F9791D09797041E9968A872D4A98E3B64DB06713A03CD5B93A7E77A6A850DC6FFCC151E2D3C3C52
        Malicious:false
        Preview:..g...%!PS-AdobeFont-1.0: NimbusMonL-BoldObli 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or licens
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWPalladioL-Roma 1.05)
        Category:dropped
        Size (bytes):52665
        Entropy (8bit):7.978400845147363
        Encrypted:false
        SSDEEP:1536:hLkA9WAu37ZWPnNThPgK3mozm6atxwBWHiqACjXvy7IJn6CB8:yDx7ZWfNdoamexgaBWCqAAn6C8
        MD5:661B1E6B26EDB5F50DD491F8A701CB57
        SHA1:1F69901535A61EB266F8E0346CE1376832B2BDB7
        SHA-256:1FA269C3D9F9CCE83A3D032DC58122A7D514A79E6027C86858D8F1761D47D1F4
        SHA-512:20C85D5CE3F7493DFB25FA367B71786CD5940383993A0EAA4209FD1E5B8BC421896BC83BE8F714191EA15D78D5DEA23B3837B42C08E1A553D7A7980F0E0456D7
        Malicious:false
        Preview:.._...%!PS-AdobeFont-1.0: URWPalladioL-Roma 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWPalladioL-Bold 1.05)
        Category:dropped
        Size (bytes):52406
        Entropy (8bit):7.977690644812763
        Encrypted:false
        SSDEEP:1536:xLkA9WAu1jRqb9mixy92mis1naXQ0yzhsAd/68Z35K:CD7MhE2mdRyQ0X9MK
        MD5:DAD2F72863A03727D5F536C64A69C452
        SHA1:BF2A20250B5B608332FA6652901FE0B19D0E1170
        SHA-256:763886DE629C882C76E3B5F26702664984CA4219067A6EDD60B1D098C53D01F3
        SHA-512:EBD9C10F2B81283CBCE98B3C0A12ABDE021725F0F6308A4651E2D9959A19C753F64AB2E6C88564EFBB94DCAE1F811212C2F567A86FFDED68BD18B9AF656885FA
        Malicious:false
        Preview:..]...%!PS-AdobeFont-1.0: URWPalladioL-Bold 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWPalladioL-Ital 1.05)
        Category:dropped
        Size (bytes):50022
        Entropy (8bit):7.976877926985854
        Encrypted:false
        SSDEEP:1536:0LkA9WAuuxdIK/9mOnYIQXe2APX+29NjYVHYLKEzTTjHCHyNm:XDwxd1/9dYPXRg+29dYVOWHyU
        MD5:90249CBA7E3E4E9845F80328D6F9BD13
        SHA1:B9B74DC5C192080ECA9BDAAE8AD7211489A28B88
        SHA-256:47495953F98B3C05F123D4DFDD331E2DB6884E61DF76B05A5E085AC3910951CB
        SHA-512:2AAD905A41F3A2B1438CE903C7EC9B555ACB739FECFFC7E3E8902AD1CBCE6E871BACBB6900986D84D0E82582AF4906C020305D6D0D5231D09E0D129B34D71BE6
        Malicious:false
        Preview:..c...%!PS-AdobeFont-1.0: URWPalladioL-Ital 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWPalladioL-BoldItal 1.05)
        Category:dropped
        Size (bytes):51285
        Entropy (8bit):7.978599156570455
        Encrypted:false
        SSDEEP:1536:xLkA9WAuDalGzlPK0Fr2mh3C4l+YByJbYomXoFx5bZ:CDM8Rrlh3C4l++yJbCXoFx5bZ
        MD5:96E6AC8305D3A03D04D7EE3879E2710E
        SHA1:33BD15B05904ED13584E6C9AF1C7BCC2BECE5225
        SHA-256:0D67A25494D47B5454FE20632980FF8B8952670A31C1AE97EC9E9092BCBE697D
        SHA-512:69FEDBC9719DC6188984AF8431E7DA7254F1E095B3161112FEA483B74F939F6D69102101D4083CB6CAFBE9F8D13C68271C4E5CB97BBE9E4BBEB7DB7D4AF395CD
        Malicious:false
        Preview:..m...%!PS-AdobeFont-1.0: URWPalladioL-BoldItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or lice
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):10702
        Entropy (8bit):4.929837909359013
        Encrypted:false
        SSDEEP:192:fUBygLz9uI+f7O5D3Lh5QB73ljVd28jy5fWNGFGYJpb5imMXoR6:fVazstf7OF3LvQBlW8oCG5v8a6
        MD5:368EE93082AD75DCF63AEF5AACCEE2E3
        SHA1:66E0E461BC33D3F08AB78B94742B5175B242B096
        SHA-256:EF29D80CC636B0AD9A747B24E6948275979BEF9E3BFF80ACC1593F2D9BA3E9A5
        SHA-512:A2255C4E73354DDECA8397A812C5DC8F0418E19A6E731968D69BDB7D6F2BDE40AB7D71243D68A58FBE8CCEE91662CB250C05262CDECC2624DC6C5ABF79A4191E
        Malicious:false
        Preview:% Copyright (C) 1994, 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: packfile.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% packfile.ps..% Pack groups of files together, with compression, for use in..% storage-scarce environments.....% ****** NOTE: This file must be kept consistent with gs_pfile.ps.....% ---------------- Huffman coding utilities ---------------- %.
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3716
        Entropy (8bit):4.9162768368993675
        Encrypted:false
        SSDEEP:48:NnReQ6v6Uivksv7c3zmrieMp/DodOBXKqy7CDL5A1KPjo/nOhH5uD6UxhkTXO:Nn4pzaksvUzvbodOtK6DBDhH8DYXO
        MD5:53D0F76168E9246AD236EAD13A9D47B2
        SHA1:CAE9D9495209002DE3FF33586E801C29C7989720
        SHA-256:482778E2087E406DCEF50E93E31FBE99EDA5D87CA3E470566993B0F6712E9F1E
        SHA-512:1498C8102A095D786EE075DFF358139A9BD9DB002658D2E9592EEFD73EB281CC050165BD70421BCC78DEF526FB4F968A4854BAE67F6663A73D2B271D7CC2643F
        Malicious:false
        Preview:% Copyright (C) 1990, 1992, 1997, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pcharstr.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% pcharstr.ps..% Print the CharStrings and Subrs (if present) from a Type 1 font,..% in either a PostScript-like or a C-compatible form,..% depending on whether CSFormat is defined as /PS or /C.....% Load the Type 1 utilities...(type1ops.ps) ru
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5206
        Entropy (8bit):4.926899356005434
        Encrypted:false
        SSDEEP:96:en4pzhijCAkTdjJFffqpA72MYc3Ae+0blCwrGHHhpW0Om:zi+AkdV1fqDMYveNblGhws
        MD5:C875C6BC717D6B5C220E888F884CC236
        SHA1:18CA010C1D44FB9D7A1BE805F290FFF6B5E43D8D
        SHA-256:D627A274DAC367D5010C06A6830A7FE1F87191F87E02E0BEF029EA4703DD5A88
        SHA-512:BC30D48F847D2BBCF3B961D6C60DBF50FACCF82E767314741C49C0051D52B5CAA876B8E1D5ED2045C77D21F38BDC74E5003A0A04EBA94900CABB4A70D460A5B4
        Malicious:false
        Preview:% Copyright (C) 1994, 1995, 1996, 1997, 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdf2dsc.ps,v 1.3.4.2 2002/02/22 19:45:55 ray Exp $..% pdf2dsc.ps..% read pdf file and produce DSC "index" file...%..% Input file is named PDFname..% Output file is named DSCname..%..% Run using:..% gs -dNODISPLAY -sPDFname=pdffilename -sDSCname=tempfilename pdf2dsc.ps..% Then display the
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):33132
        Entropy (8bit):4.939177443913486
        Encrypted:false
        SSDEEP:384:/0fMepi6AlTcBI9mugP531ge2a0IlLdjuddgklTb00:lgUJiPrg/bHdJA0
        MD5:6255D3359C55AAEAA6E87B1D28C8DFB0
        SHA1:6695B4DDCBA5C42AA7EEA99B2C1CC80537F3C79F
        SHA-256:E75836D9DBBA3D6F781D21DC0AA51A5F6B60D0B174B89D56C3A508D287515ABB
        SHA-512:9825C35115586A638CEABD8A75E57B7D63D41AE29C13D84E6B9670C518F3274F932CE979DD06388F713B8C81DC5B72B964A2E4F5943964B7F9DA711123BF0FC8
        Malicious:false
        Preview:% Copyright (C) 2000, 2001 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdfopt.ps,v 1.10.2.2 2002/04/02 13:57:27 mpsuzuki Exp $..% PDF linearizer ("optimizer")......currentglobal true .setglobal../pdfoptdict 200 dict def..pdfoptdict begin....% This linearizer is designed for simplicity, not for performance...% See the main program (the last procedure in the file) for comments..%
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):8371
        Entropy (8bit):5.045458964152841
        Encrypted:false
        SSDEEP:192:1vkCVCRdKabNKJcnkiQpk/X+ukzSXajwR4oAYgGrto:9fEtDYk/oSXUXYjG
        MD5:0C245D4DA2C2F8D9863AF857BF471AC3
        SHA1:91D8C343DD4FAD1D488A53008777AF6D3BC39A98
        SHA-256:5C81F884E5639F309609FF8C9DB7A75BAAC26F9C89CAFD6F05895C8CE2866ACB
        SHA-512:5057E56571EC66ECF5FD0BDBCD2D35E0EF9C412E5003926A658A8C16F3AD68712CF14525C74C1A27D4FB8C33D068765D5369302784C3D2C4730FDA57B5B1B50D
        Malicious:false
        Preview:% Copyright (C) 1999, 2000, 2001 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdfwrite.ps,v 1.7.2.1 2002/02/22 19:45:55 ray Exp $..% Writer for transmuting PDF files.....% NOTES:..% We do editing by replacing objects (in the cache) and then doing a..% simple recursive walk with object renumbering...% Free variables:..% RMap [per input file] (dict): input_obj# => output_obj#.
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):21402
        Entropy (8bit):4.88007126764491
        Encrypted:false
        SSDEEP:384:7r7Q3BaelesMDDE0pjmeLCuaDWMScKRwU9euS0RDTDWXL5NW6:7vCwarMnxpCepMS+qxPDmL5NW6
        MD5:7695B1CD229BCD6917E4B33F8E9D55F8
        SHA1:792F206C632BD9633B52E1BC36E42E3CE92C2D74
        SHA-256:61F3DCA588EBE603F40798E08EE1EF24E9B395C00B8AB5F38189D5EE4D0EB856
        SHA-512:569E6532D120F8070F6B42BFC638BBCFC2BED4F4DA847B0F306D27F4094A71EEB2CE5621B622FD241F761B22DE7D3EE6E841F3C2E11D30C910BD7A58920516A7
        Malicious:false
        Preview:% Copyright (C) 1994, 1996, 1997, 1998, 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdf_base.ps,v 1.14.2.1 2002/02/22 19:45:55 ray Exp $..% pdf_base.ps..% Basic parser for PDF reader.....% This handles basic parsing of the file (including the trailer..% and cross-reference table), as well as objects, object references,..% streams, and name/number trees; it doesn't in
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):35133
        Entropy (8bit):4.888456182091639
        Encrypted:false
        SSDEEP:384:baQ2Pl+d8StpeSlp20Egyy8QThwzvcZz8rXV6r/KfpHPZvGidnv7vHWl2/:eQ2hS2Slp27COWoV2/KfphvGiFbHWlq
        MD5:2027843302104C2796927AF7534DDE0F
        SHA1:12E3E8A53686A8AA5ED7ECE68C177BAD41D2A4EF
        SHA-256:47767346E9DBDD0D0E0E8F74DF03CAB5BE3482B1081E1AB0B3F37C751B5F2C76
        SHA-512:AC5F21C5E38E98132953A76956C7CBE5855F5CCC62D1DCE19C552C9A324FCC7A91445FFA57716E5F3958F48C8F5F802E3018473F228A2A069972B265ECDDB6A6
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdf_draw.ps,v 1.36.2.2 2002/06/28 23:12:21 ghostgum Exp $..% pdf_draw.ps..% PDF drawing operations (graphics, text, and images)...../.setlanguagelevel where { pop 2 .setlanguagelevel } if...currentglobal true .setglobal../pdfdict where { pop } { /pdfdict 100 dict def } ifelse..GS_PDF_ProcSet begin..pdfdict b
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):39450
        Entropy (8bit):4.873003564255242
        Encrypted:false
        SSDEEP:768:coNGA+sGeMEyHyMc/Ve0sFn1Q2pcYRQwb7Ruo:ceGA+U/Ve0sFn1Q2p3RQwb7Ruo
        MD5:399A6548C25A93AF9CE9C468D012356D
        SHA1:58E983F9C3155837846111000820DFEF0B29991A
        SHA-256:602039223CBD4A85AA4D9A4E6DC2CC7EEAE11C10DC255A80AEBB0B41498F7F90
        SHA-512:02181F951E4BE4B90B7336895857A12095648013E537A5261AD7BC0F48AEEA3A11CD334DDF99D20DD9C45DF847BABD613A8D1FCAC1C4DD93A8198CCB0545185F
        Malicious:false
        Preview:% Copyright (C) 1994-2002 artofcode LLC. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdf_font.ps,v 1.23.2.6 2002/04/16 06:11:29 giles Exp $..% pdf_font.ps..% PDF font operations...../.setlanguagelevel where { pop 2 .setlanguagelevel } if...currentglobal true .setglobal../pdfdict where { pop } { /pdfdict 100 dict def } ifelse..GS_PDF_ProcSet begin..pdfdict begin....% We cache the PostScript font in
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):25020
        Entropy (8bit):4.818137014344204
        Encrypted:false
        SSDEEP:384:MqfZ+1kQv+klicCl5n6cAblIf50+PXwGprdP7ZSrqFtaOdlixGsf:bfGkQv+cicE56Afe+YYdzmqFtaOdltk
        MD5:FE849309FE00B5B78D3583A1F6CB2310
        SHA1:CCB1EA1C31AFEEC3D08FBEBB16CCC0FD63421E26
        SHA-256:393DFBA588FFB3BE7D1E8046E4CF296A7645B3D55DB243A3A43017A8D181E18C
        SHA-512:B4EA11898AC818D0B237F155A7B5B3A82D73A72E19088F3FCE622010C605D4420D3FBCF3ED362580E926A2D863681FF3E75C247FFB66ACE91614738F181CC4D5
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdf_main.ps,v 1.35.2.7.2.2 2003/01/28 11:54:11 ghostgum Exp $..% pdf_main.ps..% PDF file- and page-level operations...../.setlanguagelevel where { pop 2 .setlanguagelevel } if...currentglobal true .setglobal../pdfdict where { pop } { /pdfdict 100 dict def } ifelse..pdfdict begin....% Patch in an obsolete var
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):16303
        Entropy (8bit):4.928991181437981
        Encrypted:false
        SSDEEP:192:O0FN0Wq/8b3lfJS7WgOwrFLLcTsOdFdC6OOb9dIwVGT6pdBAwAJQPA94kdYXyiqc:O0n1kL4Ts+bdIepd6wAJ9zdYlqOMg
        MD5:5C2B9E00D9D2A57FC826EA9BB8954F60
        SHA1:0263186EE1F151045A7DEDFE81BCA389B2069D96
        SHA-256:1C725661BD332CDF5C4D87B7CD798B1E11CBA817BADAD2948B9F6BDF04F98D14
        SHA-512:ABD50EA3AE6E3EEF0D524C63C13877DE23CBD9128E2659D3E940F5892C2547FB341B58CA30A851DD5268229B8FD97EAC00D4FA9558F0E2C67BE196A72541FD19
        Malicious:false
        Preview:% Copyright (C) 1994, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pdf_ops.ps,v 1.17.2.2 2002/02/22 19:45:55 ray Exp $..% Definitions for most of the PDF operators......currentglobal true .setglobal....% Define pdfmark. Don't allow it to be bound in...% Also don't define it in systemdict, because this leads some Adobe code..% to think this interpreter is a distiller...% (I
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):9786
        Entropy (8bit):4.808348117089843
        Encrypted:false
        SSDEEP:192:yxqM5UCrRNJOxwJqhgHaXAT/O6w17ktyUaXRWNFEWeO3oWu1MjI1:yxqMzYx3jM/O6Y7BfRWN2WeO3of1AW
        MD5:7944CF5F89DE4FFFE2959E793A87C76D
        SHA1:3989B0C35A49B5ED97E3C023581B45E1B903DA8A
        SHA-256:9470772B2FEC6B4377BE12C7D1BB7DA3B3E02DAA3BB451F7B4F8A0C2F5405AC8
        SHA-512:1E99E2F62FD913A5D24B35DF8B936EF37910CD9DC233FF850694F49CDC3FF2DF1F3FD76BC552B1AF8DDFD7DF4A113E7DB21B2712100540C240C90E95D4FDA00C
        Malicious:false
        Preview:% Copyright (C) 1996-1998 Geoffrey Keating. ..%.Copyright (C) 2001 Artifex Software, Inc...% This file may be freely distributed with or without modifications,..% so long as modified versions are marked as such and copyright notices are..% not removed.....% $Id: pdf_sec.ps,v 1.5.2.1 2002/04/02 13:57:27 mpsuzuki Exp $..% Implementation of security hooks for PDF reader.....% This file contains the procedures that have to take encryption into..% account when reading a PDF file. It replaces the stub version of this..% file that is shipped with GhostScript. It requires GhostScript 7.01..% or later.....% Documentation for using this file is available at..% http://www.ozemail.com.au/%7Egeoffk/pdfencrypt/....% Modified by Alex Cherepanov to work with GS 6.60 and higher...% New versions of GS require explicit checks for /true , /false, and /null..% in .decpdfrun . This fix is backward-compatible.....% Modified by Raph Levien and Ralph Giles to use the new C..% implementations of md5 and arcfo
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):15032
        Entropy (8bit):4.880886922346674
        Encrypted:false
        SSDEEP:192:gVWEZX8tezSXjjTe44ZcwhhYp41MqIebvokOJ0slKypBdAKeBSjQwmUIq9fQuEqT:g8+5GXjjGZV1MqIYgkOaspLM3cQLyrf
        MD5:2127D72ED4E542C9668C78540C91385F
        SHA1:4B9127909D746BD83A79A86CA1BF30C70773262E
        SHA-256:D2787635A71B0F4AE537D81EE19376E9FDEA05E334D8A0AFC95156BDCCC2467A
        SHA-512:76D957657895673A63B29F1D19925A8F21B337FDE5691A145279EE43E1093EEE6B0C60CE43A02233F6ED27B749ABA0E293CD452BC978EF80806489B02E1EFD38
        Malicious:false
        Preview:%!..% This is a PostScript program for making an AFM file from..% PFB / PFA and (optionally) PFM files...%..% Written in BOP s.c., Gda\'nsk, Poland..% e-mail contact: B.Jackowski@GUST.ORG.PL..% version 0.5 (18 XII 1997)..% version 0.55 (11 III 1998) -- unlimited number of chars in a font..% version 1.00 (27 III 1998) -- scanning PFM subdirectory added,..% code improved; version sent to LPD..% version 1.01 (1 II 2000) -- message changed....% $Id: pf2afm.ps,v 1.3.2.1 2002/04/10 09:22:58 giles Exp $....% Usage:..% gs [-dNODISPLAY] -- pf2afm.ps disk_font_name..%..% The result is written to the file disk_font_name.afm, provided such..% a file does not exist; otherwise program quits...%..% The font can be either *.pfa or *.pfb; if no extension is supplied,..% first disk_font_name.pfb is examined, then disk_font_name.pfa...% Moreover, if there is a *.pfm file in the same directory or in the..% subdirectory PFM, i.e., disk_font_name.pfm or PFM/disk_font_name.p
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1181
        Entropy (8bit):4.910383274073896
        Encrypted:false
        SSDEEP:24:AOZZReQK8avvv6XDIQZZ6xd4S7XdL+GPH27t6xfzu4r:xnReQ6v6UiEGFEnn
        MD5:87ABA0846094B60E8840D83B7A894230
        SHA1:ADB7DC4F0FA9A5466CE9BB9ACF4F141B209F4333
        SHA-256:7AD91A3E6BFFF538AD1A99135EFB18DF0DC4DF7B59CD43EC6ED48F73A34037FB
        SHA-512:A1E3C22AF6FB59FBE294070F7D5B7E17ABFE436CA4A5B0B55E94AD74AD7F7892531642B0D88F0A3F668BEC7F5B7074515DD32458315D2EC3C88D6207A74429D8
        Malicious:false
        Preview:% Copyright (C) 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pfbtopfa.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% pfbtopfa.ps..% Convert a .pfb font to .pfa format.....[ shellarguments {.. counttomark 2 eq {.. /pfa exch def /pfb exch def pop.. /in1 pfb (r) file def.. /in in1 true /PFBDecode filter def.. /out pfa (w) file def.. { in read not { exit } if out
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2034
        Entropy (8bit):4.907510689092431
        Encrypted:false
        SSDEEP:48:WnReQ6v6Ui3XhPywhvfGJdjQOsQDUlQ3IgeQjQIHqcq:Wn4pzoXkAvfGfUOs8UlI5ew7qn
        MD5:559569E61345D07BE69B9A1F5CB41A8E
        SHA1:F1565DE75E64FEA469B4876DB2EA4BF8A4E1F25D
        SHA-256:FDBD3E3E56DC3926B721E7008679C4D9D8741C9241CB0BC463B4E22A555108FE
        SHA-512:63E3012F532E98340C27646B9CE20EBB385F3B521A366E298A031C0C95ED1170E7AE84C7F4C07216938EBF1A4F9E14052DE3DAC98A444B23BC184392335B126D
        Malicious:false
        Preview:% Copyright (C) 1989, 1995, 1997 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: ppath.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Redefine pathforall for tracing...% Can't be used recursively...../# {( )print} def..../-mat matrix def../-imat matrix def../-smat { //-mat currentmatrix pop //-imat setmatrix } bind def../-rmat { //-mat setmatrix } bind def../-pathforall /pathforall
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7148
        Entropy (8bit):4.8507007049611035
        Encrypted:false
        SSDEEP:192:BCV8Stk1uXSmYnQS9G/WvHzZrhvJPJWdBPP:skb5BTZrhviL
        MD5:FECF683F1199D15D3164AF97D6BEF175
        SHA1:7F9A5C68D45AFDAFFC296F82965784343B214B7F
        SHA-256:07AC1A98FC5F890F37568E202993779EB30BBD0C9E347B37B75B7AE61B3EFA30
        SHA-512:0184D901A75B8A87F3D4D6D13495FBFEA02916B38E506B593D63D944A67C5F0EB0898448AD6D8F2535A9A2BB3647A89582A805D23745C0FE02CF7425F3E33D5E
        Malicious:false
        Preview:% Copyright (C) 2001 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: pphs.ps,v 1.3.2.1 2002/02/22 19:45:55 ray Exp $..% Print Linearized PDF hint streams....% Utilities../read1 {.% <file> read1 <value>.. read not {.. (**** Unexpected EOF) = flush quit.. } if..} bind def../read2 {.% <file> read2 <value>.. dup read1 8 bitshift exch read1 add..} bind def../read4 {.% <file> read4
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):6630
        Entropy (8bit):4.938598219190871
        Encrypted:false
        SSDEEP:96:2j6Q6m696N6k606gLt2O4LYJGPaEgIOI+rtHTuHVVX9F8fCySO08IBNZt/K:ct2O4E8CEgIOISzuHVVX9QXQ8IX/K
        MD5:4E9431F81A4355B40382E60A50306836
        SHA1:1CA6504C43AE91F7DF1CF036D281976D01151E3D
        SHA-256:165D1866179E71D1131C3EB3FB1C61DEEB202E6AB8EE8AB12A66DDDF5A046E33
        SHA-512:251E0B72815157FDE63710BE721872D2D65D9F812CA0710F2A12BCAE0F7FE0806FB17584217516BB7603AAD5A7318BFC22B262C41801F5AEFEB9884389DEC8E8
        Malicious:false
        Preview:%!..%%Creator: Eric Gisin <egisin@waterloo.csnet>..%%Title: Print font catalog..% Copyright (c) 1986 Eric Gisin..% Copyright (C) 1992 Aladdin Enterprises, Menlo Park, CA (ghost@aladdin.com)..% Modified to print all 256 encoded characters...% Copyright (C) 1993 Aladdin Enterprises, Menlo Park, CA (ghost@aladdin.com)..% Modified to print unencoded characters...% Copyright (C) 1994 Aladdin Enterprises, Menlo Park, CA (ghost@aladdin.com)..% Modified to always create 256-element Encoding vectors...% Copyright (C) 1995 Aladdin Enterprises, Menlo Park, CA (ghost@aladdin.com)..% Modified to print more than 128 unencoded characters...% Copyright (C) 1996 Aladdin Enterprises, Menlo Park, CA (ghost@aladdin.com)..% Modified to leave a slightly wider left margin, because many H-P..% printers can't print in the leftmost 1/4" of the page...% Modified to print unencoded characters in any font that has CharStrings...% Copyright (C) 1999 Aladdin Enterprises, Menlo Park, CA (ghost@aladdin
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):3399
        Entropy (8bit):4.93524018860198
        Encrypted:false
        SSDEEP:48:Q+IGIYd32r50Xucc83YwlrahKufo6CXAmXTc3Al2GtKbE:qGdM2Xucx3ehdfOAmXTZibE
        MD5:9686BF12B76788B082C315A88DFBD0D4
        SHA1:5FD93DAD2C396436190EDA025094A65858E1B9EA
        SHA-256:694CC729B5834BBAEC79046D8E02C4659462DCBFF1E13774E121C48F12A89561
        SHA-512:7C379BC125824CD500A4D122F96BCB3F8964A7E38E396274FB5E6EBC87B4C944B34C0CCD733F5D973FDB96C23E5B82CBB4B3E1CB13A566E7606350BC66BFF3F7
        Malicious:false
        Preview:%!..% written by James Clark <jjc@jclark.uucp>....% print an afm file on the standard output..% usage is `fontname printafm' eg `/Times-Roman printafm'....% From the `dvitops' distribution, which included this notice:..% dvitops is not copyrighted; you can do with it exactly as you please...% I would, however, ask that if you make improvements or modifications,..% you ask me before distributing them to others.....% Altered by d.love@dl.ac.uk to produce input for Rokicki's afm2tfm,..% which groks the format of the Adobe AFMs.....% $Id: printafm.ps,v 1.1.6.1 2002/04/10 09:22:58 giles Exp $....% Modified by L. Peter Deutsch 9/14/93:..% uses Ghostscript's =only procedure to replace 'buf cvs print'...% Modified by L. Peter Deutsch 9/6/95:..% uses Ghostscript's shellarguments facility to accept the font name..% on the command line...../onechar 1 string def....% c toupper - c../toupper {...dup dup 8#141 ge exch 8#172 le and { ....8#40 sub...} if..} bind def....% printcharmetrics -....
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):6
        Entropy (8bit):2.584962500721156
        Encrypted:false
        SSDEEP:3:JMOvn:Ln
        MD5:1A5427AD7FD8B2BC47791F113F6EC9D8
        SHA1:92B01D72316FDE624E36442ADFE6B02C2867DEA9
        SHA-256:EAA9EB2410FFB871A6971AE3C3D0A41236BC4FE35547B320FCF031CD8D24706E
        SHA-512:01051ED210FF5DE87A46F8AC464E9C33517C23D19498591474913998FE241890D4CE19D5A2594B2B13B8F0D80942F8CE7E2D0B77F43652540DFDE3E78824D35A
        Malicious:false
        Preview:quit..
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):12125
        Entropy (8bit):4.972060616274557
        Encrypted:false
        SSDEEP:192:CMwQ3EC/GOh5JezBqKdP7sPUVnGc4Kd31JTCn6ClLD:J30s6dqSsMVnGmFJTCn6ClLD
        MD5:A70A59C6E3ADBA3B3900171525B786B6
        SHA1:07F926999C1DAD7101C1DD5998F2AEF4DA1E4A1D
        SHA-256:A173045D9CAF716B8F42E764EBDA44A59618CDA5CFEA26CFBEEC57F506F783EE
        SHA-512:0481597F11BAB5DC4A1F9CCCDB7D901FC179DCA6EDC4FCCD8D80AF64476F9439C150C99359F8A5CE93E1EA2D73E48E83C31E2DD90CC7BC2D0FD1C97037A075D4
        Malicious:false
        Preview:%!..% Copyright (C) 1995, 1996 Aladdin Enterprises. All rights reserved.....% $Id: rollconv.ps,v 1.1 2000/03/09 08:40:40 lpd Exp $..% Utility program for converting Japanese fonts produced by Macromedia's..% Rollup program to Type 0 fonts suitable for use with Ghostscript...%..% Rollup produces the following files, where xxx is the font name:..%.xxx-H, xxx-SA, xxx-SB, xxx-SK, xxx-SR, xxx-UG..%.JIS83-1_COD..%.JIS83-1_CSA..% The _COD and _CSA files are large files containing the actual..% character outline data; they may theoretically be shared between..% multiple fonts...%..% rollconv.ps converts the above to files named:..%.fff.ps..%.fff.COD..%.fff.CSA..%.fff.CSR..% where fff is a font file name provided by the user at conversion time...% The fff.ps file is the actual font file to be loaded with `run'..% or placed in a Fontmap or a directory named by [GS_]FONTPATH;..% the other two files must be present at runtime in a directory that is..% on Ghostscript's search path (-I, GS_LIB, GS_
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (StandardSymL 001.005)
        Category:dropped
        Size (bytes):33709
        Entropy (8bit):7.814295551999415
        Encrypted:false
        SSDEEP:768:FAWLArA0s2nw7EDvDrPZU3sRGHhgjBNBqKjUa6e2G57EGO9:FAMArX7w7wvfRU6SgNNoKjn0yK
        MD5:B09D2E140B7E807D3A97058263AB6693
        SHA1:6D14EAF0CC924D680D4B711995173E420A47B52F
        SHA-256:2038021A7B6330936FEA8562232B48796968FC913C1FD952D29E23BB1FDC891E
        SHA-512:F365C217F8A4250C04CD9EB82D2A6A5E7419D69FEC9F9F03C49035352100337052779714BF0DA73AEDF116B9D9DF40FDC6797FAB2AEF0140F0DAAF91728E3E3A
        Malicious:false
        Preview:......%!PS-AdobeFont-1.0: StandardSymL 001.005.%%CreationDate: Thu Oct 21 1999.% Copyright URW Software, Copyright 1997 by URW.% URW Software, Copyright 1997 by URW.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (001.005) readonly def./Notice (URW Software, Copyright 1997 by URW. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or license applying to the document itself.) readonly def./Copyrigh
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3031
        Entropy (8bit):4.8680796849737185
        Encrypted:false
        SSDEEP:48:pnReQ6v6UilG8weIUHAU67lH1uqE1PQscSNwrDfyPl5czPPAW7ZnMwfzJ2vVQ:pn4pz4xbhQu/G/Nr7a5c7AWVkVQ
        MD5:4B2D137E9BA6982C11CA9DCBC09AF82A
        SHA1:6DBB1EE34DA55D858D0A5C54AA9A12C19724BC03
        SHA-256:79432CAF518A1E710EC1ED5B0AF5D5719F710A5B145B4C9E4CF5F522252EB74C
        SHA-512:BE5E0572208CEF07DB8BD13C8749266FE2EF6A10CCDBC874744D0FB979DE80039E4EAFDB2D74AB22D958E461A8430F518555DB742AA187705CEFB2B2B4826194
        Malicious:false
        Preview:% Copyright (C) 1993, 1994, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: showchar.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% showchar.ps..% Show the outline and rasterized forms of a character...../F where { pop } { /F /Times-Roman def } ifelse../P where { pop } { /P 16 def } ifelse../Rx where { pop } { /Rx 100 def } ifelse../Ry where { pop } { /Ry 100 def } ifelse../Cs
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):10
        Entropy (8bit):3.321928094887362
        Encrypted:false
        SSDEEP:3:lCAy:lCAy
        MD5:94260D40F25C108E7515036CFF35792C
        SHA1:FCFB5638C0BD4FBEC23D2D4C983C762D448D4749
        SHA-256:6E7C884D9F4A88C351E64CE194E0D607AC74A6C4D2AB6C80C8C767C0E7435998
        SHA-512:5076E3E0DD1E1A008A370294E14ADE3A619F6100AB23D803C49AA61673B06F91CA88C723C890AF0F0EF92919BF22E9E615091F022C320C94208703888029F578
        Malicious:false
        Preview:showpage..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):26538
        Entropy (8bit):4.608686274286342
        Encrypted:false
        SSDEEP:384:Ouu9kXNGv9depU4N3hpi0VY6TVwNqTUnJO0cmff:VikXK9YhhwBO0cmff
        MD5:B553D13D80B8643EE61A78F68A7C9ADA
        SHA1:8FE2E594B9FB711BA078CB89995A63228BDAC999
        SHA-256:B75680EFFAA8AD2E697EC2AE3E49870F09392E2FD76B1A647BF62AC45A1AF7BF
        SHA-512:C1EEBEC4D631302EFC3BE4F939DE3A9B9CF62530A2A736C3369DD8AB80AF39EDB996742D578A3D979ABF89D6FF6D32C53B736DC090E89BDD2D6CCA3DA6AC8B87
        Malicious:false
        Preview:% Copyright (C) 1995 Aladdin Enterprises. All rights reserved..% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: stcinfo.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% stcinfo.ps..% Epson Stylus-Color Printer-Driver....% The purpose of this file is to print & show Parameters of the ..% stcolor-driver. If not run on ghostscript/stcolor, it prints ..% something like a color-chart.....% use either existing STCinfo-dictionary, retrie
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5398
        Entropy (8bit):4.83904998228405
        Encrypted:false
        SSDEEP:96:9R4pzl9pv6JO6YHn10EZnQ/LKBYHLPSm2c4aaAl2eq:opyJ+7PgLP12c4aaA4L
        MD5:7E066FD802162EA3B56547249C13EF0B
        SHA1:8A3B083F13114C2BBA19304F026470903DD6FCA5
        SHA-256:756F491FDF446C7F1946428ED37BE119A939F4523D76CC3A491C1BADBACF4FB7
        SHA-512:E62AB2B72E1E1F2C209C9837058D1ABF39BEC47C7C9E117CC016EAF57979CABB061B98B97B3ADAE49B77D726FDAA88D102E85A02D15426CF630B9375B5D06430
        Malicious:false
        Preview:% Copyright (C) 1995 Aladdin Enterprises. All rights reserved..% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: stcolor.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% stcolor.ps..% Epson Stylus-Color Printer-Driver....% The purpose of this file is to configure the stcolor-printer driver....%..% It is useless and dangerous to interpret the following code with anything..% else than Ghostscript, so this condition is verified first.
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2711
        Entropy (8bit):4.87002836237044
        Encrypted:false
        SSDEEP:48:ysnReQ6v6Ui9MRQeNN8IW5blKtZG/OSEl5mmnJki:7n4pzjRN4P5wtcEvmuJki
        MD5:065ED7B9ADC6E7682577048E2E2BA812
        SHA1:A1A3DF21FE5B4D01F9CAFF580A589583C97D69C1
        SHA-256:BD4B54D60EC8C413311C163A8567050E25C9E30E5517ADABDF259CDA3A59BD29
        SHA-512:0E52E42CC302EA4D32A8B67CE87A58526A852C49BD7D54927931444E709C2A1BD7D36E7BA57C410D844F6F84999F08DB891F4F098D4FE93846450178FA2C5B35
        Malicious:false
        Preview:% Copyright (C) 1999, 2000 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: stocht.ps,v 1.3.6.1 2002/02/22 19:45:55 ray Exp $..% helper file to simplify use of Stochastic Halftone - uses ht_ccsto.ps....% This file sets the /StochasticDefault /Halftone as the current..% and the /Default halftoning, loading the Stochastic halftone..% if required.....% Stochastic halftoning is recommen
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1581
        Entropy (8bit):4.9224363706094865
        Encrypted:false
        SSDEEP:24:DOZZReQK8avvv6XDIQZZ6rj1r4KuHu1F6I5//mT8liY6snl2RcsM:anReQ6v6Ui6iKuHoPYYJnl2qn
        MD5:A453D5AC8BCC8BD4FD2179FDC083054D
        SHA1:76A84EBFD001DAE2FAFAF071341D9E74FB90D152
        SHA-256:2F39BF9FB1ACB15F83E97E487C8592BEA3F21E273517D3EEC8C161884EDB0709
        SHA-512:728A8B89A89003973EB295E930371C86F46456C01BF9DE825B45F11B8022DDA3D921CA742A31A76A49FCF4D7D97843EDC155212C7814493B955DE4D8A99F5C37
        Malicious:false
        Preview:% Copyright (C) 1994 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: traceimg.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% traceimg.ps..% Trace the data supplied to the 'image' operator.....% This code currently handles only the (Level 2) dictionary form of image,..% with a single data source and 8-bit pixels...../traceimage...% <dict> traceimage -.. { currentcolorspace == (s
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2823
        Entropy (8bit):4.807242993002377
        Encrypted:false
        SSDEEP:48:lnReQ6v6UiIuaJe4B1DOZ0Aybkofo2+JKYlZequ/eRq2bdy1:ln4pzLuae4bKZ0Ayb/o2JYlZeqges2bk
        MD5:D190B747914A022E0823FB0F947CC505
        SHA1:BBA7982D09338787CA223418119F6C8DA4BF662C
        SHA-256:0E36AE33FA1889EEA20FF835DB45EE15974554412DE430187382CA5AD05C6B39
        SHA-512:1F48A87961649F46A20E05F9B48B4271FB9DD48E58B6CDF739229F26F3AFE4D898D2FA42FD17B7BD7701B2FFA2F3B49E80A56F258ACEC771F531CBB2FAAE8987
        Malicious:false
        Preview:% Copyright (C) 1992, 1993, 1994, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: traceop.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Trace individual operators or procedures...% <opref> is <opname> or <opname> <dict>..% (dict defaults to dict where op is currently defined, if writable;..% otherwise uses userdict)..% <opref> traceop prints vmem usage before;..% <opref>
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2607
        Entropy (8bit):4.9933539041964226
        Encrypted:false
        SSDEEP:48:+nReQ6v6Ui9KybAwqZ+ioqdo7y1dbu2YEYjW+Fdh0s72AQA9zEt/B7LjiA3tas:+n4pzs/bAwtioqO7yz62+W+FdHyA19St
        MD5:892AC9900D1C4C4477F3CE56F592C371
        SHA1:14F35590F986D159D2C195557AAEE578FA45738D
        SHA-256:C1E8641B157CB11F029FEE536BEC17F22C0262F9BCBB2BF3C9186645AEE8ED28
        SHA-512:3AF1C336A6A6FEF919D2DC3421301270DA82C35F6AE0EE0987278925540A32B2F0E29157E0B62A23BE27BD792F1D8B1FF9D7EBB8A392DC36027E7A0DFDED128D
        Malicious:false
        Preview:% Copyright (C) 1992, 1993 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: type1enc.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% type1enc.ps..% PostScript language versions of the Type 1 encryption/decryption algorithms.....% This file is normally not needed with Ghostscript, since Ghostscript..% implements these algorithms in C. For the specifications, see Chapter 7 of..% "Adobe
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):7819
        Entropy (8bit):4.921161402378843
        Encrypted:false
        SSDEEP:96:1n4pz4AMnKueU0PbbKJjsUfmq3WrMmgJ5PnJv5Dngw1fNId:DAusBPbbKAU+JAmgJ5Ph5Dngw1fKd
        MD5:EC9B16180C9E8D8C1511634CFF49CE00
        SHA1:26B9FF02FB9CC5B01DFE526CEE0DF7D236B51DED
        SHA-256:49968B8CFDABA7C6B6B705FB34C0AFBC956A37AA4193CF02E6BF029C0D831E60
        SHA-512:33D561E10F9C559B49990850523A0677F5956D416048E75D3D35BFD80C0DCE5A5F319BAB66C521FBA163386F610EAFD0667CD72B8C50F916C8F53604A4C8A7FF
        Malicious:false
        Preview:% Copyright (C) 1992, 1997, 1998, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: type1ops.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% type1ops.ps..% Define the Type 1 and Type 2 font opcodes for use by Ghostscript utilities.....% Define the default value of lenIV...% Note that this expects the current font to be on the dictionary stack...../lenIV { FontType 2 eq { -1 } { 4
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):6362
        Entropy (8bit):4.34435730988909
        Encrypted:false
        SSDEEP:96:yR4pze+TJyHvv+nm4nyHPjBgUSwXmRJOIU+XKsjRR+7SPS+:seyPv+nbnyHPdgrwqlLaYRgSPS+
        MD5:52D440D46AD26AF8F5612874C113FF48
        SHA1:5839F20214C48D5CEDE454DF6481DA04D7AD36BF
        SHA-256:17A6FF2C630BFD8841B982E46AB1C7D1F5F681DDB6C335DD02BE9491521E6A20
        SHA-512:93E4EBFCD26BDA3FD9B390911499EE19DD657379F2DABAA1859475AC4F7D2B6121426F9D11394978D06721E2DAC17C696B5335C7AFD31E937746DF0876E3D63E
        Malicious:false
        Preview:%!..% Copyright (C) 1997 Aladdin Enterprises. All rights reserved..% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: uninfo.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% uninfo.ps: Utilities for "printing" PostScript items, especially dictionaries..% Usage:..% (prefix-string) dict unprint....% Maximum Print-Width../HSpwidth 80 def....% any HScvs string../HScvs {..% Number-Syntax.. dup type % stack: any /anytype.. dup /integer
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1977
        Entropy (8bit):4.834976101724304
        Encrypted:false
        SSDEEP:48:vnReQ6v6UiIGBkylnCVwBJold7EQjflB5KDVNG:vn4pzdL6C6B+ld7EQZB5UVNG
        MD5:FF0CC9F70A35CC3AE3EBC9951BBBE23E
        SHA1:4EFE04FDB92B1B694BBD13C6AB671F4F70A7D6E7
        SHA-256:38A65512EB13351D01FE6554DBA04B3BA26E5CF70344AF0A076DE6A606ACF4F6
        SHA-512:9BFA44D7F5A3B647FCEE264001FF1BF74498F6ABAE2F5CB708FF1BCFD5E27ECFB1C63D86583240168219729352BB0E806E1E1C277BEC2B09A9FC10C5838644B4
        Malicious:false
        Preview:% Copyright (C) 1991, 1992, 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: unprot.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Disable all access checks. This is useful for printing out..% eexec-encrypted Type 1 fonts, and similar purposes.....systemdict wcheck.. { /protdict systemdict def.. }.. { (Please restart Ghostscript with the -dWRITESYSTEMDICT switch.\n) print.. (
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2187
        Entropy (8bit):5.005482959113408
        Encrypted:false
        SSDEEP:48:RnReQ6v6UiBZh3edYPn6s6yY0InGVhsTYClH:Rn4pzEfeePn6s6lH
        MD5:04DB2BED89F0B8723F59D9B4DBD07495
        SHA1:D0BDD28CCD87B1A91F3ED057BA0155E32A7BE4FA
        SHA-256:A91A48EA5ADD946EA21D58B93B1299519A80DA78551A1EB813875672F2950C67
        SHA-512:D4246E3AC90EA95B1A399C7E01D987E9FFEEE67B98EE2083F93FB84B9B51C59C613332DCE419473154090D58ADDBF600A00344335AD4C02C74BA98E3827F18C9
        Malicious:false
        Preview:% Copyright (C) 1996, 1997, 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewcmyk.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% viewcmyk.ps..% Display a raw CMYK file...% Requires the colorimage operator...% If SCALE is defined, maps input pixels to output pixels with that scale;..% if SCALE is undefined, scales the image to fit the page...% If BITS is defined, it is t
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4731
        Entropy (8bit):4.86384072413011
        Encrypted:false
        SSDEEP:96:En4pzS638TfZ868kjrTludGLPkHHLdyfnz26:K63efZAkrlucDMdyfz1
        MD5:B2B018622CAE013F6A17F8C3090200A0
        SHA1:EE967B7330B13F6836070D30A5E7814635D1673A
        SHA-256:B86D6AE234E39A0C3306E7FB169CE32FE3DD0EC4582EDD1AB53FEA356F713B70
        SHA-512:4102ABF0F31BDE5E23373DA1C327EAF63BCB82BB91B7F4EF820393F878244E139D3B3CA6A96428F7286EFB9E5D55BAB00113A6B5A39E563E1D75F207B7D5AD0D
        Malicious:false
        Preview:% Copyright (C) 1989, 1992, 1993, 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewgif.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% viewgif.ps..% Display a GIF file...../read1...% <file> read1 <int>.. { read pop.. } bind def../read2...% <file> read2 <int>.. { dup read1 exch read1 8 bitshift add.. } bind def..../readGIFheader..% <file> readGIFheader <dict>.. { 20 dict begin
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):4807
        Entropy (8bit):5.023577159753092
        Encrypted:false
        SSDEEP:96:94pzdGyuzxfBE2kpMS3fjcwEmFFpoPQ1r9PExFakcX5s:2uN6jpDfjJCP28oG
        MD5:FA4DE113409A5C60C645FD26C53D3AF3
        SHA1:1F4B211A4C22700F4DD0B86080F393980FABA857
        SHA-256:7439F6646CC66960E97BAADEE5B57B730CB26B2AE1BD41362E0D108A48379149
        SHA-512:67E7E16BB3F5C6B8E888FA2EBF74AF2BDFCAACAE36498B52595C158B5BA2E2B8F7333E2B75914713AF40B2E6A9D1C2DCA06B1200583763E1AD6EA2162C55EA62
        Malicious:false
        Preview:%! viewjpeg.ps Copyright (C) 1994 Thomas Merz <tm@pdflib.com>..%..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewjpeg.ps,v 1.1.6.2 2002/02/22 19:45:55 ray Exp $..% View JPEG files with Ghostscript..%..% This PostScript code relies on level 2 features...%..% Only JPEG baseline, extended sequential, and progressive files..% are supported. Note that Adobe PostScript level 2 does not include..% progressive-JPEG support. Ghosts
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3908
        Entropy (8bit):4.884273547361753
        Encrypted:false
        SSDEEP:48:+nReQ6v6UizqzwgX0gA/BBA6DyCnKAdHNaRQudAsVR85m2L2dvNJE0BCsF6757r0:+n4pziGTIcuHN+dVKL2dvNJzCsFc5v0
        MD5:D0940215243ED539FCDC421975C88B5C
        SHA1:CCFF001C18EDE9A4A86A4B9B53D7307855F1A343
        SHA-256:9379C3EE109FAC73A5832169DFEF8E3DE994798F103EB3A978F0C087A7CCE9DC
        SHA-512:DB715C57BA11B8E5F814E57EAD83F1EF89093918D0B273EC96983788D9F4629B30522741B3352842F313758BEEB7580871DD4F283F17EE4D99A93D97EC3CC336
        Malicious:false
        Preview:% Copyright (C) 1998 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewmiff.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% viewmiff.ps..% Display a MIFF file. You would think the 'display' command would do this,..% but many versions of 'display' either core-dump or require unacceptably..% large amounts of memory.....% Recognize MIFF keywords.../miffwords mark.. /class { cvn /cla
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):5502
        Entropy (8bit):4.865382203434436
        Encrypted:false
        SSDEEP:48:qNnReQ6v6Uic2NRsed9+E6ptxaYjaGg2dphfXXJSZXKWyCCYh/XJSzuXKWMzRb3J:qNn4pzzzeCEKxbcEDXiJFib337xOxC8E
        MD5:574F44F0C5FE5593910C91465DB369D4
        SHA1:1B404807E70A2985FDD138DDE534162306968FE2
        SHA-256:B0571DAC25135E9240DB8586F355BE5B834584E99CB1C705455938FE43DBA0D1
        SHA-512:088FC2F55E9336910815A994A124529B77E1213DA5C8D01E561BAF446AF3F860EA2492B04C35389B070D17A4142374899178123EB6145149F25B9AEFAB1836CE
        Malicious:false
        Preview:% Copyright (C) 1992, 1995, 1996, 1998, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewpbm.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% viewpbm.ps..% Display a PBM/PGM/PPM file...% Requires the Level 2 `image' operator (to handle variable pixel widths)...% If SCALE is defined, maps input pixels to output pixels with that scale;..% if SCALE is undefined, scales the i
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4506
        Entropy (8bit):4.780091161797565
        Encrypted:false
        SSDEEP:48:YnReQ6v6UiGsKRsedFdj2GTNk9C6Myj/3JIwOcOHZsAlTpIqrOQhlCGgQPD:Yn4pzZge4GTYC6Jj/3GrSQaxQPD
        MD5:089BF70CCF8B7E01E1461D83A6143E73
        SHA1:F272AE3C361A9D7E9962F8A40EBE10D7B7759F92
        SHA-256:1F4806415DDA4C1158E7D57A868489020291FB8AE5CF12053A4AD56DB1221052
        SHA-512:0D950FA8D1998375DA6B975D1C1A65B0A64403779E96BFFEF777AFEF54E3551FFEF1E8398FC4DDB3B2973EECAE725696AEA5D034EFEF7626715B297EE5692026
        Malicious:false
        Preview:% Copyright (C) 1996, 1999 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewpcx.ps,v 1.2.6.2 2002/04/02 13:57:27 mpsuzuki Exp $..% viewpcx.ps..% Display a PCX file...% Requires the Level 2 `image' operator (to handle variable pixel widths)...% If SCALE is defined, maps input pixels to output pixels with that scale;..% if SCALE is undefined, scales the image to fit the page...% *
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):4.901708545005114
        Encrypted:false
        SSDEEP:24:MOZZReQK8avvv6XDIQZZ6UdkxB0OviLlzTWzHidFo2ta5T:dnReQ6v6Uilexz6OriYNT
        MD5:570A57CDDD4B7575A61498963BD09738
        SHA1:8C7265BE826114E3FD90149EC882CAFF38E2FDAE
        SHA-256:8E6CEB3917D5FE11715277A08AA93A223F5AEA0ADA44BAFA35302C359D82B646
        SHA-512:628E4D3B26541B0EF5777DA4F2AE869144B60E95AE264D83483325855117B88BED5B44217557A1FB3C90A61B589AFEA9CB9D40CDA26BD7B8A02CFEFA6F112545
        Malicious:false
        Preview:% Copyright (C) 1995 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: viewps2a.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% Display a file produced by ps2ascii with no switch or with -dCOMPLEX...% This is just a procset to read in before the file to display...../init { 0.1 0.1 scale } bind def..init../next { currentfile token pop } bind def../F { next next pop next exch selectfont
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):9230
        Entropy (8bit):4.985464986669174
        Encrypted:false
        SSDEEP:192:+1LtUgaAXCrYXxVKaEG8NNOk1hI2aiYmgbcqh5vi98bUx:+5tUQCrYX2CENP1hI2ai/qh5vi9
        MD5:E3E973E717DF2B173FC0413AB35910CF
        SHA1:900E00A46E52A52FBEEA39574CC35DFF1A92908A
        SHA-256:FAD162A31B2078FB780A489925EFF8643B6A7C9EA82B3BA7D1690388615690E7
        SHA-512:6CE6BF23D7122419C33EC7A8980F5FB2AC7CC4BEF400C87733934B6395449A2C9DC43047FC24722F023A87D2CDF00FF410344D83B56B0096EDD5FBF9BB889D66
        Malicious:false
        Preview:% Copyright (C) 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: wftopfa.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% wftopfa.ps..% Convert a Wadalab base font to .PFA (or .PFB) format.....(gs_ksb_e.ps) runlibfile..(wrfont.ps) runlibfile..../wftopfa_dict 100 dict def..wftopfa_dict begin..../KanjiSubEncoding dup .findencoding def....% Initialize parameters.../init...% - i
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3855
        Entropy (8bit):4.947065389436496
        Encrypted:false
        SSDEEP:96:fn4pzGoG5UdWxbWWSWLvWh0oONt7A0xog5jZKAV+4kZh78eo8hi:doIPJv4EEwXXVuGZ
        MD5:25A80232AE3554221232AED5570955F7
        SHA1:F176AA726920B9F85C015442B546A71E2C53B825
        SHA-256:94CDAD0783509A60C1D9D1637F81318F078B16EC6BAF7E28D1153686E7A79B7B
        SHA-512:10D605EAB7D17511D40C7FCBA2A53A7DA7F73800FA17A2D43F5EEA0D56B3DC97AD4EF2C537824672C486E7420029CCAADE020734E49D0C4744180869329386CE
        Malicious:false
        Preview:% Copyright (C) 1993 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: winmaps.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% winmaps.ps - make maps between PostScript encodings and Windows..% character sets.....% Define the two Windows encodings...../ANSIEncoding.. ISOLatin1Encoding 256 array copy.. dup 16#90 /.notdef put.. 16#93 1 16#9f { 2 copy /.notdef put pop } for..def..../OE
        Process:C:\Windows\System32\msiexec.exe
        File Type:assembler source, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):18743
        Entropy (8bit):4.747829110731365
        Encrypted:false
        SSDEEP:192:rsHw6JiVuoJEZpMXvaWDno+ozmubXFFg0/WcxJKSbJ/Qj+sU8M8P49mUZrnqw3v9:rG7ezeyXCso+ozmubdhjQ+sH4HjVOWZ
        MD5:C1D5733B2D1313DDA96F7C2A7DD5E67B
        SHA1:6F82131C463242377DAD6AE3B38F06681311224C
        SHA-256:D5327F0FA97823C747D40C2F69FC42223136537D1D593C94BB7C2274EA37F2E5
        SHA-512:3BF1E8B7213FEACC5D65F40C51A0A38DB7FEFC8E7B8979735B6A77BE2785FE55BEA6015257552C99C1A36D6864254E5CD17F891816CE56D12968CEC3619FA175
        Malicious:false
        Preview:% Copyright (C) 1991, 1995, 1996 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: wrfont.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% wrfont.ps..% Write out a Type 1 font in readable, reloadable form...% Note that this does NOT work on protected fonts, such as Adobe fonts..% (unless you have loaded unprot.ps first, in which case you may be..% violating the Adobe license).....% ****
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript Type 1 font program data (URWChanceryL-MediItal 1.05)
        Category:dropped
        Size (bytes):49289
        Entropy (8bit):7.976163684881641
        Encrypted:false
        SSDEEP:1536:BLkA9WAuiPrUQeTqejs7p1CUwt+zudIjHqmOqBzxltkrA2Ro4N:SDPQLus7p1C7QH1Zo5oK
        MD5:ED75F97B75BE34140E9D251DD8E641AF
        SHA1:CEEEBBFD73AA771BC4E52117E7D5B1D23E470552
        SHA-256:12A874C6C20887D5A64C569EBD58F02907A63C36906485EC376DC6223F859F01
        SHA-512:F97137E34F01455EC1D35EDC17FAB1FDD7A1781B4E52589101016030B639538C9EA0DB2A5180E5F32591880479ACFB5B1CB885FCDA491713299AD6F582ED0A3D
        Malicious:false
        Preview:..r...%!PS-AdobeFont-1.0: URWChanceryL-MediItal 1.05.%%CreationDate: Wed Dec 22 1999.% Copyright (URW)++,Copyright 1999 by (URW)++ Design & Development.% (URW)++,Copyright 1999 by (URW)++ Design & Development.% See the file COPYING (GNU General Public License) for license conditions..% As a special exception, permission is granted to include this font.% program in a Postscript or PDF file that consists of a document that.% contains text to be displayed or printed using this font, regardless.% of the conditions or license applying to the document itself..12 dict begin./FontInfo 10 dict dup begin./version (1.05) readonly def./Notice ((URW)++,Copyright 1999 by (URW)++ Design & Development. See the file COPYING (GNU General Public License) for license conditions. As a special exception, permission is granted to include this font program in a Postscript or PDF file that consists of a document that contains text to be displayed or printed using this font, regardless of the conditions or lice
        Process:C:\Windows\System32\msiexec.exe
        File Type:PostScript document text
        Category:dropped
        Size (bytes):2569
        Entropy (8bit):4.767566308502387
        Encrypted:false
        SSDEEP:48:5nReQ6v6UiOEaBepIzm00ryDE8XjdwL2ujRuavnW1XRUvvPvrNddW0mFo030J4L:5n4pzTEakazmSfXjK1j4avqXevvPvJqT
        MD5:0897239837DAD9ED6CE5FB31AD35585B
        SHA1:E10D65492912BAEA14150E8BCAE7728245A807DE
        SHA-256:B56E9973FE817F0F8936627C09C5349C3E95D56D2B59926E2E9D3169BAB641FD
        SHA-512:6ADA0AE7FA51DEDCB402B8FBCBBF394AE3ECBA68803874CBEE6407C45EF70FA31821E70EADB064A35D88B45CF05FDA28F702E74C0FA0EAED87DEF37EB1C10F30
        Malicious:false
        Preview:%!..% Copyright (C) 1994 Aladdin Enterprises. All rights reserved...% ..% This software is provided AS-IS with no warranty, either express or..% implied...% ..% This software is distributed under license and may not be copied,..% modified or distributed except as expressly authorized under the terms..% of the license contained in the file LICENSE in this distribution...% ..% For more information about licensing, please refer to..% http://www.ghostscript.com/licensing/. For information on..% commercial licensing, go to http://www.artifex.com/licensing/ or..% contact Artifex Software, Inc., 101 Lucas Valley Road #110,..% San Rafael, CA 94903, U.S.A., +1(415)492-9861.....% $Id: zeroline.ps,v 1.2.6.1 2002/02/22 19:45:55 ray Exp $..% zeroline.ps..% Test file to determine how other PostScript implementations handle..% filling zero-width lines under a variety of conditions.....% Add a small "fan" of zero-width lines at different angles to the path.../fan.. { currentpoint 100 0 rlineto..
        Process:C:\Windows\System32\msiexec.exe
        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
        Category:dropped
        Size (bytes):3071
        Entropy (8bit):5.081988062489479
        Encrypted:false
        SSDEEP:48:/4jIHi2KH23D7yoc9NtIK29felJQy0gRsnBthtqt7tJtVtptIt7tRPrjFh:/ll7yjSK8fypRs5PfFh
        MD5:EE340E080FF70680B56B07FF3A429C81
        SHA1:D2CE7ECA73FC9B3D6188226B2225EE84707C8ABB
        SHA-256:40920FA32DF47A30D23B333850DA7FBA0B4CE15A31761E1280837C182F4AF785
        SHA-512:755F6A403D76FDB07D7512183C56F9757DA9AF1D93F7A1F8FD13883BF31F851A9C62643E8BAAF2E6F72463AF3FF6FC244B6A79FD15AB87E87AF72345E01B9AD1
        Malicious:false
        Preview:{\rtf1\ansi\ansicpg1252\uc1 \deff0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f16\froman\fcharset238\fprq2 Times New Roman CE;}{\f17\froman\fcharset204\fprq2 Times New Roman Cyr;}..{\f19\froman\fcharset161\fprq2 Times New Roman Greek;}{\f20\froman\fcharset162\fprq2 Times New Roman Tur;}{\f21\froman\fcharset186\fprq2 Times New Roman Baltic;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;..\red0\green255\blue0;\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;..\red128\green128\blue128;\red192\green192\blue192;}{\stylesheet{\nowidctlpar\widctlpar\adjustright \fs20\cgrid \snext0 Normal;}{\*\cs10 \additive Default Paragraph Font;}{\s15\li360\ri360\sb144\nowidctlpar\widctlpar\adjustright \fs20 \sbasedon0 \snext15 ..Body text
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2706
        Entropy (8bit):4.103135755483673
        Encrypted:false
        SSDEEP:48:UEfLWhhXbGK7vN/KFo626JEfLWhhXbGK7vN/KFo626OEfLWhhXbGK7vN/KFo626v:GhoJhoWhogKDOw
        MD5:0A40F76BEB0D125D959C1D4816CF5E39
        SHA1:EDE60F89789CADE677D5397B46465BEFBC0183AB
        SHA-256:649756A5BE342D2B8902257F3A09BA612203E91D2FB8FB36E416F5B8B07035FA
        SHA-512:7FC103F4F959F8A6987CE9BD23453F72D643EB1DD9C42F86D47E5CB8233C7E2633B77D804A2B9647B237B49C453B0D7B7321E8B0E6147F73BEED24AC75863041
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=255,255,255..Color2=247,247,247..Color3=239,239,239..Color4=231,231,231..Color5=223,223,223..Color6=215,215,215..Color7=207,207,207..Color8=199,199,199..Color9=191,191,191..Color10=183,183,183..Color11=175,175,175..Color12=167,167,167..Color13=159,159,159..Color14=151,151,151..Color15=143,143,143..Color16=135,135,135..Color17=127,127,127..Color18=119,119,119..Color19=111,111,111..Color20=103,103,103..Color21=95,95,95..Color22=87,87,87..Color23=79,79,79..Color24=71,71,71..Color25=63,63,63..Color26=55,55,55..Color27=47,47,47..Color28=39,39,39..Color29=31,31,31..Color30=23,23,23..Color31=15,15,15..Color32=7,7,7....[LINE_COLOR_RGB]..Color1=255,255,255..Color2=247,247,247..Color3=239,239,239..Color4=231,231,231..Color5=223,223,223..Color6=215,215,215..Color7=207,207,207..Color8=199,199,199..Color9=191,191,191..Color10=183,183,183..Color11=175,175,175..Color12=167,167,167..Color13=159,159,159..Color14=151,151,151..Color15=143,143,143..Color16=135,135,135..Color17=1
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2706
        Entropy (8bit):4.103135755483673
        Encrypted:false
        SSDEEP:48:UqfBhKoDNN0lfTVL1wS9QQUqfBhKoDNN0lfTVL1wS9QQlqfBhKoDNN0lfTVL1wSA:CKPjVKPjsKPjOBDfXq
        MD5:0513C0D313AB1A217F40F22444E1FD63
        SHA1:AEFA079DA965635E9ED4F47CCA21DF253C0BD473
        SHA-256:E1D3F957627FDD5E7DAD9D5B4BCFD6BE3839034A86F35BB84F8917975AA29231
        SHA-512:23CDD979D8E068E91249E27FB7EDA0B711D3A50823BEF4425D5E47163B094D7FD827FEC4CC3BFC042EEADB9B150770AC31ED32A1DF131F5486BDA1EC0D863801
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color32=255,255,255..Color31=247,247,247..Color30=239,239,239..Color29=231,231,231..Color28=223,223,223..Color27=215,215,215..Color26=207,207,207..Color25=199,199,199..Color24=191,191,191..Color23=183,183,183..Color22=175,175,175..Color21=167,167,167..Color20=159,159,159..Color19=151,151,151..Color18=143,143,143..Color17=135,135,135..Color16=127,127,127..Color15=119,119,119..Color14=111,111,111..Color13=103,103,103..Color12=95,95,95..Color11=87,87,87..Color10=79,79,79..Color9=71,71,71..Color8=63,63,63..Color7=55,55,55..Color6=47,47,47..Color5=39,39,39..Color4=31,31,31..Color3=23,23,23..Color2=15,15,15..Color1=7,7,7....[LINE_COLOR_RGB]..Color32=255,255,255..Color31=247,247,247..Color30=239,239,239..Color29=231,231,231..Color28=223,223,223..Color27=215,215,215..Color26=207,207,207..Color25=199,199,199..Color24=191,191,191..Color23=183,183,183..Color22=175,175,175..Color21=167,167,167..Color20=159,159,159..Color19=151,151,151..Color18=143,143,143..Color17=135,135,135..
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):1703936
        Entropy (8bit):6.829944201654569
        Encrypted:false
        SSDEEP:24576:xMZOjtk2i4xOQ6cX25aEbU746iIlR5DV+p6iH2AwPotr9TllqyCr748sibfIU:xkLEU486iMDV+qAwS1lejl
        MD5:84637D0DDEF17005967A8E0856E99A75
        SHA1:A23252D7D7393DAD00587862A83D9C35467E2B3E
        SHA-256:9E99A5763796015D46914D279EB823F318D94E0EBD1BB5515A8133C703A8979D
        SHA-512:52151B62D203C9F0068AAA7260D3D1CB55FDAB381EA19C02C913D2249FC815E3960B84D02D443D96F08C1AB9EDD9BF6950E054FD326D8F8D109EE873D81BC792
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9=.XS..XS..XS.p{J..XS..XR..YS.p{...XS.P{O.EXS.p{l..XS..{...XS.P{N..YS.p{n..XS.Rich.XS.........PE..L.....m=...........!.........`......]+.............p................................]................................D..CN......x....p...........................t..L...8.......................................|.......0............................text.............................. ..`.data...l...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...t..........................@..B(.m=8...(.m=E...(.m=O...'.m=Z...".m=d...(.m=n...........KERNEL32.dll.NTDLL.DLL.USER32.dll.GDI32.dll.ole32.dll.ADVAPI32.dll..............................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2548
        Entropy (8bit):3.990601186590089
        Encrypted:false
        SSDEEP:48:UwLKP4q6cZAbLrQFyHAd2i5eRL4wLKP4q6cZAbLrQFyHAd2i5eRLRwLKP4q6cZAk:S4lP6Wq4lP6W34lP6W/NsBJKKy4
        MD5:3516A761563EAEB5AE36576C629DC64D
        SHA1:15ADEE42A6AEE8562014B8EE44F6EBAECF858B01
        SHA-256:E99F35CDE1A6F83FECF4F11FF4E3F47EA3DEC0B1B110F82B2397BFB248F35235
        SHA-512:27A14E1AA97BCE72645F389250D13D31A7D634BAE610A24E9D0447125C48CB18FA17A7F9E4615FE3769BE2B124FC5947AEEEB7CA12C28B6F37AC4261052FF3DF
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=0,255,255..Color2=0,255,224..Color3=0,255,192..Color4=0,255,160..Color5=0,255,128..Color6=0,255,96..Color7=0,255,64..Color8=0,255,32..Color9=0,255,0..Color10=32,255,0..Color11=64,255,0..Color12=96,255,0..Color13=128,255,0..Color14=160,255,0..Color15=191,255,0..Color16=223,255,0..Color17=255,255,0..Color18=255,240,0..Color19=255,224,0..Color20=255,208,0..Color21=255,192,0..Color22=255,176,0..Color23=255,160,0..Color24=255,144,0..Color25=255,128,0..Color26=255,112,0..Color27=255,96,0..Color28=255,80,0..Color29=255,64,0..Color30=255,48,0..Color31=255,32,0..Color32=255,0,0....[LINE_COLOR_RGB]..Color1=0,255,255..Color2=0,255,224..Color3=0,255,192..Color4=0,255,160..Color5=0,255,128..Color6=0,255,96..Color7=0,255,64..Color8=0,255,32..Color9=0,255,0..Color10=32,255,0..Color11=64,255,0..Color12=96,255,0..Color13=128,255,0..Color14=160,255,0..Color15=191,255,0..Color16=223,255,0..Color17=255,255,0..Color18=255,240,0..Color19=255,224,0..Color20=255,208,0..Color21=255,1
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2548
        Entropy (8bit):3.990601186590089
        Encrypted:false
        SSDEEP:48:Um4gqAi6m2+XGLw0ec1yDMone59Ym4gqAi6m2+XGLw0ec1yDMone59xm4gqAi6mt:4a//Ya//Xa//nrpWDCO
        MD5:F828AE52B60C7A38229151DA8BD8FAD1
        SHA1:6B0DEC42155A99A8C75BF898DCFBC7876B1FB337
        SHA-256:080E6E21C12BD125AEE0CCAAF162943F2AE63F7AD30BFB10D0404E8E09840247
        SHA-512:3B35F967490DB27F9F9D8F41C74CE349EC49089549BAE626E1202924B46BE92340BF5B61ACCD63ECA4537616F3A711097BC2194E98A9DD4530E31E94FA029E6A
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color32=0,255,255..Color31=0,255,224..Color30=0,255,192..Color29=0,255,160..Color28=0,255,128..Color27=0,255,96..Color26=0,255,64..Color25=0,255,32..Color24=0,255,0..Color23=32,255,0..Color22=64,255,0..Color21=96,255,0..Color20=128,255,0..Color19=160,255,0..Color18=191,255,0..Color17=223,255,0..Color16=255,255,0..Color15=255,240,0..Color14=255,224,0..Color13=255,208,0..Color12=255,192,0..Color11=255,176,0..Color10=255,160,0..Color9=255,144,0..Color8=255,128,0..Color7=255,112,0..Color6=255,96,0..Color5=255,80,0..Color4=255,64,0..Color3=255,48,0..Color2=255,32,0..Color1=255,0,0....[LINE_COLOR_RGB]..Color32=0,255,255..Color31=0,255,224..Color30=0,255,192..Color29=0,255,160..Color28=0,255,128..Color27=0,255,96..Color26=0,255,64..Color25=0,255,32..Color24=0,255,0..Color23=32,255,0..Color22=64,255,0..Color21=96,255,0..Color20=128,255,0..Color19=160,255,0..Color18=191,255,0..Color17=223,255,0..Color16=255,255,0..Color15=255,240,0..Color14=255,224,0..Color13=255,208,0..Colo
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):229376
        Entropy (8bit):6.197259246004463
        Encrypted:false
        SSDEEP:6144:P1ksHzzW+wpfbqOay5PPPgxwBvozzW+wpfP1CayC8c0nxwaYubRvKgj+72MX024m:P1Xe7BX0N4V
        MD5:AEE180154B6C0A64DB80E8824B9DED9A
        SHA1:D5FD84D2188899098BF41B4548F208DCABDC68C8
        SHA-256:FFBF949FA6D9A6DBA4025C325659D904827E47D4F4024D329A142010BEBD5DF6
        SHA-512:867A5C66003ABB088311CEBA45BD1A5A527B3E70516AA3B5A280BEB2D591C40ED94C618E68CCAC9F59D55BDDB9605A9E3BEEAF7C897C0ECA9180ED356AE2D139
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e,IG.B.G.B.G.B.....@.B.....R.B.G.C...B.`.?.].B.`./...B.`.,...B.`.0.C.B.`.>.F.B.`.:.F.B.RichG.B.........................PE..L...d..J.................p..........-Z............@..................................<...............................................p...I..............................................................@.......................@....................text...ef.......p.................. ..`.rdata.............................@..@.data....Z....... ..................@....rsrc....I...p...P...0..............@..@........................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):864
        Entropy (8bit):5.217285101200266
        Encrypted:false
        SSDEEP:24:eqMH9up89XSnaBHJA6pnIkpklVSlRxavHMk/nMRufd:q9up89XSaZK6WK3xWB
        MD5:C5AA52E0624020FFD3FC2A6896E3BA8F
        SHA1:532A15AA2A9193FCF164DF25CEF377795A33188A
        SHA-256:DFD9BBDCED3D4027958A35492815CCE25171C3A5EFA8DB4822931257C16B57B8
        SHA-512:CA70A56F0C145327351D3CD83362C627E99981016626951B8BC0278DA1C8DAD78FC5529E554CC4DAA01A192A1C4E539C4E0EE36C920C716AD3A1ECFC18058CBD
        Malicious:false
        Preview://Lesson10A example..//How to use intermediate variables and multiple varaibles..//In this model M0,M1,and M2 are three intermediate variables..//PSI-Plot supports up to 30 intermediate varaibles..//In ths model, there are 4 independent variables..//PSI-Plot also support up to 30 dependent varaiables..//Of course, each dependent variable should has its own equation....[INDVAR]: X1, X2, X3, X4..[DEPVAR]:Y,Y2..[PARAMS]: A1, A2, A3, A4, A12, A13, A14, A23, A24, A34, A123, A124, A134, A234,P1,P2..[EQUATIONS]:..M0=A1*X1+A2*X2+A3*X3+A4*X4..M1=A12*X1*X2+A13*X1*X3+A14*X1*X4+A23*X2*X3+A24*X2*X4+A34*X3*X4..M2=A123*X1*X2*X3+A124*X1*X2*X4+A134*X1*X3*X4+A234*X2*X3*X4..Y=EXP(M0+M1+M2)..Y2=P1+P2*X1....[INIT PARAMS]:..A1= -.5..A2= -.5..A3= -.5..A4= -.5..A12= 0..A13= 0..A14= 0..A23= 0..A24= 0..A34= 0..A123 = 0..A124 = 0..A134 = 0..A234 = 0..P1=1..P2=2....ENDMODEL.... .
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):2027
        Entropy (8bit):3.9617820970052273
        Encrypted:false
        SSDEEP:48:vjsgUb/xCDklxJk7Ky9J/5rW2YWltwgBRJ:vYgUoDkp0J/1W2YWXN7
        MD5:81E576516790869CC211B287D36586B5
        SHA1:AA32002F43CFB0B4FA0A154BE6546D7F680199D7
        SHA-256:D64D08ADFCD2D90D6C91DFD501BA02853F99A4ADE7B42B58DFE92F568F65FE5D
        SHA-512:571DDCA92C951122190B30D709C59D1A1A3CF0D968119697E6630B3AD08DA806C817C3B31155233EC8B1084D371A787D8DF19C5ACFABDAAFC1DA33E01FE8BDF6
        Malicious:false
        Preview:.".PSI-Plot8.0Windows.........................X1.........B...........Q.....?............(\..?.........333333.?.........=..p=.?..............N.?................?..............<.?................?................?................?................?................?................?................?..............c.?.............@..?................?..............T.?.........X2.........B.................?.........{..G.z.?................?.........333333.?................?................?...............?................?................?..............i.?................?..............8.?................?................?..............e.?................?..............H.?................?.........X3.........B.................?..........Q.....?.........ffffff.?.........333333.?..............i.?................?................?...............?..............g.?.............@h.?................?................?................?................?................?.............@z.?.............
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):718
        Entropy (8bit):5.056161366584627
        Encrypted:false
        SSDEEP:12:e8DrE9I2jHXOLsTNBpZsYw0VBjoks7wU8qA7g6motlrtG0naexl:e8DrEXjeLsvfbwmxoksXUIobEcl
        MD5:57DD74FFABE8D132FB4A1B51B451CBC9
        SHA1:45D8B2D9186C7431F747497CE0A507FA2B9018CF
        SHA-256:88B6802E96535654CF9630D8CD3A21FED9BA1C4E1B3F4A4090F396BFB2E085B0
        SHA-512:EC59B3BED0B5AC9195948404E74C96BE3926828535F66C1306ECC3B35637F2981D7070923183F145845ACBFC9477B55A178B597FF725FB64CE7F80BC46304255
        Malicious:false
        Preview://Lesson10B example..//How to use weighting factors..//Missing point handling: For any missing point in 'T' or 'Y', that pair of data will NOT be used in calculation..// For missing any point in 'W', default weighting value 1 will be used..[INDVAR]: X..[DEPVAR]: Y..[PARAMS]: A, B..[EQUATIONS]:..Y=A*X+B......[INIT PARAMS]:..A=1..B=10....//Here comes the weighting factors..//The 'Y' here MUST be one of the dependent variable..//and 'W' is the weighting column name. It Must match a column name in current data sheet..[WEIGHTING FACTORS]:..Y->W....//uncomment the last two lines to sepecify the selected data ranges for fitting..//[START ROW]:3..//[END ROW]: 8....ENDMODEL.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):562
        Entropy (8bit):2.993960781422298
        Encrypted:false
        SSDEEP:6:U439++CmlZ0mGsvnl7WGH4/SGmHo+ThqWwEcHjoh3Uho//BflK6ge0or/3mgl1ac:F9++lD0Hstyy46AVWwsxUAN0orfXac
        MD5:ADA9AB246650D1396A682719DF4A3572
        SHA1:8A451CCDD4EBB97EEA3E5371CDB681A6128ADF9B
        SHA-256:A611C47FBB97F58C6B76B2325B9F463618D436829FAEF0D9CC955F477F28B1D5
        SHA-512:3525888A117A76F1852B149B9DC907F37CCCF83963B075F7DB196AA66E4B588E117827647D3F85CBA36C5962FF5BFDB60F8FE7DA3DCCA3121D8D8A744B642B9F
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................X.........B.................................?................@................@................@................@................@................@............... @.........Y.........B.........333333/@...............0@...............1@...............,@...............&@............... @...............)@...............+@...............*@.........W.........B.........ffffff$@...............(@...............$@...............+@...............-@................@...............-@.........ffffff$@................@...P.\.u.P....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):600
        Entropy (8bit):5.277255091742896
        Encrypted:false
        SSDEEP:12:S9HAOL/kMDyTpcPMiBAuIvWyg13JtxE9I2jHXOLsTNZjjXS/FXRjG4zZ:Sxa11cPNB+Fg15XEXjeLs7XS7jD
        MD5:5AC99ACC27306917131EF87BE7055C66
        SHA1:97B039EC74E977BDBDF7F145AEBDD3F18AEBE232
        SHA-256:C38A96DDF5621536FC4CFF3524174137436DEF6AE6DA60B91A10D1D177B564DD
        SHA-512:2B1E82184F28160E272112165FF5ADC89F8A4BFF7440C618EBC55BF0DD7C83377DF5A08317756CFB70E2E4D34E52E31622363CC937A957709A51D2691375F446
        Malicious:false
        Preview://Lesson 10c example..//How to select subset of data for fitting..//Any line with double slash "//" will be used as a comment..//Comment line can be put anywhere in the model..//Dependent and independent variable names MUST match column's names on the current data sheet..//Missing point handling: For any missing point in 'T' or 'Y', that pair of data will NOT be used in calculation....[INDVAR]: T..[DEPVAR]: Y..[PARAMS]: A, B, C, D..[EQUATIONS]:..Y=A/(1+EXP(B*(T-C)))+D....//Guess a inital condition...[INIT PARAMS]:..A=115..B=0.12..C=110..D=42......[START ROW]: 3..[END ROW]: 10....ENDMODEL.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):640
        Entropy (8bit):5.3110201359598666
        Encrypted:false
        SSDEEP:12:7AE1wFMDyTpcPMiBAuIvWyg13JtxE9I2jHXOLsTNZjjXS/FXRjG4hdjn:7bk11cPNB+Fg15XEXjeLs7XS7j1
        MD5:2AF6E6AB57085FB71AC1AF3513CB2E6F
        SHA1:2E8F91B6D479F3C94E8645A2D05D504D33C3B01E
        SHA-256:70EB1B9F993EBD47C9A0A54E74425A3898E7E8C6A29433DA426E730D1C1FED79
        SHA-512:A17ACFCD3AC41F47B1C28A15590F8C3796F2CF12967470AAC28928F987ECAB530D33632FFB1AFD86B040FB359BA1BC3C24DA15C9D6381A78A37AD94914B3A0EA
        Malicious:false
        Preview://Lesson 10d example..//How to set the restraining condition for parameters..//Any line with double slash "//" will be used as a comment..//Comment line can be put anywhere in the model..//Dependent and independent variable names MUST match column's names on the current data sheet..//Missing point handling: For any missing point in 'T' or 'Y', that pair of data will NOT be used in calculation....[INDVAR]: T..[DEPVAR]: Y..[PARAMS]: A, B, C, D..[EQUATIONS]:..Y=A/(1+EXP(B*(T-C)))+D....//Guess a inital condition...[INIT PARAMS]:..A=115..B=0.12..C=110..D=42....[LOWER LIMITS]:..A=100..B=0....[UPPER LIMITS]:..A=150..B=0.5....ENDMODEL.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):5993
        Entropy (8bit):5.264443594396247
        Encrypted:false
        SSDEEP:96:XQsJ36/YNVS5Ompgq5q0RmERZyXem/TIVcevtRtNpIi/j02aRSAfbK+:XQpY0pFBRZqEV3F/G2aRSAfbd
        MD5:5B95B0B1EDC512E5F336693AF44FF582
        SHA1:BC35DE40C58FBB5AA2F5EFAC076ABD0E4AE5F9B0
        SHA-256:2E9992CB4F503FF8E3A35DF3AFC3EBA7D1B7908F2194F274CEDFFEEAEED27862
        SHA-512:8398E37635939B2D43A24C53394EF45773845E9334EA377B2A3591B6E9EE71B3B826045B71CC9FDC6554C464D81C93A2758D51249CDFD3290AA471D79EB4B193
        Malicious:false
        Preview:...PSI-Plot4.5Windows....2............X1.........B.................................?................?................?................?.........UUUUUU.?................?................?................?.........333333.?.........UUUUUU.?..............;.@................@..............].@................@................@................@........."""""..@.........333333.@.........DDDDD..@.........UUUUUU.@.........33333s.@..............;.@.........DDDDD..@................@.........Y1.........B.........................._<....?............D...?...........B....?..........Jn]#..?............+.n.?...........v..@.?............_.^.?...........R....?.........2G....?..........3..f..?.............v.?.........A~.S.(.?..........S.....?............'y.?...........yV._.?.........x.F.Q..?.........S8+|@..?.........L.v...?...........5h-..@................@...........".S3.@.........@......@...........zgP.@............OE.@.........X2.........B................?................?.........xwwwww.?.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):707
        Entropy (8bit):3.295987955811921
        Encrypted:false
        SSDEEP:12:Bj2shNjHkMtyy46Ail4FWwsxUiQeg0orfXaVOUl/Mk/mc:Bj2qsjilI7pL8kVc
        MD5:537503A9DE6F3699930BDB62601A0373
        SHA1:7A0E892C93495DF0F8878A9AC588176E14F7CCE6
        SHA-256:5672CECDE42B495227A64CD29A4939CAEC1EFA427EA0CBB19A61C2FCAEFF0EFD
        SHA-512:16A8F2674181954BD0E63DC7531EA5E178D2D2D2F47F84D8A9C2B5773A058873841129680283CAD99128661C44A4DE3CDC60F646F34A2AF66BD787822084D86E
        Malicious:false
        Preview:.".PSI-Plot6.0Windows.........................X.........B..................................?................@................@................@................@................@................@............... @.........Y1.........B..........333333/@...............0@...............1@...............,@...............&@............... @...............)@...............+@...............*@.........ErrL.........B..........ffffff$@...............(@...............$@...............+@...............-@................@...............-@.........ffffff$@................@.........Text.........A..........text.........on.........each.........data.........point.........A.........B.........C.........D...P.\.\.Z.P....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):812
        Entropy (8bit):5.149239903143307
        Encrypted:false
        SSDEEP:24:t5p4LM1ZxcPNBCei2njFg15XEXjeLs2XErjapcV:J4Lo3eTCbkj61MyE/apA
        MD5:83C2F9307D183AB8DA70740CEFF58062
        SHA1:9B9AFC204DB29881021FA780F68CCB65B2F7CD0C
        SHA-256:AD6ADDFAC1839A452EE9794072ACCCD2CBFFC8C5D31514C3DC84EAD45FDB0FD5
        SHA-512:02F05D1CA388D85147EF33BD7887401F0BE64DC577DED7C94F5EAFF5F763BB8FB3660960FDDB77FA418A8B62C2A104809574113D6A1708F64472FBBE29F95334
        Malicious:false
        Preview://Lesson 10 example..//Logistic model..//Any line with double slash "//" (anywhere) will be used as a comment. ..//Comment line can be put anywhere in the model..//Semicolumn ";" can also be used as comment, but only the text after ";" will not be used..//Dependent and independent variable names MUST match column's names on the current data sheet..//Missing point handling: For any missing point in 'T' or 'Y', that pair of data will NOT be used in calculation..[INDVAR]: T..[DEPVAR]: Y..[PARAMS]: A, B, C, D..[EQUATIONS]:..Y=A/(1+EXP(B*(TT-C)))+D ;Semicolumn comment....//Guess a inital condition...[INIT PARAMS]:..A=115 ;semicolumn comment..B=0.12..C=110..D=42....//uncomment the last two lines to sepecify the selected data ranges for fitting..//[START ROW]: 3..//[END ROW]: 10....ENDMODEL.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):533
        Entropy (8bit):3.9119608164209194
        Encrypted:false
        SSDEEP:12:Bjis9kMQEDzc89lOvgmY8QaF1RL4APFeYseoe:Bjie6cc89sYmY8QkR0ANeYvoe
        MD5:BD3E370EA837D2C488DBA45C4C42AC37
        SHA1:44E905924DAFCE85ECF167E642605220B5906260
        SHA-256:45A27A378A3D8445DBA1D4E0E05636F1A10C4D50618D4FE57E96995BCE58DED4
        SHA-512:94979817922BA6B9AA84B9B645943346BC116CDBD7E7148DB62E2971618BBD82B0955E56E6EF9B060415792240D91DFB4532870F7D7514C8436B734D6A2801F5
        Malicious:false
        Preview:.".PSI-Plot6.0Windows.........................T.........B................4@...............>@...............D@...............I@...............N@...............Q@...............T@...............V@...............Y@...............[@...............^@..............@`@...............a@.........Y.........B...........-....c@...............c@.........W.I...c@..........+H3..b@..............b@.........L...1.a@............?.o[@..........}t...O@.........~o..xE@.............7F@...............E@...............D@..........]K...E@...P.P.P....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):35331
        Entropy (8bit):5.853324062054588
        Encrypted:false
        SSDEEP:768:AScf4yrXZr7dM91cBAnEANZX/xYJMyN3R7P9efsocJ:ASQrpPdM9xEANZX/QM8JGsj
        MD5:8EBCF4EDAAC3C80CFDA31D8F2DD4696C
        SHA1:F1750A93704D728C60FC05C0B613ED4950AD01B4
        SHA-256:A0D610702615C301C5016D5BE5539CB3DFE1750A15CCEEF42B5997A8C89BD9DD
        SHA-512:44E39F90A9BCEA5EBDAC56823CAB85467E2D3E3E4ADB17289AFDD24FEC98E7D8146AB6D03BE3215A6A226D6A04B9ABD3D97E971FF433A60985999A90E23F3C56
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................X.........B..........4?...............ZZ...............u.7................q.............WC.X.............~.............t............... ............4C.yP..?..........1kp..?.........R......?..........@,..u.?.........8..J...?..........._~.E.@..........DW...@................@................@.........Y.........B................?................?................?..........................333333.?.........{..G.z.?................?................?................?................?................?.........333333.?.........ffffff.?.........333333.?................?................?.........ffffff.?.........Hx.........B.........C......?...........DYrz.?..........9([_K............2'..'.?.........2......?.........tvu.&..?..........n\.X..?...........qj............xxt..............Fw..S............./..............y..2..?.........-.?~?............W..C.`..........V.2...............|y_iz.?.........Vc..L............j....2.......... F4.S!...........
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):495
        Entropy (8bit):3.972754950315022
        Encrypted:false
        SSDEEP:6:U439++LyX8CH8Gsvnl3Hlhu/0nWPCS7E0kvinIs0QNv/Qw2vLPhqImulnl4b7sul:F9++O8w8ZtWGWP+Hy92vTYi9gQu8S9
        MD5:588C8D5EA1950A30FF87760A48787C67
        SHA1:E3612AEF6BC90AB03AC017A6D5019B31B858E5E6
        SHA-256:809D721E7681476C29E0E18C4FF564272F9CC40FDC5A2E7EFF648A7BF09B090D
        SHA-512:82D7C6D944DC43ED737DB2178737D83857EF310F8699633F4578F1D86D175AE81EA9DD21490C6E075835395DBD02B034CD80AD8E8903A920E8CDBF5DC09DCE07
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................TIME...........................................?.........R....Q.?..........G.z...?................@.........\...(\.@..........(\....@.........333333.@..........G.z...@............(\. @.........)\...($@.........)\....'@.........CONCENTRATION...................-C...6.?..............L.@..............h.@..............d.@................@...............@................@................@...............x@...............m@...............g@...............\@...
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):233
        Entropy (8bit):3.7672218027247135
        Encrypted:false
        SSDEEP:6:U439++O8XyCH8GsQEXz4/llMoUSWXqEpgX:F9++/J8ZQEXyHMZXgX
        MD5:A9E859714D29CA1A36D601517A79FF37
        SHA1:5AF8A67F2A7B375E724FA416D81562A46EEA0D19
        SHA-256:82CE993665D6BFB9D5861C2C7CB060B46D7C5AF5CD77074719A280A48726F772
        SHA-512:81B525F5845341B459FAB17AC19B5C920D099010905ED2A76497710183D675764EE77842344787D90DEC78E31B656E899F496B2E73A8AD348914AC0874F187D8
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................SALE.........................4@................@...............9@...............>@...............9@.........DAY.........Monday.........Tuesday.........Wednesday.........Thursday.........Friday...
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):678
        Entropy (8bit):3.368078389132604
        Encrypted:false
        SSDEEP:12:Tkj1jrHQODQjbnzJHm/dTgB+fggyPqrFqA:Ij1PQwQjbnzC8ZqqA
        MD5:CA2CBC2FECD7A5F0CC19EC572D5A8BAA
        SHA1:5B4806CF508D679C12F171E6ABFEB283CDBB43ED
        SHA-256:C03BCFE24FF260920C17AF084E6092E960987C4A7E0BA0A04410A6D7D3736B31
        SHA-512:C91786673DC27F4B976C8BDB2C7BA29FE8FF8C73D8C69810D49D65C77252336A2185524A0630513C13BFB744E6ECB582CC90E435A23411E6801FA7739C10E009
        Malicious:false
        Preview:.".PSI-Plot7.0Windows.........................Month.........A..........Jan.........Feb.........Mar.........Apr.........May.........Jun.........Jul.........Aug.........Sep.........Oct.........Nov.........Dec.........Male.........B................g@...............e@..............``@..............`e@...............`@.............. h@..............@_@...............Z@...............`@...............e@..............@`@..............@g@.........Female.........B...............@_@..............._@...............f@...............g@.............. g@...............`@...............]@..............._@.............. a@...............c@..............@a@...............b@...P.P.P.P....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1997
        Entropy (8bit):4.8063012804388086
        Encrypted:false
        SSDEEP:48:MMuGZ92ZyML6Ujso78pCjbtO8hivf+cOH6KE2D9/Z:nJ32gML6UiCjbtsvWPaKEiJZ
        MD5:A63BD8407647AEF38EED9CF61B8871DE
        SHA1:44F6D2560F5DCB531DD57BC9E9EBB2769100BB15
        SHA-256:1C918A9EE938AB48EB618BC1701BA76786F313174364EAEE5AD6586ABB2D74CC
        SHA-512:AA23AB71BC8FAFD6D7EC769AE0EA9CAAC61BC4D8E3E9CAC49CFA6B9C676FD2A1FDADB87B9FFC89DAEC24E5749B32778B7B830F996EC6563F8F4FDF3F9E6256A7
        Malicious:false
        Preview:....................*...B.........d...........................MbP?......".....*.....+.....%.....1........MS Sans SerifE.....1........MS Sans SerifE.....1........MS Sans SerifE.....1........MS Sans SerifE.....1........MS Sans SerifE..........&F.....Page &P&..........?'..........?(..........?)..........?@................General.....0.....0.00.....#,##0.....#,##0.00....."$"#,##0_);\("$"#,##0\)....."$"#,##0_);[Red]\("$"#,##0\)....."$"#,##0.00_);\("$"#,##0.00\)..#.""$"#,##0.00_);[Red]\("$"#,##0.00\).....0%.....0.00%.....0.00E+00.....m/d/yy.....d\-mmm\-yy.....d\-mmm.....mmm\-yy.....h:mm\ AM/PM.....h:mm:ss\ AM/PM.....h:mm.....h:mm:ss.....m/d/yy\ h:mm.....m/..Criteria......m/..Data_Form......m/..Database......m/..Print_Area......m/..Print_Titles......m/..Recorder...................C.....@.U.................................................D................@................@................@................@................@................@................@................@................@....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):657
        Entropy (8bit):3.9235497536487123
        Encrypted:false
        SSDEEP:12:F9++cW08ZtW2XolXZY/bztKHiDnngCg+YN+tQu1VMaU:FY+48Non6ztKGgCgfzu1Y
        MD5:AE5F94C69073BABBF52410632C5DB775
        SHA1:8F81A8464206D1B484663E9814A001CE754D74E9
        SHA-256:BE7224D4D50E86B0BA9BC0FA4B10B49D398B3066A5705101608C49512831EADE
        SHA-512:1D6EA0D49EB92D5A52B34001824428412412D87BDFBDA31D8A84F13CBAF0C5311F7858E4E9A4672C3E04D4A5271AC830DA72E4747AFA148442CEE15A83D4301C
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................X..........................@................@................@................@..............."@................@................?................@...............$@................................ @.........Y.......................x..?............_T..?.............,..?...............?................?..............".?............'.h.?............./l.?............./l.?...........@.e@.?...........@....?.........ERROR..........................?............pn............gff.............433...?.............Kj..............h.................E................b#.?.........333Wf...............~r..?....................
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):2594
        Entropy (8bit):4.467194475790071
        Encrypted:false
        SSDEEP:48:FY+kKMP6Tw/8f+XCF1C05BH2Vaqyyx4YDa0mpJry8nrSH:XdMP6WlXMBH2MvyeYGpTry8rSH
        MD5:2E968C36ED959E80EA36045335DE1AC3
        SHA1:19B3312DAB3A7622AED933088F463FBAE67AB67A
        SHA-256:1460E09274F05EF204A74E99126E1969D7E80822C2B585954F4782BC09306709
        SHA-512:0C2959950915FB94449F46CAEDCB2FE0EF8D85F5BBE4E9DA821E2050732E9449562988EFD895331D888747B96EA7C2AEB0ED5DF34C6EA7070A37E18E705DCEF5
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................Column1..........................?............t.3.?.............2..?...............?............L.-.?.............f..?................?..............W.?...............?................?............pJ..?..............R.?..............b.?..............p.?...............?.............D.4?..............b.?................?................?............G$..?.........Column2.....................@.lv.?................?...........@.+..?.............@I.?...........@o...?............X.s.?.............]..?................?.............>..?............E...?..............L.?................?............R...?............NP..?...........@z6..?.............2^.?.............f..?..............T.?.............TU.?.............jx.?.........Column3......................\...?..............G.?...............?............]..?............/...?...............?..............?............ Z..?..............0.?............\...?............3z..?................?.........
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):17480
        Entropy (8bit):5.275354113429777
        Encrypted:false
        SSDEEP:384:q/TNvMM13nJmv/XGRcOrXx7lReKo5RvZY:q/TN/4v/XGtr/Red5pq
        MD5:1C8BE32B699F49F439495F07F1DEA9E9
        SHA1:A1C4E7E69CC863DCD1224F07651A37FEE72720C3
        SHA-256:B3585D3015A755507B20DB1B571DAA7132C1146D90CE0607B666BBA10F37448B
        SHA-512:83BEE9F35F811D017D2C379F791F8153B91D1EBC29C0EF7FD58C3A21E5E99407F6BD6684F5D73D9750A108D06E04C50EADFFCE9561B249445B10ED0FB6F20286
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................X..........................?................?.........333333.?................?.........ffffff.?................?................?.........333333.?................?.........gfffff.?................@................@................@.........gfffff.@.........333333.@................@................@................@.........gfffff.@.........333333.@................@................@................@.........gfffff.@.........433333.@................@................@................@.........gfffff.@.........433333.@................@..... ...gfffff.@.....!..........@....."...333333.@.....#..........@.....$..........@.....%...gfffff.@.....&..........@.....'...333333.@.....(..........@.....)..........@.....*...gfffff.@.....+..........@.....,...333333.@.....-..........@................@...../...gfffff.@.....0..........@.....1...433333.@.....2..........@.....3..........@.....4...gfffff.@.....5..........@.....6...433333.@.....7..........@.....8..........
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):422
        Entropy (8bit):2.89470858639215
        Encrypted:false
        SSDEEP:12:F9++l/G18ZclDAc0pQHCY/kHo7PcXgsKgt+gRgIIl:FY+E8eVeOCv9g0biB
        MD5:5D2D6DE42629282E02E140127FA81A8C
        SHA1:DCC5469E2A060C8B078B61E1CA3950ABD8982A51
        SHA-256:DEBBBFF0EE713D1830DC3CDF6990CD38BCEC53917F4CFD04D4287F309867C800
        SHA-512:0941B78012473F3D3C0C75D50B3B3718D9E6EF407E1AA6D2C9E0DE7F73BC4E0B245C9196F261ED1E90F82CF1D42F4AA6C8ADD507EF6D63EB06AA82589E74CD74
        Malicious:false
        Preview:...PSI-Plot4.5Windows.................Latitude..........................?................@................@................@................@................@.........Longitude..........................@................@................@................?................@................@.........Collection..........................@................@................@................@................@................@...
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2492
        Entropy (8bit):4.044734721727012
        Encrypted:false
        SSDEEP:48:Ug3j8RPxgno5ZL2vNZdqLOxUB4g3j8RPxgno5ZL2vNZdqLOxUBRg3j8RPxgno5ZH:/ga0Eq9ga0EqKga0EqhIg8bS
        MD5:ABB0416E94505BF7E93149987EDCF935
        SHA1:F08D79763F9C7553FF650AE739D53F2C07422430
        SHA-256:467F5F869D5B3E02B2DD1A56663190D2DC7715C0A97C4EACD41988E3B410F5CA
        SHA-512:CE5F6BF6AB79B153052D3583CE640AAA86611B6ABFB346932E6FDE229D7143042548F5729008C7E885F220AE5ABD427F15DAEA74F6C69887E24B09D742B1DA7A
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=128,0,128..Color2=112,0,144..Color3=96,0,160..Color4=80,0,180..Color5=64,0,192..Color6=32,0,208..Color7=16,0,224..Color8=0,0,255..Color9=0,32,224..Color10=0,64,192..Color11=0,96,160..Color12=0,128,128..Color13=0,160,96..Color14=0,192,64..Color15=0,224,32..Color16=0,255,0..Color17=32,255,0..Color18=64,255,0..Color19=96,255,0..Color20=128,255,0..Color21=160,255,0..Color22=192,255,0..Color23=224,255,0..Color24=255,255,0..Color25=255,224,0..Color26=255,192,0..Color27=255,160,0..Color28=255,128,0..Color29=255,96,0..Color30=255,64,0..Color31=255,32,0..Color32=255,0,0....[LINE_COLOR_RGB]..Color1=128,0,128..Color2=112,0,144..Color3=96,0,160..Color4=80,0,180..Color5=64,0,192..Color6=32,0,208..Color7=16,0,224..Color8=0,0,255..Color9=0,32,224..Color10=0,64,192..Color11=0,96,160..Color12=0,128,128..Color13=0,160,96..Color14=0,192,64..Color15=0,224,32..Color16=0,255,0..Color17=32,255,0..Color18=64,255,0..Color19=96,255,0..Color20=128,255,0..Color21=160,255,0..Color22=192,
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2492
        Entropy (8bit):4.044734721727012
        Encrypted:false
        SSDEEP:48:UA5Cci/B/ZZiVBjN5ivXhLuDJQ39YA5Cci/B/ZZiVBjN5ivXhLuDJQ39xA5Cci/7:hXjQZUJ+XjQZUJxXjQZUJgIg8bS
        MD5:84B387C633D635B0C246C99A01C506DC
        SHA1:B50B46C91D15CB3C458A63AAC006D2A347A9F423
        SHA-256:32CF8B555B81FF4FE94DF2E84B0327CC4971A0D75FE4BF620D0A67ECA5ED2DBB
        SHA-512:4F57B007654B0F07DA7A22B2D8BF454BE420FC6F2A99BC6F0096D41F66E162D64721F9CD071AFABB75D39AE81BD1A226080FE40014D602C74EB9D5307FC52393
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color32=128,0,128..Color31=112,0,144..Color30=96,0,160..Color29=80,0,180..Color28=64,0,192..Color27=32,0,208..Color26=16,0,224..Color25=0,0,255..Color24=0,32,224..Color23=0,64,192..Color22=0,96,160..Color21=0,128,128..Color20=0,160,96..Color19=0,192,64..Color18=0,224,32..Color17=0,255,0..Color16=32,255,0..Color15=64,255,0..Color14=96,255,0..Color13=128,255,0..Color12=160,255,0..Color11=192,255,0..Color10=224,255,0..Color9=255,255,0..Color8=255,224,0..Color7=255,192,0..Color6=255,160,0..Color5=255,128,0..Color4=255,96,0..Color3=255,64,0..Color2=255,32,0..Color1=255,0,0....[LINE_COLOR_RGB]..Color32=128,0,128..Color31=112,0,144..Color30=96,0,160..Color29=80,0,180..Color28=64,0,192..Color27=32,0,208..Color26=16,0,224..Color25=0,0,255..Color24=0,32,224..Color23=0,64,192..Color22=0,96,160..Color21=0,128,128..Color20=0,160,96..Color19=0,192,64..Color18=0,224,32..Color17=0,255,0..Color16=32,255,0..Color15=64,255,0..Color14=96,255,0..Color13=128,255,0..Color12=160,255,0..Col
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):467
        Entropy (8bit):5.465402673936943
        Encrypted:false
        SSDEEP:12:tFwGj656eoPqw3sUpmD/+in8inuPOwE1n08u91:tFwhk/xRC/+HbdES8y
        MD5:626AD864917B6505EB5ADA2E46B5588F
        SHA1:3CCC8231E3CA0C1C925C28F6CFCCD50858E43F34
        SHA-256:6313583F6F5B9D0CC0832BF8ADDB77A012D58E6458809D7C8A673A06F6B85C34
        SHA-512:BE6ED62696C1ACED65BB99D79D33894A335280D7DDF64B83E27A29F3300844397FC22AFCE0E7C687F67D0839A7E6B4BBFA221F8AA67A6A12FE77C92EEA2B65E6
        Malicious:false
        Preview:[MODEL NAME]: LORENZ MODEL..[INDVAR]: T..[DEPVAR]: X,Y,Z..[PARAMS]: B,Ro,Segma....[EQUATIONS]:..// comment line..X'=Segma*(Y-X)..Y'=Ro*X-Y-X*Z..Z'=X*Y-B*Z..END OF EQUATIONS....[PARAMS VALUES]:..// go to a new line..B=3.0..Ro=30.0..Segma=10.0....[INIT CONDITION]:..// go to a new line..T=10.00..X=-7.0..Y=-9.0..Z=22.0....// specify the step size to collect data:..[STEP SIZE]: 0.02....// specify the stop value for independent variable:..[STOP VALUE]: 50....ENDMODEL..
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):651
        Entropy (8bit):1.6570352432703657
        Encrypted:false
        SSDEEP:3:fLyVhD/lD8lsl14ppSCgpKz/zlllllllulpRJl/l6XllClE+ltlvHl//lLyVn:iD314ppSoz/LtlUHRhl16n
        MD5:644FABC7B63DC0F82F863DC411F56F37
        SHA1:FBC4C50275CED99B9891A5F0903910DB360F67F5
        SHA-256:BFA821A5C0B224C6721FE1F9AE015892A4C0A75002F01CC30D1180BFDF4A78F2
        SHA-512:788149C64BE5783DAB042563A2B2D93E3E7E76B08EA1946651FB884B27CB7D04D8D5A546414A1D85CFEBF0FC412C94319F188A0D1CB1BC87685831AAA954F7BE
        Malicious:false
        Preview:XXXPSIMACRO100XXX&...&.......................Y1.............................................................................................................................Y1=LOG(Y)....................................................................................................................................................................................................................................................................................................................................?......0@........_...............................................................................................................XXXPSIMACRO100XXX
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):8509
        Entropy (8bit):5.291493968355919
        Encrypted:false
        SSDEEP:96:wOzMjF8mvd+gmFf8hO+s/XDU31CG/ERd6TFvHT4nSQHFqB9JnuspstiRiU:wXBvKFfws+CGvvz4nSKqNnlsQiU
        MD5:D34D0926ED040164993E0348F60EC6FB
        SHA1:A0AC58BAE129D2FF7D5686458409F45E9B1A938E
        SHA-256:6365382D492DFCC9A54B14586A570B293C052F2694C31F434BCFEDF04BC60EB8
        SHA-512:CA4F0E4D2C16191EC79479B08A2A51670253898A7D7E48FE9C032D00343C88C947E0F7B5A30258F65758F511556D1BDF8D856ED9F20024A3E4A3BA91C36D5124
        Malicious:false
        Preview:[PSIPLOT_USER_HOTKEY]..hk1=57606,File | Printer Setup,,..hk2=31522,File | Print PreView,,..hk3=31502,Edit | TransPaste,,..hk4=31512,Edit | Insert - Cell,,..hk5=31513,Edit | Insert - Column,,J..hk6=31514,Edit | Insert - Row,,..hk7=31515,Edit | Insert - Cells,,..hk8=31516,Edit | Insert - Columns,,..hk9=31517,Edit | Insert - Rows,,..hk10=31518,Edit | Insert - ClipBoard,,..hk11=31508,Sheet | Select Block,,..hk12=31509,Sheet | Select All,,..hk13=31510,Sheet | CR Transpose,,..hk14=31558,Sheet | Row Statistics,,..hk15=31511,Sheet | Sheet Info,,..hk16=31519,Sheet | Grid Line,,..hk17=31520,Sheet | Change Font,,..hk18=31552,Column | Column Width,,..hk19=31559,Column | Left,,..hk20=31560,Column | Right,,..hk21=31561,Column | Centered,,..hk22=31553,Column | Create Columns - One Column,,..hk23=31554,Column | Create Columns - 2D Curve,,..hk24=31555,Column | Create Columns - 3D Curve,,..hk25=31556,Column | Create Columns - 3D Surface,,..hk26=31557,Column | Create Columns - 3D Bar,,..hk27=31562,Column
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS-DOS executable, NE for MS Windows 3.x (DLL or font)
        Category:dropped
        Size (bytes):77712
        Entropy (8bit):2.643640745293126
        Encrypted:false
        SSDEEP:384:vglcAH9xKW25zs935xZxO5XAXtI/dSK5Ikn2a0SSSvqK9xCyoiAPCJBfFwl:Y6YxhfO2vCjfyl
        MD5:DFA53C3ABCCD572909881DEF787744FC
        SHA1:F1D61D10E1FB57C13DBD3BD16CCCE656CABD76EE
        SHA-256:24FB275FF084BD32AB940378E9C6DC9BEA88211E8CFBE0BC0470AEC7DFE0E9A8
        SHA-512:0575CE3DBE0B07E3529AC353B39DBE172B7E3AF438672A4152C56972F9C000D55EF0DC8467FCFF7C99388A16717C81FB85D66F4B53AAE486F40E5840BEB865A4
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ...... .........e@....@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.This program requires Microsoft Windows...$ Z.....!..L.!......................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):728576
        Entropy (8bit):6.0275310298101665
        Encrypted:false
        SSDEEP:6144:ekNep3qEURVL23P2kuZx19Q+YtAnUFqtZiLzgh0+boiYtbjTVqpRQ47vXSlaB:VsxqjDL234rQ+nUdYhlU9t/ApRzB
        MD5:2C2DDDE2985D95B9140EDACED7A201D3
        SHA1:82AF9018EE85E5FD93AE776C61857A849D437044
        SHA-256:3D1AE968DA77854038A1006EA477AB0C3F6CC6D958E5E5288C5F2BB973870ABB
        SHA-512:576F7AB7B5F2B609E295AFF7103645E99AE29FF2DAD1B9BE434BDD5C5AA8F32EB122E9E3D437D5699472CD42C0B96C0A446F8883B27A003E763CC0911A825587
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+S..J=..J=..J=..@..J=..J<..J=..F..J=..P..J=..G..J=..S..J=..C..J=..A..J=..E..J=.Rich.J=.........PE..L......H...........!.....R..................p....f~.........................P......G.....@.........................`_..:...LR..........._...........................................................<..@............................................text....Q.......R.................. ..`.data....2...p...0...V..............@....rsrc....`.......`..................@..@.reloc...6.......8..................@..B...HP......H[......Hf...,..Hp...,..H}......H....'..H.......H.......H............msvcrt.dll.USER32.dll.ole32.dll.KERNEL32.dll.NTDLL.DLL.VERSION.dll.WINSPOOL.DRV.GDI32.dll.OLEAUT32.dll..................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS-DOS executable, NE for MS Windows 3.x (DLL or font)
        Category:dropped
        Size (bytes):392480
        Entropy (8bit):6.905332451483599
        Encrypted:false
        SSDEEP:6144:n/gDTLGYNyQgoQ2x9Ti8ZdENzCRcsKpVjpkr2blWvFZLzz7Vl2TwKFh5Qx8ikE6+:uXGBQBQ2x9TiudENzCRcsKLjpkr2JWvZ
        MD5:B8B5F288BC3D836E928C7C169AD24009
        SHA1:D65C435CFE54A04EBA827F4DF1C7E682F59CA2AD
        SHA-256:2CADE57BAF74C2A0CE126272249A0E638C33BCC1EE2866AA1CD60A5203CB4A91
        SHA-512:BD35861D540B17732BB24DD648B50547A46354788113DCE5FDDACB25FE8066DB39443CB0F933020DBAB471C2041989451B6C2C2E3B15BE82494C849C81BE9B6D
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ...... .........e@....@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.This program requires Microsoft Windows...$ Z.....!..L.!......................................................................................................................................................................................................................................................................................................................................................................................................
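Added example (not Joe Sandbox code, not part of the dropped files): the "File Type" strings for the three MZ-based drops listed above, two NE (Win16) modules and one PE32 DLL, come from a handful of header fields, and the "Entropy (8bit)" column is Shannon entropy over the file's bytes. The PE32 preview shows this directly: "PE..L" is the PE signature followed by Machine 0x014C (Intel 80386), and the ".text .data .rsrc .reloc" names are its section table. The script below reproduces both the type string and the entropy figure on header images it constructs in-line (they are not the real dropped files); the constants are the standard PE values (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_DLL, IMAGE_SUBSYSTEM_WINDOWS_CUI/GUI). The threshold behind the report's "Encrypted" flag is not stated on the page, so it is not reproduced.

```python
"""Sniff dropped-file headers the way a sandbox 'File Type' column does.

Added example, not Joe Sandbox code. Classifies a blob as plain MZ, NE (Win16)
or PE32/PE32+, pulls the fields behind a string such as
'PE32 executable (DLL) (console) Intel 80386', and recomputes 8-bit entropy.
The sample images built here are constructed and are not the analysed drops.
"""
import math
import struct
from collections import Counter

# Standard PE constants (IMAGE_FILE_MACHINE_*, IMAGE_SUBSYSTEM_*, IMAGE_FILE_DLL).
MACHINE = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum(p * math.log2(p) for p in (c / n for c in Counter(data).values()))
    return h if h > 0 else 0.0  # normalises the -0.0 produced by single-valued input


def sniff(data: bytes) -> dict:
    """Describe an executable header; {'kind': 'data'} for anything without an MZ stub."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"kind": "data"}
    # e_lfanew at 0x3C: offset of the NE or PE header that follows the DOS stub.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return {"kind": "MZ"}  # plain DOS executable, no new-executable header
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return {"kind": "NE"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"kind": "MZ"}
    coff = e_lfanew + 4
    try:
        # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
        # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
        machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", data, opt)            # 0x10B PE32, 0x20B PE32+
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
        sect = opt + opt_size                                     # section table, 40 bytes each
        names = [struct.unpack_from("<8s", data, sect + 40 * i)[0] for i in range(nsect)]
    except struct.error:
        return {"kind": "PE-truncated"}
    return {
        "kind": "PE32+" if magic == 0x20B else "PE32",
        "machine": MACHINE.get(machine, hex(machine)),
        "dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "sections": [n.rstrip(b"\0").decode("latin-1") for n in names],
    }


def describe(data: bytes) -> str:
    """Render a type string in the style of the report's 'File Type' column."""
    info = sniff(data)
    kind = info["kind"]
    if kind.startswith("PE32") and "dll" in info:
        return "{} executable ({}) ({}) {}".format(
            kind, "DLL" if info["dll"] else "EXE", info["subsystem"], info["machine"])
    return {"NE": "MS-DOS executable, NE for MS Windows 3.x", "MZ": "MS-DOS executable"}.get(kind, kind)


def build_pe(dll: bool, subsystem: int, sections=(".text", ".data", ".rsrc", ".reloc")) -> bytes:
    """Constructed minimal PE32 header image: enough for sniff(), not loadable."""
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x40)                       # e_lfanew -> 0x40
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)              # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0)
                     for n in sections)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + table


def build_ne() -> bytes:
    """Constructed MZ stub whose e_lfanew points at an NE (Win16) header."""
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x40)
    return bytes(mz) + b"NE" + b"\0" * 62


if __name__ == "__main__":
    for label, blob in [
        ("constructed PE32 DLL, console", build_pe(dll=True, subsystem=3)),
        ("constructed NE module", build_ne()),
        ("constructed INI text", b"[SYMBOL_COLOR_RGB]\r\nColor1=128,0,128\r\n"),
    ]:
        print(f"{label}: {describe(blob)}  entropy={shannon_entropy(blob):.4f}")
```

Run it against the real drops by reading each file in binary mode and passing the bytes to describe() and shannon_entropy(); a type string or entropy that disagrees with the sandbox's column is worth a second look, since the sandbox derived both from the same bytes.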
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows 3.1 help, Tue Apr 17 13:11:49 2001, 26038 bytes
        Category:dropped
        Size (bytes):26038
        Entropy (8bit):4.55580668806265
        Encrypted:false
        SSDEEP:384:uX0EppE1e80vvpyGf7t1ayKu0rtP1dOxjPp:uboUXpLB1+u0RP18xjPp
        MD5:02C3F8C32018F3AAF66E7421400F1781
        SHA1:A04F2E40287AF78867161FA3F1606045088DA212
        SHA-256:6FAEF4C998E810FFF139958F28722C79879EC2FD66C97C7E3E2C5040FD5550D9
        SHA-512:C30FEE64D74A536117DE46C81B6E22EC82634D1284783A317BC15E85CFD561FAD7D50A63CA863EA6520B5CBAECF9061F7B52D3D99050484CE8A004F81DAB7990
        Malicious:false
        Preview:?_..J........e..:...1.....(),.aadv@ancedA.@a.ndareasa ssign..ut.omaticav.ailableb.ebitmapb oxbyc<.ha.ngeclick@Commun+.t.ionscomp.uterconn.ectedCTR.Ldefault.dependin@gdialo..f.ferentdiFr*.=.disl.d docum..owpnloa...0..r.iverEdge.e..n. erro.rexample.featuref.i..ine-tu@nefont..s@forFor..m...-to-tra.y..atfrom.Generall.ygraphic.s..yIfima.geinin.....telyin50..(isl..u".le.tslevelL.istsmaym.S.....memor...ta....j.gb..vr.tworko...onlyop...t$.Optimi8zeo..... so.routl....g..p..pa1.pa.. elpla..Po.stScript.P..c.cesprHint. ed.0r..@-specif\ic.@*0..P.@p.rovi}.rel.. resetr...rs..s..ctsq..ser......s@houlds..s@ourceSd0e.sm0yspoo...gsuchtha@ttheTh8.h...ghtoTru.eTyph.m.g...us..>.want.Whenw. e8..rw..hwill.wt.Yesyou...r),).+-.011.3Aal.waysanan.yASCIIat*a..b..r..st.binaryB. ...B.2."sboo2k..ca...2sC.."los........`ntrol....t.cR.tecur...cusS.CutDjdw.D.Rn..H.y.fi...sfarf-..F....g..avpehig... ".o.w..tItits.job..slon.gL..m%.man.ualmaximXummp...m?.tVm....i0.No.tbO..onek...O.T"PT"..pixe2l..rt..@2sP.rotocolR@GBRoll..l.s
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1060548
        Entropy (8bit):5.335948247757904
        Encrypted:false
        SSDEEP:24576:IvAbVQ/68As8OOeqDEM+B3sG1WHEozQ47HTp1:/BF1EJljkzQeHTp1
        MD5:ACD06CCD864E483846B624642A0114B3
        SHA1:0453FED86FB7BBDEC1399F762941D3B77F50E903
        SHA-256:C19D4922DF0298D693F08D67557D48C1DE14EBFABA6BAD2CD69B1B4DDD5F0B82
        SHA-512:EAC81875BADC3363F726EEEB1464A0E188AABADEF07495FB789ACF1800AF13817F124C9ECFCFD8D7EE2721F0715AAF2CBD3744A9CAC0C8DF193C20BC31C64C4D
        Malicious:false
        Preview:1FTNSPTN............................0...........@$......x....$...................&...........&...................,......T....,..................$/......L.......................p1..Q.......@1..................,4..1........3...................6..5...<....6...................8...........8...................@...........@...................K......d....K..................LN..q5..|....N...................P..q........P...................V....1.....\V...................Y..r.k.....\Y...................a...........a..................Po......\....n...................x..m...H...$x...................~..y.......l~....................._...,...<......................l.......h...............................|...................................................................................................................p..............................D...}...H...........................................................................................................................m...................
        Process:C:\Windows\System32\msiexec.exe
        File Type:PPD file, version "4.3"
        Category:dropped
        Size (bytes):13234
        Entropy (8bit):5.234084282938284
        Encrypted:false
        SSDEEP:384:UG3oMa1/lWELElw2yTL0H5nFlpDkiZag6x/fE6HW1/kqUJFjX:zW19W4LdYZFf4isg6x/f61/kLbX
        MD5:789C07DE2E4570BC9AEB042FC3CA51A4
        SHA1:DBBD6CD819CEC3EB44E953910AB2E2EAF3DDCB03
        SHA-256:5332BB97AC7B5A363F216CCE0AA785006E48986039B3B9E64EA1C403B2263DA6
        SHA-512:47C35AF0A49C115D4C1E35F2585CE5EB71B50F4C1368E18DB9F7786B71BCCE1687716600667099FB474244B0F4E4E8B38C6432073E756202B99FF6637A777828
        Malicious:false
        Preview:*PPD-Adobe: "4.3"..*LanguageEncoding: ISOLatin1..*PCFileName: "PSCRIPT1.PPD"..*Product: "(PSI PostScript)"..*PSVersion: "(2014.108) 2"..*ModelName: "PSI PostScript"..*ShortNickName: "PSI PostScript"..*NickName: "PSI PostScript"..*OpenGroup: InstallableOptions/Options Installed..*OpenUI *InstalledMemory/Memory Configuration: PickOne..*DefaultInstalledMemory: 16Meg..*InstalledMemory 16Meg/Standard 16 MB: ""..*InstalledMemory 24Meg/24 MB Upgrade: ""..*InstalledMemory 25Meg/25 MB Upgrade: ""..*InstalledMemory 28Meg/28 MB Upgrade: ""..*InstalledMemory 40Meg/40 MB Upgrade: ""..*?InstalledMemory: ".. save.. currentsystemparams /RamSize get.. 1048576 div cvi 6 string cvs dup length dup 3 add string dup 0 4 index .. putinterval dup 2 index (Meg) putinterval exch pop exch pop = flush.. restore.."..*End..*CloseUI: *InstalledMemory..*OpenUI *OptionalCassette1/Cassette (Optional): PickOne..*DefaultOptionalCassette1: False..*OptionalCassette1 True/Installed: ""..*OptionalCassette1 False/No
        Process:C:\Windows\System32\msiexec.exe
        File Type:PPD file, version "4.0"
        Category:dropped
        Size (bytes):5966
        Entropy (8bit):5.253422403076919
        Encrypted:false
        SSDEEP:96:fc4eW/qClUmcNFO0U0TLUPr3t6GNadToyUhs+VVeMO+/UzeVd9WK+r7V2EfArger:FiClUmcNFO0U0TLUPr3t6GNaRoBH8zof
        MD5:F4FE28CD09F6A6B9DB8A1572D5650EF7
        SHA1:226F283F66594A42199FEA10F00F0E324E752316
        SHA-256:4B9940A7093F7483D6942F3E80509765649A62AA7717DE4D8E7734091DE4B28E
        SHA-512:3ED7536EF8869A0FAEF0D4B840E92EB9D2EF9201D2D8B877E647626EA39FB93B3B3BED21762C118F41C5D12872D8D4BF90F8C1C907AECA4E2C5472D69025F935
        Malicious:false
        Preview:*PPD-Adobe: "4.0"..*PCFileName: "PSCRIPT2.PPD"..*Product: "PostScript"..*PSVersion: "(38.0) 2"..*ModelName: "PSI PostScript"..*NickName: "PSI PostScript"..*ColorDevice: False..*FreeVM: "172872"..*LanguageLevel: "1"..*Password: "0"..*ExitServer: ".. count 0 eq { % is the password on the stack?.. true.. }{.. dup % potential password.. statusdict /checkpassword get exec not.. } ifelse.. { % if no password or not valid.. (WARNING : Cannot perform the exitserver command.) =.. (Password supplied is not valid.) =.. (Please contact the author of this software.) = flush.. quit.. } if.. serverdict /exitserver get exec.."..*End..*DefaultResolution: 300dpi..*?Resolution: "..save.. initgraphics.. 0 0 moveto currentpoint matrix defaultmatrix transform.. 0 72 lineto currentpoint matrix defaultmatrix transform.. 3 -1 roll sub dup mul.. 3 1 roll exch sub dup mul.. add sqrt round cvi.. ( ) cvs print (dpi) = flush..restore.."..*End..*ScreenFreq: "60.0"..*S
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):543232
        Entropy (8bit):6.803024195144198
        Encrypted:false
        SSDEEP:12288:uXe7RhCDdJ1ZvaYoNGXbUq5Dts+fUAC3LZuiCP:ugRh65toULU0DtbcAC3LYr
        MD5:1024591F141A018B3DC309BB26302217
        SHA1:B00B8407D309D7773FF32D80B08939EB5A05145C
        SHA-256:098F52D66394B2FF8AFB76F023D5F73AF95EE0A6B48A540718EFA0979EE46AB1
        SHA-512:6F2FC052FB63304F164A6930F737A72D8B4D9B1C7AEF90C8F21464F95F2848E474BDA15EBCABB3B73CEB2478E94EC0DAFE54C5BF43D779D33173AF9671030E1F
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q..+.v.x.v.x.v.x2..x.v.x.v.x.v.x2..x.v.x2..x.v.x2..x.v.x2..x.v.x2..x.v.x2..x.v.x2..x.v.xRich.v.x................PE..L......H...........!.........j......AL............dB.........................p......,.....@.........................@................0.......................@...$.....................................@............................................text............................... ..`.data....1.......0..................@....rsrc........0......................@..@.reloc..^+...@...,..................@..B...HP...,..H[...'..He...,..Hr...,..H[......H.......H....)..H.......H............msvcrt.dll.ntdll.dll.WINSPOOL.DRV.KERNEL32.dll.GDI32.dll.USER32.dll.mscms.dll.ole32.dll.........................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:PPD file, version "4.3"
        Category:dropped
        Size (bytes):6748
        Entropy (8bit):5.29328268785933
        Encrypted:false
        SSDEEP:192:ltLfXoc5snTSsyjshJsC1Cs3zspSscJscIsAJ4sSSs5s2sCxs+szsZs4sl36K2iF:ltL3WS9iICfpwcrSaLVL+Ip23b2ioip
        MD5:28C493B44925221AA69F020E6AF6176B
        SHA1:45D04D3E144CA3A9BA7A038CE50B5960E5903AE7
        SHA-256:9258203F212D58C04C81A2CCE6511D6FA53D65F569C14DCF35CEA19AF815CDBB
        SHA-512:BC873725E54A866B11150928A1913C455BA5833E2EC9BC4183D7AB8BD53440980591DE118BCB0DE9FB1A47C68E229794F6C870F9ECD1E5E2EA7A3C65EC07CA73
        Malicious:false
        Preview:*PPD-Adobe: "4.3"..*% Adobe Systems PostScript(R) Printer Description File..*% Copyright 1995, 2001, 2003, Microsoft Corporation..*% All rights reserved...*% Permission is granted for redistribution of this file as..*% long as this copyright notice is intact and the contents..*% of the file is not altered in any way from its original form...*%..*% This PPD is designed to generate a composite CMYK..*% PostScript file suitable for converting to a PDF file in a..*% commercial printing workflow. It originally shipped with..*% Microsoft Publisher version 11...*%..*FormatVersion: "4.3"..*FileVersion: "1.0"..*PCFileName: "PSIPSCRP.PPD"..*LanguageEncoding: ISOLatin1..*LanguageVersion: English..*Manufacturer: "Poly Software International"..*Product: "(PSI Color PostScript)"..*PSVersion: "(3011.0) 0"..*ModelName: "PSI Color PostScript"..*NickName: "PSI Color PostScript"..*ShortNickName: "PSI Color PostScript"....*% ==== General Information and Defaults ================..*FreeVM: "9992192"..*VMOp
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):57344
        Entropy (8bit):3.563787453877769
        Encrypted:false
        SSDEEP:768:9lUV+NbCaa3ecBECn21wYnFAsNc8x3BoITJ:YiNC21wYOcnx3BFTJ
        MD5:78EF6802BEFCEB7AF4431F5E58B099E3
        SHA1:A48957BBE28D1497F3A88D193439861C94CAEEE8
        SHA-256:980DE80F16D9D296D1580BDA8A3284675D6D8B2F724DDC220B146675E943341E
        SHA-512:C1E5DF59C1FCAF390DFCEBC4F33FEF08FB4E877F2EBC88BFE5EA654984BAB4F5842D48CD4F9034AB528A4CE3E5AB56CC797CF5D0E1D8B06C44074205A6812EEA
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... 7...........!...<.8...p......9........P.....x................................d................................F..h.......P.......h#...........................................................................................................text....6.......@.................. ..`.data....;...P...@...P..............@....idata..............................@..@.rsrc...h#.......0..................@..@.reloc..J...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):95719
        Entropy (8bit):6.148180556378838
        Encrypted:false
        SSDEEP:1536:uQ5jA5TBmLKafph50cxebfrP3pf70NHQ+RCLUAKGHs:J5jAJCfph5OrxANHBCLUAvHs
        MD5:0429BC080C0571EB67C958DF9B46932D
        SHA1:EA05FA033B5EA5FBF4385ABAB49CA39503E796F8
        SHA-256:4E8FA2D66ECA983F0E14C9338E6F81A06998A490C865D96ABE6616F12FE68296
        SHA-512:DEEF560CAE29664FEAB59DD84220EA332CE3FB8F277BCD98968EA7D26B965253AA70904B99BBCF502202F02EE34FA015AC0B1450DF068668628302C024526D23
        Malicious:false
        Preview:..................................................)...'Fr.....'2.g'..k...E.HVB_____.PFM.................].HVBO____.PFM.................].HVO_____.PFM.................].SY______.PFM.,...............].TIB_____.PFM.................].TIBI____.PFM..$..............].TII_____.PFM..+..............].TIR_____.PFM..2..............].HVN_____.PFM..:..............].HVNB____.PFM..@..............].HVNBO___.PFM..F..............].HVNO____.PFM..L..............].HV______.PFM.JS..............].COO_____.PFM..Y..............].POB_____.PFM..\..?...........].POBI____.PFM..`..a...........].POI_____.PFM. e..U...........].POR_____.PFM.ui..h...........].GDB_____.PFM..m..............].GDBI____.PFM..y..............].GDI_____.PFM.W...K...........].GDRG____.PFM.................].GDSBI___.PFM.................].HVBL____.PFM................].HVBLO___.PFM.Y...............].HVL_____.PFM................].HVLO____.PFM.`...............].HVC_____.PFM................].HVCB____.PFM.n...............].HVCBO___.PFM.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows 3.1 help, Fri Nov 7 22:55:00 1997, 21066 bytes
        Category:dropped
        Size (bytes):21066
        Entropy (8bit):5.021266414733644
        Encrypted:false
        SSDEEP:384:IzZQdT0tnYTHnI/UoR3eFMriydPI1J9CuJQgAt:IzZmun81oIFMWy5I1JkoQgAt
        MD5:C0A16032BE127705A764B0DDA172A416
        SHA1:6E6041A1DBD3277558F1825A40453EF25C6FA5F8
        SHA-256:F04D02D6BFFD8EFAE631672829278C857B9AB00A6984FDC261D2FE3B13D4B912
        SHA-512:8DA0CEA05FEF84FDCA7712E544E9879FD823DBAEE5F1DB9AE2A561764551FDC48B3B06C86A8CFE0AA69E1E0475C1D3EBD34B33042FB288EE80A3BAAACFB90207
        Malicious:false
        Preview:?_..h.......JR..X...O.....(,.aamou.ntanandA.rchivear.easASCII.availabl.eb..foreb.itmapbut.toncalcu.lationsc.anchange@Clickc. o.lor. scom.munic+0C.....putercu.stomdata.defaultd.ialogdif.ferentDi.splaysdo.cum..downTlo,.d.Pi~.d.geEn..sex actly..mp.lefi..onta..sFor....m.atfromha.vehew.rho.wIfimage0inin....te0lyin-0..is(itl..u$.le.velmargi.n.0sQ.ch. ...maym3.net.worknonp.rii.N.noto...op<.oror"iB.alpx.pa.perparal.lel..c.......edph8.gra.ph..cedPo.stScript.[ ` &.. r.@sv ...screens"e..lec'.Sexnds..9.. ..t.serx.set1 ..@shoulds izespv.sp.ecificS.0.es.0ysubshtit..d.`..u.chsuppor.tsthatTh,et....h..Th.i....imeto.TrueTypeDtru.gun.bu.s....value.. swantwF....P.rwhich.willyou...r"">#&)).,).-/011.22253400.8:;<=="A.aboum.jx..0.edADSCafg..}...oa..X.a.nyAs..wayPbeca..bH.b.$.gbestbi.n..aryB. #..b6.boxbui.lt-..utby4By!.r....ch.e%.hoose..1K.onn.!..tr.olcopV.cu....ate.0dcu.r..C,3..edeBp.1devi..i.r....doDo,S.5.esDon't`dpidr....c.hE..ef..i`..en..opeEP.Ser..exce.ptfarfa.. rfeedE.sF.lipFF.fui..futurege.t."icshas.H.
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):854016
        Entropy (8bit):5.956259482904397
        Encrypted:false
        SSDEEP:12288:5rOSJf44R1/kwm018HwzEo2x2S/2RHCyO/XWseji6XxpW:Zf44R1/kwH1WoLCyO/XFe9vW
        MD5:2A5755B795E19A833BE731E306C2B393
        SHA1:FD63627AE3E0B6B8D51C3052ABD772BB7388BAE7
        SHA-256:CCDEB169EAFDFDD96588DF803543B4A912A3096B2FE24767E8D8C129667EF448
        SHA-512:5D02E87A96C5B60A86717BE8150ADEA692E11AD5047B7C5550732704D50566C2B2ADC840E8D3EB2D594CA18C72D503F642CAB54DA73D733B2B38F80B4C664450
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2$..vE..vE..vE..Q..wE..Q..yE..vE...E..Q...gE..Q..ME..Q...wE..Q...E..Q..wE..Q..wE..Q..wE..RichvE..........................PE..d...\..G.........." ................(.........2F.............................0............@.........................................P'..Z...(............_......./..................@................................................................................text............................... ..`.data...pL...0...F..................@....pdata.../.......0...d..............@..@.rsrc....`.......`..................@..@.reloc..............................@..Bk..GX....Gc.....Gm......Gx......G.....Gc.....G.......G.....G.......G............msvcrt.dll.NTDLL.DLL.USER32.dll.ole32.dll.KERNEL32.dll.VERSION.dll.WINSPOOL.DRV.GDI32.dll.OLEAUT32.dll..........................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows 3.1 help, Tue Apr 17 13:11:49 2001, 26038 bytes
        Category:dropped
        Size (bytes):26038
        Entropy (8bit):4.55580668806265
        Encrypted:false
        SSDEEP:384:uX0EppE1e80vvpyGf7t1ayKu0rtP1dOxjPp:uboUXpLB1+u0RP18xjPp
        MD5:02C3F8C32018F3AAF66E7421400F1781
        SHA1:A04F2E40287AF78867161FA3F1606045088DA212
        SHA-256:6FAEF4C998E810FFF139958F28722C79879EC2FD66C97C7E3E2C5040FD5550D9
        SHA-512:C30FEE64D74A536117DE46C81B6E22EC82634D1284783A317BC15E85CFD561FAD7D50A63CA863EA6520B5CBAECF9061F7B52D3D99050484CE8A004F81DAB7990
        Malicious:false
        Preview:?_..J........e..:...1.....(),.aadv@ancedA.@a.ndareasa ssign..ut.omaticav.ailableb.ebitmapb oxbyc<.ha.ngeclick@Commun+.t.ionscomp.uterconn.ectedCTR.Ldefault.dependin@gdialo..f.ferentdiFr*.=.disl.d docum..owpnloa...0..r.iverEdge.e..n. erro.rexample.featuref.i..ine-tu@nefont..s@forFor..m...-to-tra.y..atfrom.Generall.ygraphic.s..yIfima.geinin.....telyin50..(isl..u".le.tslevelL.istsmaym.S.....memor...ta....j.gb..vr.tworko...onlyop...t$.Optimi8zeo..... so.routl....g..p..pa1.pa.. elpla..Po.stScript.P..c.cesprHint. ed.0r..@-specif\ic.@*0..P.@p.rovi}.rel.. resetr...rs..s..ctsq..ser......s@houlds..s@ourceSd0e.sm0yspoo...gsuchtha@ttheTh8.h...ghtoTru.eTyph.m.g...us..>.want.Whenw. e8..rw..hwill.wt.Yesyou...r),).+-.011.3Aal.waysanan.yASCIIat*a..b..r..st.binaryB. ...B.2."sboo2k..ca...2sC.."los........`ntrol....t.cR.tecur...cusS.CutDjdw.D.Rn..H.y.fi...sfarf-..F....g..avpehig... ".o.w..tItits.job..slon.gL..m%.man.ualmaximXummp...m?.tVm....i0.No.tbO..onek...O.T"PT"..pixe2l..rt..@2sP.rotocolR@GBRoll..l.s
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1062732
        Entropy (8bit):5.327224938603629
        Encrypted:false
        SSDEEP:24576:aLpbAtwnsRdpq5Ii/8AbQ7d9R+3UXbdwTwTJg:8M+n8oe/vbdWwTJg
        MD5:C18E8DA3F5C91760E00DFAE8B6364BED
        SHA1:566D28948DAE855C8E5F560EAD7E0D8CC73DC1D5
        SHA-256:F49C950531E485BBC4B35161CF049ADF8363D0BD222CFED2EEDE2A13FE418187
        SHA-512:65C7F8C129D71DE9B887B5741760D86955035F977B32B89CF43A31EB973178AF6BAE1E5D39DCA19B56F6BB0139634F44E90C31CFAC00F75E64908D7B36A75D3A
        Malicious:false
        Preview:1FTNSPTN............................0...........@$......x....$...................&...........&...................,......T....,..................$/......L.......................p1..Q.......@1..................,4..1........3...................6..5...<....6...................8...........8...................@...........@...................K......d....K..................LN..q5..|....N...................P..q........P...................V....1.....\V...................Y..r.k.....\Y...................a...........a..................Xo......d....n...................x..m...P...4x......................y........~....................._...4...\.......................l...........................4...............................D..........................................P..............................`...............................8.......................}...P...................................d...............................l...............................|.......................m...................
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):628736
        Entropy (8bit):6.675098433423424
        Encrypted:false
        SSDEEP:12288:aCiHW5JC2rb9T2JPyc3sgTaWDwUjXZAjlxfUAC3LZui:aVW5JdrS+geWDwpj3cAC3LY
        MD5:BAD12C605CA489C061E636E840720056
        SHA1:D4006D6CA409289012F4506897B2CEC10B527DF0
        SHA-256:A3A71C558C96FEDA11CFF875C90779B90B3540EBCF52ACEB465C69B01DD0B1D4
        SHA-512:8C5381690AB37952E4DD2503E7601833BFBB8C565009CD99CC76C651720F9F4D78F3D84EE3DF9779DDC3E6175043FCDB6E4F17EF46F4884CB4BC4162F6AD1B83
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.ye"..6"..6"..6.gj6#..6.gy6-..6"..6..6.gl63..6.gz6...6.gm6#..6.gf6l..6.gi6#..6.gk6#..6.go6#..6Rich"..6........PE..d...]..G.........." ...........................A..........................................@.........................................`...................t....p...(.................. ................................................................................text............................... ..`.data....I... ...D..................@....pdata...(...p...*...L..............@..@.rsrc................v..............@..@.reloc..B...........................@..Bk..GX....Gc....Gc......Gm......Gz....Gc....G......G....b..G.......G............msvcrt.dll.NTDLL.DLL.WINSPOOL.DRV.KERNEL32.dll.GDI32.dll.USER32.dll.mscms.dll.ole32.dll.........................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:PPD file, version "4.3"
        Category:dropped
        Size (bytes):6748
        Entropy (8bit):5.29328268785933
        Encrypted:false
        SSDEEP:192:ltLfXoc5snTSsyjshJsC1Cs3zspSscJscIsAJ4sSSs5s2sCxs+szsZs4sl36K2iF:ltL3WS9iICfpwcrSaLVL+Ip23b2ioip
        MD5:28C493B44925221AA69F020E6AF6176B
        SHA1:45D04D3E144CA3A9BA7A038CE50B5960E5903AE7
        SHA-256:9258203F212D58C04C81A2CCE6511D6FA53D65F569C14DCF35CEA19AF815CDBB
        SHA-512:BC873725E54A866B11150928A1913C455BA5833E2EC9BC4183D7AB8BD53440980591DE118BCB0DE9FB1A47C68E229794F6C870F9ECD1E5E2EA7A3C65EC07CA73
        Malicious:false
        Preview:*PPD-Adobe: "4.3"..*% Adobe Systems PostScript(R) Printer Description File..*% Copyright 1995, 2001, 2003, Microsoft Corporation..*% All rights reserved...*% Permission is granted for redistribution of this file as..*% long as this copyright notice is intact and the contents..*% of the file is not altered in any way from its original form...*%..*% This PPD is designed to generate a composite CMYK..*% PostScript file suitable for converting to a PDF file in a..*% commercial printing workflow. It originally shipped with..*% Microsoft Publisher version 11...*%..*FormatVersion: "4.3"..*FileVersion: "1.0"..*PCFileName: "PSIPSCRP.PPD"..*LanguageEncoding: ISOLatin1..*LanguageVersion: English..*Manufacturer: "Poly Software International"..*Product: "(PSI Color PostScript)"..*PSVersion: "(3011.0) 0"..*ModelName: "PSI Color PostScript"..*NickName: "PSI Color PostScript"..*ShortNickName: "PSI Color PostScript"....*% ==== General Information and Defaults ================..*FreeVM: "9992192"..*VMOp
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):2238
        Entropy (8bit):3.7581586970469583
        Encrypted:false
        SSDEEP:12:aQpfCipX6EJXMdj4F/ZQv2AnzfWAwFdZSUCM9d2JXuXLFNuh8e80GAfICxNA1LCJ:HxCipqdkcv+uiiJXuCFjIA9vA+N0tY
        MD5:68C2626531F8473F4765C89470A1C831
        SHA1:D184C3D9E6CD8D65B6487164D018786BD4CBECB4
        SHA-256:93E9D51FAE9272AAD63410711EC2C0632DB5CE88ADDCD84E2EA523D9A86A25F8
        SHA-512:CCF9BC910FB01728A013A5B55E9133D34C3AAC661B5E57B5FBC7C17B1448E209419F52B435609A6F8789A1C533CC99DD051E53A31BD547A12FCA0DA7C6D26557
        Malicious:false
        Preview:...... ..............(... ...@....................................................................... @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`....................... ...@...`....................... ...@...`................@...@. .@.@.@.`.@...@...@...@...@ ..@ .@ @.@ `.@ ..@ ..@ ..@ ..@@..@@ .@@@.@@`.@@..@@..@@..@@..@`..@` .@`@.@``.@`..@`..@`..@`..@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@...@...@...@...@. .@.@.@.`.@...@..@...@......... ...@...`.................. ... .. @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...@...`....................... ...@...`....................... ...@...`...................... ...@...`.................. ... .. @.. `.. ... ... ... ...@...@ ..@@..@`..@...@...@...@...`...` ..`@..``..`...`...`...`........ ...@...`....................... ...
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows HtmlHelp Data
        Category:dropped
        Size (bytes):4949695
        Entropy (8bit):7.998257331919992
        Encrypted:true
        SSDEEP:98304:dy30fqJBna2ksxNiTLG4cfPR5akU5gq0s1E8q5v83aDj:dyM2fz7pe5VxCjGaDj
        MD5:46ABC527DB502BB525CB5786B3A3E894
        SHA1:CB7D651FC7D0D1BEE966F001CA6EE13AC05B25FF
        SHA-256:9A7A98B72C0AC451658FAEEC5E010191811480246884ED9BF316E9DA234A69DB
        SHA-512:D96CAABA9E6732161C1E2FDE0798DD625B2771E3EB556DD7661C3F871F08A56B9CFBBFAC058BF9F451F56BF39FE446A0C7554BED4E8D71F3C8D4E0832A2EDCB4
        Malicious:false
        Preview:ITSF....`..........2.......|.{.......".....|.{......."..`...............x.......T........................K.............ITSP....T...........................................j..].!......."..T...............PMGLR................/..../#IDXHDR...<.../#ITBITS..../#IVB....z.l./#STRINGS......r./#SYSTEM..V.)./#TOPICS...<.../#URLSTR.... ..|./#URLTBL...L.T./$FIftiMain......././$OBJINST....N.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property....J../$WWKeywordLinks/..../$WWKeywordLinks/BTree.......L./$WWKeywordLinks/Data....h.H./$WWKeywordLinks/Map....0z./$WWKeywordLinks/Property....* ./afx_hidd_changeicon.htm...d.#./afx_hidd_color.htm.....|./afx_hidd_convert.htm......./afx_hidd_editlinks.htm......./afx_hidd_fileopen.htm.....c./afx_hidd_filesave.htm...}.../afx_hidd_find.htm.....k./afx_hidd_font.htm...r.y./afx_hidd_insertobject.htm...+.8./afx_hidd_newtypedlg.htm...k.%./afx_hidd_pastespecial.htm...c. ./afx_hidd_print.htm.....s./afx_hidd_printdlg.htm.....-./afx_hidd_printsetup.htm...<.:./afx
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):9342976
        Entropy (8bit):4.388478142801099
        Encrypted:false
        SSDEEP:98304:pgIfKwnuZgfuqgH9at7iZwe87NUUi2edlqXf2elf:DBuSfoatH
        MD5:2A1254635AE44869FE026EE2FA6B33D5
        SHA1:0D90E326AAF62F29A24A3FBFFC4BD6DA26CA8FD2
        SHA-256:BBB253CD560369F1F6B33104506831FF70E1FBE09A394269043C0C95166166F9
        SHA-512:4C138BE2BAFD07F904F4CC76783F3AE7EB7C5409C1F4CA7EC34B7F5F023CD288FAD87F66DA73691296DE2845E9992530C6A06C18FB5F1A556E58815893625B19
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........MZ...Z...Z.......[......[....j..R.......U.......G...Z.......}h......}h......_.......}h......}h..[...Z...A...}h..[...RichZ...........PE..L.....O..................-...`.....$.*.......-...@.........................................................................L.7.......8...V...........................-.............................h\5.@.............-......7.@....................text.....-.......-................. ..`.rdata........-.......-.............@..@.data.........7.......7.............@....rsrc.....V...8.. V..p8.............@..@........................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [CreateColumn]
        Category:dropped
        Size (bytes):1817
        Entropy (8bit):5.5437721839708
        Encrypted:false
        SSDEEP:48:8e0FRAeRRLNO2bRN6k4Gu1QySquyF0gi1siBdiJiRO2uiCNegiLP8iz8iWi67JNE:d0FRAeRRxTbRNyDXhi1siziJiRTuige1
        MD5:3BECDA5DB32179456566FA78FD8011EC
        SHA1:AD4021E1F448DC77DE13B4419FCFBDA08D71790F
        SHA-256:425AE9D7540E753E3A617FE769A1EC91CE87E6BD072660839B807974BD6FA7B5
        SHA-512:59E3B8C7083B04435D6797F4EEE89BDD531FC8C24AC4AF2AB15BF1EC62FE4AA78EF9DC356362AC048C12134056612F985F1BD3C031B1592A900487D11A68924B
        Malicious:false
        Preview:[MAINWINDOW]..X=0..Y=0..CX=-1..CY=-1....[CreateColumn]..String1=SIN(X)....[Create3DCurveX]..String1=T*COS(T)....[Create3DCurveY]..String1=T*SIN(T)....[Create3DCurveZ]..String1=2*T....[Create3DMesh]..String1=Sin(X*Y)....[Transform]..String1=Z2=H2O_OUT-H2O_IN..String2=Z1=H2O_OUT-H2O_IN..String3=Z1=X*X..String4=Z=X+Y..String5=Y=SIN(X)....[FillSelection]..String1=COS(X)....[OneDimensionMap]..String1=3*X*(1-X)....[TwoDimensionMapX]..String1=1-1.4*X*X+Y....[TwoDimensionMapY]..String1=0.3*X....[ThreeDimensionMapX]..String1=3*X*(1-X)....[ThreeDimensionMapY]..String1=3*Y*(1-Y)....[ThreeDimensionMapZ]..String1=3*Z*(1-Z)....[FuncPlotRect]..String1=SIN(X)....[FuncPlotPolar]..String1=SIN(X*PI/180)....[FuncPlotSmith]..String1=ABS(X)....[FuncPlot3DCurveX]..String1=T*SIN(T)....[FuncPlot3DCurveY]..String1=T*COS(T)....[FuncPlot3DCurveZ]..String1=T+1..String2=T....[FuncPlotSurfXYZ]..String1=sin(X*Y)+3....[FuncPlotSurfSphere]..String1=(Y/360)*SIN(X*PI/180)..String2=1....[FuncPlotSurfCylinder]..String1=Y/7
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows icon resource - 5 icons, 32x32, 8 bits/pixel, 48x48, 8 bits/pixel
        Category:dropped
        Size (bytes):9822
        Entropy (8bit):4.721464938826727
        Encrypted:false
        SSDEEP:96:/OtJyg4DrV8WhEKrOtJyg4Dsm81VXa1OtJyg4DZovydq2HTf/JHHNaL:2KDhIKDs51VbKDA+/JnNw
        MD5:FED3834C6EB922D0A055324AAD3C1ED3
        SHA1:0A4BC2C4FB3D23F4DC63EF5195173B1A9975FEDD
        SHA-256:6090802558E24F174754659B67E0E3721B3DA0AC22305371DFB729C795F54D5B
        SHA-512:C13A983C14BE3C31843172DD1D259C5168CCC5D677E10C25E8A1114112C501D71099222DEDFC7CBF9CE7F9481758F89C8A9C228438B6FDFD6C3D46E7902F7050
        Malicious:false
        Preview:...... ..........V...00......................h....... ..............00......h.......(... ...@..............................................................................................""".))).UUU.MMM.BBB.999..|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............f.........3...3.3.3.f.3...3...3...33..333.33f.33..33..33..3f..3f3.3ff.3f..3f..3f..3...3.3.3.f.3...3...3...3...3.3.3.f.3..3...3...3.3.3.f.3...3...3...f...f.3.f.f.f...f...f...f3..f33.f3f.f3..f3..f3..ff..ff3.fff.ff..ff..f...f.3.f.f.f...f...f...f...f.3.f..f...f...f...f.3.f...f................3...............33...f..3.......f...f3..3f..f...f...3....3...f...................3.f.f..................3...f...................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f......3..f................3...f..................3...f...............3...f......3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows icon resource - 2 icons, 32x32, 48x48
        Category:dropped
        Size (bytes):6006
        Entropy (8bit):4.321548892217617
        Encrypted:false
        SSDEEP:96:uOtJyg4DXrX7FMvgSdKmaNRcqLMnOtJyg4DgttD4VWYvNp6t5rE:LKDXrX7FMvgSdKmaNRcqLjKDgttMwmN5
        MD5:9D8BC5A3DE0208455AE2DF324E60E1DF
        SHA1:4CD6F1BF68E131D99D32BC201DF65C7DBC8588AE
        SHA-256:1145E4617792F278D9BC3574010FD0FF3BC283AE2C79C8108FB4630DFB36803B
        SHA-512:5966CC7763AB04BF4CF4384CB452FD7483E0EF414C8F97C2CDF37EA73C6B6EAE301E1757AD604F145A67645AFD72EE879A316772E3C6215B914D9943B21DBCB0
        Malicious:false
        Preview:...... ..........&...00..............(... ...@..............................................................................................""".))).UUU.MMM.BBB.999..|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............f.........3...3.3.3.f.3...3...3...33..333.33f.33..33..33..3f..3f3.3ff.3f..3f..3f..3...3.3.3.f.3...3...3...3...3.3.3.f.3..3...3...3.3.3.f.3...3...3...f...f.3.f.f.f...f...f...f3..f33.f3f.f3..f3..f3..ff..ff3.fff.ff..ff..f...f.3.f.f.f...f...f...f...f.3.f..f...f...f...f.3.f...f................3...............33...f..3.......f...f3..3f..f...f...3....3...f...................3.f.f..................3...f...................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f......3..f................3...f..................3...f...............3...f......3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............3...f.........ff..f.f.f....f
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows icon resource - 1 icon, 32x32, 16 colors
        Category:dropped
        Size (bytes):766
        Entropy (8bit):3.043964475635822
        Encrypted:false
        SSDEEP:12:IEiJVyf93f93f9Tmq11A444QQQQQQQQQQQQQQQQQQQQQ4wltlN3:IEiuV3V3VT1w
        MD5:512C96F34EBDA3AE7ED37EB233275867
        SHA1:FD903DA1452BFC23BD5441D361AA357D22B5D576
        SHA-256:6D37108E29E292D2D52A88913F0272A2A56DC003F474B31A7542812035CEB2CC
        SHA-512:0011D28EFCEC37D41331CE4C258434D6023F91DBB8BDDCB02421D8465B1944320D8C7816754F82AB171242BFA8EFE6B153ECC8C12C06EF95AD0227EBABFA5063
        Malicious:false
        Preview:...... ..............(... ...@..................................................................................................................wwwwwwwwwww.....wwwwwwwwwww...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w...............w..............ww..............................w...............x......................................wwwwwwww....................................................................................................................................?................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):2821
        Entropy (8bit):4.593331548999218
        Encrypted:false
        SSDEEP:48:nUWsvZGCPJYiMFXX6qcmEZwVhQLMGw9wI3LRw+62zGo:nUFvZdPoFLEZohBGutF6M
        MD5:8E089694990F1108B85C712AE073B19D
        SHA1:E853B5F4C9B85C33C3B52EDFAF01009C0A06D4DA
        SHA-256:158487E3A50E97BA97D8D93B3652D556C3EE603B52E3C21BA760A8DDAB029F9F
        SHA-512:74CF43444EE718EFE053CC0DB40F716DC5AB0508DFA116BB921AC16F20865F32BF825625B37F030415360DD97C3484AC380C8C38AFD8359B36A1466806869264
        Malicious:false
        Preview: ****************************************************.... ===PSI-PLOT Version 10.5===.... Working Demo.... (c) Poly Software International 1992-2012.. All Rights Reserved.... Readme Document.. ****************************************************.... Contents.. 1. Packing list.. 2. Hard disk space requirement (Important!).. 3. How to contact Poly Software International.. 4. Trouble shoots under Vista.. 5. How to set PSI-Plot for multiple users.. .. 1. Packing list.... In your PSI-Plot package (full version) you will find the.. following items:.... * Program CD.. * User Guide (printed).. * Registration form.... If any of these items are missing, please call Poly Software.. International Technical Support at (845) 735-9301.... .... 2. Hard disk space requirement (Important!).... Before installing PSI-Plot for Windows, make sure that t
        Process:C:\Windows\System32\msiexec.exe
        File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
        Category:dropped
        Size (bytes):16807
        Entropy (8bit):5.081172666331871
        Encrypted:false
        SSDEEP:384:E0wonI8y9O194gCJ9CDjB9Tl9CN94V9Z9T6r9Tw9TE9Tp9T79TVc0zu6vh2Kif1n:VnI8yGHOcV3E87SOeDF7zu6vh2Kif1M0
        MD5:C0359489E55EC6307AB6FD260B88D8A0
        SHA1:150456DAC1DE95440F3B16320A3DC9DE8C8BD9A9
        SHA-256:FB55EE6AAEB7E1BD44BFB5C139B792DEEEB3DF7D07BC4E6795E40F8E89A7F38B
        SHA-512:54E23C1B7C215FB810B52DE085211351D98E2F10A5CBDF41DE83F52D3E56F71EBC8A346F7D5FB365D4A5EB0187980CAD160B251A2BE12469228CE062A530AB3A
        Malicious:false
        Preview:{\rtf1\ansi\ansicpg1252\uc1\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe2052{\fonttbl{\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f2\fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}{\f10\fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}..{\f36\froman\fcharset238\fprq2 Times New Roman CE;}{\f37\froman\fcharset204\fprq2 Times New Roman Cyr;}{\f39\froman\fcharset161\fprq2 Times New Roman Greek;}{\f40\froman\fcharset162\fprq2 Times New Roman Tur;}..{\f41\froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f42\froman\fcharset178\fprq2 Times New Roman (Arabic);}{\f43\froman\fcharset186\fprq2 Times New Roman Baltic;}{\f44\froman\fcharset163\fprq2 Times New Roman (Vietnamese);}..{\f56\fmodern\fcharset238\fprq1 Courier New CE;}{\f57\fmodern\fcharset204\fprq1 Courier New Cyr;}{\f59\fmodern\fcharset161\fprq1 Courier New Greek;}{\f60\fmod
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):4.02302278826183
        Encrypted:false
        SSDEEP:48:UgiYd3cUzCKDrQLRITHdmVwNcIgiYd3cUzCKDrQLRITHdmVwNchgiYd3cUzCKDrS:y4dZTuW4dZTuf4dZTujM0TFdDn
        MD5:76B21702A2E091BFB1B32B49F900B438
        SHA1:F2FE0F260E69A31C52C594C6B2325EBE56C2DE8B
        SHA-256:C163D56A0B04A4243B3E325406418EE02B5F90CE88F20AE29E8F87FAA5C26B59
        SHA-512:4A8FFA4A138E760E254DD6CDA9D13CC3D21D66F9C04FE4DAFCCDD047878A1072AED9E868CB3B8377EDA0E6FF5BE8F19DB68F58C4598E6D760FC1667CD8320A32
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=255,0,0..Color2=255,7,7..Color3=255,15,15..Color4=255,23,23..Color5=255,31,31..Color6=255,39,39..Color7=255,47,47..Color8=255,55,55..Color9=255,63,63..Color10=255,71,71..Color11=255,79,79..Color12=255,87,87..Color13=255,95,95..Color14=255,103,103..Color15=255,111,111..Color16=255,119,119..Color17=255,127,127..Color18=255,135,135..Color19=255,143,143..Color20=255,151,151..Color21=255,159,159..Color22=255,167,167..Color23=255,175,175..Color24=255,183,183..Color25=255,191,191..Color26=255,199,199..Color27=255,207,207..Color28=255,215,215..Color29=255,223,223..Color30=255,231,231..Color31=255,239,239..Color32=255,247,247....[LINE_COLOR_RGB]..Color1=255,0,0..Color2=255,7,7..Color3=255,15,15..Color4=255,23,23..Color5=255,31,31..Color6=255,39,39..Color7=255,47,47..Color8=255,55,55..Color9=255,63,63..Color10=255,71,71..Color11=255,79,79..Color12=255,87,87..Color13=255,95,95..Color14=255,103,103..Color15=255,111,111..Color16=255,119,119..Color17=255,127,127..Color18=2
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2330
        Entropy (8bit):4.0184109137557416
        Encrypted:false
        SSDEEP:48:Ug6Sw/7bqEScSrg6Sw/7bqEScSQg6Sw/7bqEScSMPgmNKfbV3hM/wrQfRR+2d7ME:zIg8bS
        MD5:1D9F4E2951A0451E41B2B1B1E9A02CAE
        SHA1:9D2BD437F360F980EB07212F608C6515C9124D96
        SHA-256:1E131F2E2A6D4E8D85C05520634950533A1D72D9BB2D533FEB097B1A697C44B9
        SHA-512:AE2965A0B6D7C8446454946216648A9CEBAB3CCF37BE8FF4AF6E82C656621D4C2D75CA53167D5D2B8F825D30F10C072AD45A5F40D2A9F510F4277203B51F33C6
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=255,0,0..Color2=247,0,0..Color3=239,0,0..Color4=231,0,0..Color5=223,0,0..Color6=215,0,0..Color7=207,0,0..Color8=199,0,0..Color9=191,0,0..Color10=183,0,0..Color11=175,0,0..Color12=167,0,0..Color13=159,0,0..Color14=151,0,0..Color15=143,0,0..Color16=135,0,0..Color17=127,0,0..Color18=119,0,0..Color19=111,0,0..Color20=103,0,0..Color21=95,0,0..Color22=87,0,0..Color23=79,0,0..Color24=71,0,0..Color25=63,0,0..Color26=55,0,0..Color27=47,0,0..Color28=39,0,0..Color29=31,0,0..Color30=23,0,0..Color31=15,0,0..Color32=7,0,0....[LINE_COLOR_RGB]..Color1=255,0,0..Color2=247,0,0..Color3=239,0,0..Color4=231,0,0..Color5=223,0,0..Color6=215,0,0..Color7=207,0,0..Color8=199,0,0..Color9=191,0,0..Color10=183,0,0..Color11=175,0,0..Color12=167,0,0..Color13=159,0,0..Color14=151,0,0..Color15=143,0,0..Color16=135,0,0..Color17=127,0,0..Color18=119,0,0..Color19=111,0,0..Color20=103,0,0..Color21=95,0,0..Color22=87,0,0..Color23=79,0,0..Color24=71,0,0..Color25=63,0,0..Color26=55,0,0..Color27=47,
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2663
        Entropy (8bit):4.033134483350259
        Encrypted:false
        SSDEEP:48:UtlSRmvTodrQv9npcUv35hvadtlSRmvTodrQv9npcUv35hvaqtlSRmvTodrQv9nX:cwe7vYwe7vXwe7vTIg8bS
        MD5:D120F25894EE1B52A489288B82A9AD02
        SHA1:AAD3804C60640D97D9EF58B4BB452865F0C353D8
        SHA-256:00A67DE2C2222F9DD0EFE778224F11E27E552A5A25600E7BDA2BF6CCD399260A
        SHA-512:395396380345055A44510CB47CA1793666B4ECD0EB875BDEEED0BB2180E5B206C8AEEE9A078A324E0515FB7441EFEF67BBEF94ED95056A9FE918B07A577CE0DF
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color32=255,0,0..Color31=255,7,7..Color30=255,15,15..Color29=255,23,23..Color28=255,31,31..Color27=255,39,39..Color26=255,47,47..Color25=255,55,55..Color24=255,63,63..Color23=255,71,71..Color22=255,79,79..Color21=255,87,87..Color20=255,95,95..Color19=255,103,103..Color18=255,111,111..Color17=255,119,119..Color16=255,127,127..Color15=255,135,135..Color14=255,143,143..Color13=255,151,151..Color12=255,159,159..Color11=255,167,167..Color10=255,175,175..Color9=255,183,183..Color8=255,191,191..Color7=255,199,199..Color6=255,207,207..Color5=255,215,215..Color4=255,223,223..Color3=255,231,231..Color2=255,239,239..Color1=255,247,247....[LINE_COLOR_RGB]..Color32=255,0,0..Color31=255,7,7..Color30=255,15,15..Color29=255,23,23..Color28=255,31,31..Color27=255,39,39..Color26=255,47,47..Color25=255,55,55..Color24=255,63,63..Color23=255,71,71..Color22=255,79,79..Color21=255,87,87..Color20=255,95,95..Color19=255,103,103..Color18=255,111,111..Color17=255,119,119..Color16=255,127,127..
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2744
        Entropy (8bit):4.02302278826183
        Encrypted:false
        SSDEEP:48:UI4uR1LHcUsLC9rQvdTovmRSDI4uR1LHcUsLC9rQvdTovmRSoI4uR1LHcUsLC9rQ:QudHGOudHGXudHGpKDcft1
        MD5:2929CE69D6CC4CDBB5682C64F5D7D7CB
        SHA1:5784A44573874A8F65DC763FDE986F02D2B7DB08
        SHA-256:9082A9851D5D2E9AE5089961E299DFFFB448AF06293AF1B1742EA58D28F94103
        SHA-512:46F6F463ADA2AE059A2A58AC160E1B9C331861561F27106109035A1A33E821C0B9FD0B8FFB7A77BC2D8FF4B0DCDBE2B3174D0B2582685A28437EB68640255184
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=255,247,247..Color2=255,239,239..Color3=255,231,231..Color4=255,223,223..Color5=255,215,215..Color6=255,207,207..Color7=255,199,199..Color8=255,191,191..Color9=255,183,183..Color10=255,175,175..Color11=255,167,167..Color12=255,159,159..Color13=255,151,151..Color14=255,143,143..Color15=255,135,135..Color16=255,127,127..Color17=255,119,119..Color18=255,111,111..Color19=255,103,103..Color20=255,95,95..Color21=255,87,87..Color22=255,79,79..Color23=255,71,71..Color24=255,63,63..Color25=255,55,55..Color26=255,47,47..Color27=255,39,39..Color28=255,31,31..Color29=255,23,23..Color30=255,15,15..Color31=255,7,7..Color32=255,0,0....[LINE_COLOR_RGB]..Color1=255,247,247..Color2=255,239,239..Color3=255,231,231..Color4=255,223,223..Color5=255,215,215..Color6=255,207,207..Color7=255,199,199..Color8=255,191,191..Color9=255,183,183..Color10=255,175,175..Color11=255,167,167..Color12=255,159,159..Color13=255,151,151..Color14=255,143,143..Color15=255,135,135..Color16=255,127,127..
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2588
        Entropy (8bit):4.042851636835783
        Encrypted:false
        SSDEEP:48:Uo+iA3iA9LohLFlaJLFZcN2g5WZ1c0CvWLVKrQMMZlosLapH7PgmNKfbV3hM/wrL:YqQ3MQ3+kIIg8ba4dZTu8
        MD5:73174E1DC3355BBDBCA93B0E8FD2A5A8
        SHA1:DA0FF3751A361EC33ED879BC7C9364737417FFEC
        SHA-256:20CAAC9E5D737DD5C335D33C5B6DB3B5FE57DCAE2B9A130F1C628F3B45E8420E
        SHA-512:E30D077C9515F099D7F71E6D3F151A0E0BB713BF99B75139C62B4233C2ADD4524192B7D0F6076874AE944E95E6578FF7CD0511E306EC10AB44EBC2B90AF2ED81
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=0,255,0..Color2=255,0,0..Color3=255,255,0..Color4=0,255,255..Color5=255,128,255..Color6=128,128,255..Color7=255,128,64..Color8=192,192,192..Color9=0,128,0..Color10=128,0,0..Color11=128,128,0..Color12=64,128,128..Color13=255,0,128..Color14=0,0,160..Color15=198,64,0..Color16=128,128,128..Color17=128,255,128..Color18=255,128,128..Color19=255,255,128..Color20=128,255,255..Color21=255,128,255..Color22=85,170,255..Color23=255,170,130..Color24=212,212,212..Color25=0,83,0..Color26=74,0,0..Color27=79,79,0..Color28=0,100,100..Color29=145,0,72..Color30=0,0,100..Color31=74,37,0..Color32=51,51,51....[LINE_COLOR_RGB]..Color1=0,0,0..Color2=0,0,160..Color3=0,128,0..Color4=128,128,0..Color5=0,0,64..Color6=64,128,128..Color7=128,0,128..Color8=64,0,128..Color9=128,128,128..Color10=0,64,128..Color11=128,0,0..Color12=0,64,64..Color13=255,128,0..Color14=255,255,0..Color15=255,0,0..Color16=255,0,255..Color17=255,0,0..Color18=0,255,0..Color19=255,255,0..Color20=0,255,255..Color21=0,
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):446
        Entropy (8bit):5.41706792414349
        Encrypted:false
        SSDEEP:6:tFHKHmoc66rpuAyk4Gqw3WhkYmYKenKKJvYD/c60nulK+WDwLX0n0unugSdmt:tFfj66Zf4Gqw3s5XvYDGnuPOwEn08u9+
        MD5:E94F1D720D4C391849F0B29B579B6E2B
        SHA1:4026BBBAEEF8268452AB7C5C8935F9DCF1F29262
        SHA-256:120DC26BD972C43D7281A653D3D019B6C3C26302A3F6E683147CF79C43033314
        SHA-512:68A7C172C9097A75FC8D1F7493A004DFE9DDCCC662DE4BD7578868D5F5B8CA54A9BD0C1A3E15B2E78423EC686BE65F6453673EF296AFECBE49A34C20205E3EFE
        Malicious:false
        Preview:[MODEL NAME]: ROSSLER MODEL..[INDVAR]: T..[DEPVAR]: X,Y,Z..[PARAMS]: A,B,C....[EQUATIONS]:..// comment line..X'=-Y-Z..Y'=X+A*Y..Z'=B+Z*(X-C)..END OF EQUATIONS....[PARAMS VALUES]:..// go to a new line..A=0.15..B=0.20..C=10.0....[INIT CONDITION]:..// go to a new line..T=0.00..X=10.0..Y=0.0..Z=0.0....// specify the step size to collect data:..[STEP SIZE]: 0.04....// specify the stop value for independent variable:..[STOP VALUE]: 40....ENDMODEL..
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2516
        Entropy (8bit):4.06732260628604
        Encrypted:false
        SSDEEP:48:Ug3j8RPxgno5ZL2vNZdqLOxUB4g3j8RPxgno5ZL2vNZdqLOxUBRg3j8RPxgno5ZX:/ga0Eq9ga0EqKga0Eqht30tupqg
        MD5:D9BB17D2AFC3B08F6E9E39009F96D594
        SHA1:30B74FBF731A2AF906AD3B8A36D5591237CD29A5
        SHA-256:20D0AA7E9F9E893B50307F59D01D998E36E7B752B2433E616A7275D947565BED
        SHA-512:4C230263518746D14DB2C8D27570988BEC2BF3A01552E0F82A757F45EB75C8A85ECB5F2FAC7D7089CEB950EEE28CA077EBB2D3976D579EB904829E9DD6608DCE
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color1=128,0,128..Color2=112,0,144..Color3=96,0,160..Color4=80,0,180..Color5=64,0,192..Color6=32,0,208..Color7=16,0,224..Color8=0,0,255..Color9=0,32,224..Color10=0,64,192..Color11=0,96,160..Color12=0,128,128..Color13=0,160,96..Color14=0,192,64..Color15=0,224,32..Color16=0,255,0..Color17=32,255,0..Color18=64,255,0..Color19=96,255,0..Color20=128,255,0..Color21=160,255,0..Color22=192,255,0..Color23=224,255,0..Color24=255,255,0..Color25=255,224,0..Color26=255,192,0..Color27=255,160,0..Color28=255,128,0..Color29=255,96,0..Color30=255,64,0..Color31=255,32,0..Color32=255,0,0....[LINE_COLOR_RGB]..Color1=128,0,128..Color2=112,0,144..Color3=96,0,160..Color4=80,0,180..Color5=64,0,192..Color6=32,0,208..Color7=16,0,224..Color8=0,0,255..Color9=0,32,224..Color10=0,64,192..Color11=0,96,160..Color12=0,128,128..Color13=0,160,96..Color14=0,192,64..Color15=0,224,32..Color16=0,255,0..Color17=32,255,0..Color18=64,255,0..Color19=96,255,0..Color20=128,255,0..Color21=160,255,0..Color22=192,
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [LINE_COLOR_RGB]
        Category:dropped
        Size (bytes):2516
        Entropy (8bit):4.06732260628604
        Encrypted:false
        SSDEEP:48:UA5Cci/B/ZZiVBjN5ivXhLuDJQ39YA5Cci/B/ZZiVBjN5ivXhLuDJQ39xA5Cci/V:hXjQZUJ+XjQZUJxXjQZUJgJKknBRxso
        MD5:A4012F8D21D3310F7E22AFD00E881DDA
        SHA1:8018119C244F1C18BDAB239B2C4DCF8F0AAA766D
        SHA-256:4A3E32C6F5CF5CE9720224154E33C114ADDEE7B308115E1EC093CAF69C0A5D76
        SHA-512:BE0DCCF434104F41DFB4615505972402ED5828E38FFB1CD8F20035DCBDEF3E8D8497C7B286A729220B540AAEBA7B1F4E0F18C336154AA54367B15A1D5E65D5BA
        Malicious:false
        Preview:[SYMBOL_COLOR_RGB]..Color32=128,0,128..Color31=112,0,144..Color30=96,0,160..Color29=80,0,180..Color28=64,0,192..Color27=32,0,208..Color26=16,0,224..Color25=0,0,255..Color24=0,32,224..Color23=0,64,192..Color22=0,96,160..Color21=0,128,128..Color20=0,160,96..Color19=0,192,64..Color18=0,224,32..Color17=0,255,0..Color16=32,255,0..Color15=64,255,0..Color14=96,255,0..Color13=128,255,0..Color12=160,255,0..Color11=192,255,0..Color10=224,255,0..Color9=255,255,0..Color8=255,224,0..Color7=255,192,0..Color6=255,160,0..Color5=255,128,0..Color4=255,96,0..Color3=255,64,0..Color2=255,32,0..Color1=255,0,0....[LINE_COLOR_RGB]..Color32=128,0,128..Color31=112,0,144..Color30=96,0,160..Color29=80,0,180..Color28=64,0,192..Color27=32,0,208..Color26=16,0,224..Color25=0,0,255..Color24=0,32,224..Color23=0,64,192..Color22=0,96,160..Color21=0,128,128..Color20=0,160,96..Color19=0,192,64..Color18=0,224,32..Color17=0,255,0..Color16=32,255,0..Color15=64,255,0..Color14=96,255,0..Color13=128,255,0..Color12=160,255,0..Col
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):489
        Entropy (8bit):5.43043682268174
        Encrypted:false
        SSDEEP:12:jInIA5auFAiyrmsFyQJjw8dv6L9Qxqw3smluXUgHmwzB9M:ktCrmkyp9QxxtcUgtA
        MD5:6575BA83D5CC8AC8C46A1617797B0223
        SHA1:4FB2B85EC13A7A8BBF5B0F8601888F8E591A0BA8
        SHA-256:AED611E96AEB2469BEF43FB480FC840C5C0035FD7D2019A7B8A6AC4F8FC2E699
        SHA-512:F81A241AAC1020C7D7476203BFA35748B0FB0738EE8E0463460A9E3FFD440585ACC00CC633E1C4C5F65DFBDFE9810874AE806A9F4E5335CF361316AC12197741
        Malicious:false
        Preview:// a stiff example: ..// Watch the speed difference..// Kaps-Rentrop and Bader-Deuflhard will be ..// 100 times faster than Cask-Karp and Adaptive R-K..[MODEL NAME]: A STIFF EXAMPLE..[INDVAR]: T..[DEPVAR]: Y1,Y2,Y3..[PARAMS]: P1,P2,P3....[EQUATIONS]:..Y1'=-P1*Y1+P2*Y1*Y3..Y2'=-P3*Y2*Y3..Y3'=-P1*Y1-P2*Y1*Y3-P3*Y2*Y3..END OF EQUATIONS....[PARAMS VALUES]:..P1=0.013..P2=1000..P3=2500....[INIT CONDITION]:..T=0.0..Y1=1.0..Y2=1.0..Y3=0....[STEP SIZE]: 0.05....[STOP VALUE]: 50....ENDMODEL....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):2272
        Entropy (8bit):3.2347387277152473
        Encrypted:false
        SSDEEP:24:GrYOkUnUamo1/RhBShV/gAE3S1444VZNdwDeTvVlNTbGB+XkXFELkt4YxP8Gc2Rw:GrnkXahhBSah9ba+OZtztc2z5Q
        MD5:6216428E942130B5D0009BD55CAEA18F
        SHA1:F51A84C725555697B77FBE55AE3962C5E07056BC
        SHA-256:8CDEE1BD54A28C2A8D8B39AFBE113F6DC5276566071E06A18887AAFC92D1EB21
        SHA-512:5D04A7829C9BAC0B1152246BEE2E30760EAF3D5BC22ECA97643203AD9E50EACE5E88FBF65B5AB3583E8505D03B0760334D2E6396962FFBAE391CED9E24238A8C
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................admit.........B.................... @................@............... @................@..............."@..............."@..............."@................@................@..............."@..............."@...............$@..............."@................@..............."@................@................@................@................@...............$@.........gre.........B....................w@................@................@................@..............@.@................@................@...............y@................@................@................@...............{@................@................@................@...............~@..............`.@...............v@................@................@.........topnotch.........B......................................?................?......................................................................................................................?................?........
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1519
        Entropy (8bit):2.712550980822882
        Encrypted:false
        SSDEEP:24:Gr2HO9VcYbcsTqna/GXwtErXgj60XaUa4:Gr2HO9VcsYX1wxl
        MD5:95E0181097B19872F8C0722509576584
        SHA1:0DDFFE11BD1D4F63A873F201F268CCA2E58BCB95
        SHA-256:EDE940201A4892E34530D0A4C929A9C5743A2736D8C6AE77FAEDC8788E75B0E1
        SHA-512:1A12F437B269D85D6A385BA56FADCE085E7E49FCECB69506F694D09B70D4A9CD8B0C66236F0AB640C31E7E925F7A0F6FECDFD30B9FFC9317EE75B6822985C556
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................y.........B....................@@...............D@...............B@...............;@...............>@...............E@...............A@...............H@...............>@...............C@...............I@...............I@...............>@...............B@...............D@...............E@...............G@...............8@...............A@...............B@.........x1.........B....................@@...............G@...............H@...............A@...............G@...............J@...............O@...............7@...............@@...............E@...............?@...............N@...............O@...............D@...............I@...............P@...............L@...............N@...............H@...............<@.........x2.........B....................Y@...............W@...............`@...............b@...............a@..............@Y@...............W@..............@Y@...............X@..............@Z@...............[@..............@U@..
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1236
        Entropy (8bit):2.663183699706052
        Encrypted:false
        SSDEEP:12:xgrDURclFxscKmsw2/yJLgJsaFS14AaXxn+nmC6nUDWCg18bj4tpHoe7jAB1va3T:GrhhCJpS14A/lhDWtie7Jau
        MD5:777457D270DAC3408950928CC715D311
        SHA1:BBFD0C4E304C4D20E3A0F29C011C6D0977DBCE46
        SHA-256:1ECE5F4F44E97A7739454FDF9B38E96864F8430A1AC708FFBF462CF9B13409B6
        SHA-512:7B88EB324539F5EC8CDCC0FB7699F122596F14A91132F505407B54C72E34E9E2B4CC606EF6C784B521AE843D559FBFB718D985F2D7A8B3373D9E0837862A53F0
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................x1.........B.....................?................@................@................@................@................?................@................@................@................@.........x2.........B.....................?................@..............."@...............0@...............9@................?................@..............."@...............0@...............9@.........x3.........B.....................?................?................?................?................?..............................................................................................x4.........B.....................?................@................@................@................@..............................................................................................y.........B....................?@...............Y@..............@j@...............f@...............X@................@...............*@...............=@...............>@.
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):2595
        Entropy (8bit):4.681979982985075
        Encrypted:false
        SSDEEP:48:vjiYYNEQQCqk1F+jFklRJsG6QSa8SYkrQEY7GHt0wxd9YcOM3Eh5Kov6q:vI6QQ8dr+DZkEEY7GNpxfyM0hVv
        MD5:32EC41F5FA76A005F91412769FA1EF88
        SHA1:C537B08F6EA10596B25259FC6E23DD1BAEE5B6DB
        SHA-256:B337D534D1AAC4B932E5203174C5876A09298585928371B9FF96D575AC0B7F46
        SHA-512:F0C088AFC844CB7C42F84E9EDA4324CF4A1F486ED8ED30C71C9EBA90DBDF6C341BF75DD1CC71A12364E54A1B6CC37105098A6BFC0B2BB631D3F97CF4A1DA22DC
        Malicious:false
        Preview:.".PSI-Plot8.0Windows.........................y.........B...........p=...?.........=..p=.?...........p=..?.........{..G.z.?...........(\...?.............Q..?..........(\....?..........p=...?..........p=...?.........{..G.z.?.............Q..?..........Q....?...........p=...............Q..?.........333333.?.............Q..?.........{..G.z.?...........p=..?................?.............Q............x1.........B..........q=..p.?..............................Q..?................?............Q...?..........p=...?..........p=...?.............Q..?.........R....Q.?............(\..?.........333333.?.........{..G.z.?.........R....Q.?..........(\....?.............Q..?...........................(\....?..........p=...?.........333333.?.........q=..p.?.........x2.........B..........{..G.z.?..........p=...?...........p=..?...........(\...?.........)\...(.?..........p=...?.............Q..@...........G.z..?............Q...?.........333333.?................?.........333333.?.........33333
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):3058
        Entropy (8bit):4.9840498775374105
        Encrypted:false
        SSDEEP:48:yjLdJaNoRsusyqZwIZtIhOeqgo6LzHLAb3yrXsMKhrIyGdOLmSp3t/IUshy:yfdJaKe37mIX4xL1XsPrOOLmSpdfuy
        MD5:0E9EE18E5AC856FDB14CB5FD8B9F957B
        SHA1:F5D27B838D7187ECAA0D472E3D630962EFF1239A
        SHA-256:B33C9CD907CD8279DEDC33E68D58E6AB93B08138521A55863CF02A317452ECE3
        SHA-512:285F12651A7FDBC10698E2899B8B626CCE5A16330C16F99ABD6C70BBBB6713EF5D43EDF49BB30825D3A9C3BFEA5FF47420C64CEB5A9F23AF689B63860BD48B91
        Malicious:false
        Preview:.".PSI-Plot5.0Windows............"............date.........B................?................@................@................@................@................@................@............... @..............."@...............$@...............&@...............(@...............*@...............,@................@...............0@...............1@...............2@...............3@...............4@...............5@...............6@...............7@...............8@...............9@...............:@...............;@...............<@...............=@...............>@...............?@..... .........@@.....!.........@@.....".........A@.........Yin.........B............@..S@.........'..=.S@..........h...IR@.........7..FQR@..........].a.R@.........D...U.R@.........w...F.S@.........b...ROT@.............".Q@.........^A_..DT@.........9_...0U@..........p....T@..........d....T@.............Q.U@.............}.T@...........B...T@..........~8.V.T@............N..V@..........twV..V@..........z=.%EW@
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):881
        Entropy (8bit):4.4606633039065375
        Encrypted:false
        SSDEEP:12:Bj1LsFnmOCYHGlZtjcr2DKe3j4G+nimgkDslV8VnCUsAhwrEmPUuyrBwQN11+:Bj1NVlDP3h+F4j4COQUuyrG41+
        MD5:3A8964429A99273D5FFD274D983AED8E
        SHA1:8E7C9C7C30B07B3EABDB5443B059B38DCD82E204
        SHA-256:C31F6DD7FA595A638E598B3B0B09E9541735FD7B140100CB60A862154692EEEB
        SHA-512:4A4C11FB7067D47031A1A14B0BBE280B0913F72C12A260BEE9EA0A5A2CE73C9DD185BE04638EBECEC3749DCE87DC30397D50CBA51AB495D789A9C7E3BAAE80A1
        Malicious:false
        Preview:.".PSI-Plot6.0Windows.........................x.........B................&@.........333333&@................@............... @...............(@.........ffffff-@.........ffffff.@.........33333.5@.........3333334@...............3@...............9@.........ffffff$@...............*@...............7@...............(@.........ya.........B...........G.z...@..........p=...@..........Q.....@..........p=...@................@................@..........Q.....@..........G.z...@.........H.z..G.@.............Q..@............... @...........Q....@..........z..G..@.........\...(\.@..........(\....@.........yb.........B..........q=..p.@.........\...(\.@.........\...(\.@................@.........ffffff.@.........q=..p.@..........G.z...@..........p=...@.........R....Q.@...........(\...@............... @..........G.z...@.............Q..@.............Q..@................@...P.P.P.P....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1095
        Entropy (8bit):5.07315378402798
        Encrypted:false
        SSDEEP:24:GrqGvTtrMP1tyQX4w37G8D3m2PEMVRKhpxMi3wcxKe8C:GrVtrMP3H4/8jtvKhfULC
        MD5:3F9598D2C580098C8D1F706BD253772D
        SHA1:044E9C02F7BA36000233A54FCB237E69018FC6B5
        SHA-256:74DED6F18EEF6E3D4C3D904BB5E66A3B8E13FA0045B2499293B0048B2222CBC9
        SHA-512:D147D133059251B434796A352CFD52352D2EE39F0DC067AD55977E3BDD49F9B5029276C53042116B84DBD66770114AD4700A020E41C63BF66788E642D46531D5
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................dose.........B................G.z..?..........v.../.?.........H.z..G.@............Mb..@.........Zd;.O..@..........$...c#@...........Q...)@...........v..z5@.............M.@@..........C.l.A@..........rh..\D@.........w.../}G@.........X9..vnL@.........V.-..oM@.........j.t...M@.........P..n.3O@.........F....@P@.........`..".Q@..........S.pR@.........u...V.U@..........~j.t.V@.........fffff.V@..........E..X@...........C.lgY@...........S.C^@.............S.`@..........-....b@..........+...e@.........Nb.X92v@.........yield.........B....................N@...............N@..............@M@.........fffff.H@...........Q..EB@...............6@................@.........333333.@...........(\...?.........q=..p.?.........ffffff.?................?.........ffffff.?.............Q..?............Q...?..........p=...?................?.........333333.?................?............Q...?.........333333.?................?................?..........(\....?.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):6234
        Entropy (8bit):2.5589654924845373
        Encrypted:false
        SSDEEP:48:GrhrEQxqrFisMl9hZYDS+sctHmc/U6Ycs0Tle5/PO8EfBJumvtL3RtK:CrEcq5isuZYDS+sMHmcpYSAdOFL9FDRs
        MD5:A46DB5C5B17F3A42BA7446F2D68ACA5A
        SHA1:6FB5BDE50A2AE258864214F29FDAE347E25745C8
        SHA-256:B0CFF778D82625E1B10933EEB4578AAC416151EBA9E8BFAD8EEFC01513548BAC
        SHA-512:704F275FAE1BED5FD33CBAE51E93BE3E7814BF2B87E385FBE1665BB13EEBDB726C2A4DEDE68CC7E30DDB1D0118A5BE2CB32ECC582DDF66E4720169B3DFE92CD3
        Malicious:false
        Preview:.".PSI-Plot8.1Windows............G............xmin.........B.....................@................@................@................@............... @..............."@...............$@...............&@................@............... @................@..............."@................@...............&@...............&@...............$@..............."@............... @...............&@...............$@..............."@............... @................@................@................@................@................@................@................@................@...............>@..... .........=@.....!.........<@.....".........;@.....#.........:@.....$.........9@.....%.........<@.....&.........;@.....'.........:@.....(.........9@.....).........8@.....*.........7@.....+.........:@.....,.........9@.....-.........8@...............7@...../.........6@.....0.........5@.....1.........4@.....2.........<@.....3.........4@.....4.........5@.....5.........6@.....6.........7@.....7.........8@
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):907
        Entropy (8bit):2.53167969491864
        Encrypted:false
        SSDEEP:24:Gr1n4lvXaW80geH0/NkgzOBZS14rGZ4VZNM:Gr1kvXafOK
        MD5:26CFA7B7FF1198AD752653079C4C3985
        SHA1:513062E4B557FFBEF12A88C9E292E0526B18FA27
        SHA-256:1FAA9076AFCBB73030F317742E4BE2F0F0FE5C110E9C7413D2BDD33E674E4B50
        SHA-512:9B8D94411663A8D662B3BEAF7E980E61BDEFEAFBE8851FCB824F1371613F1B2E1BC8C1DD36A450474FF3772101613BEBA31F402BD55EE8DEBA8F2830AE08B874
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................time.........B....................a@...............c@..............@d@.............. g@...............i@..............`i@...............l@.............. m@...............m@...............n@...............p@...............q@..............`r@..............@t@...............n@.........dead.........B.....................?................?................?................?.................................@................@................@................@................?................@................?................@................?..........................censored.........B.........................................................................................?.........................................................................................................................................................................?...P.P.P.P.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):929
        Entropy (8bit):3.303853511639173
        Encrypted:false
        SSDEEP:24:Gr2iyEwrDdg7et5fbHlGT05a34dulXeEH:Gr2Zo7et5cH
        MD5:9470ECFB8D2D110726800FFCF4E15F62
        SHA1:F3500C2D338DE31443FACD5BF6D6143ECE671BA7
        SHA-256:B28FD9FA5AD1017893F25485DF7FFCE82BBF86CEFA0217E827F477B3E4F2B701
        SHA-512:092F592DE99031513F82EE4C407F72D055F128A50E876F81FB379FF71D089162849887F31ED04F9F144CFCEF1A40CEC7AA8E334B9A8040FF20FC03E5702B6A1C
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................Concentration.........B..............H.z..G.@.........H.z..G.@.........H.z..G.@..........G.z...@.........333333.@.........333333.@.........333333.@..........p=...@.........R....Q.@.........ffffff @..............."@.........Dead.........B.....................?................?................@................@................@................@................@............... @................@...............2@...............3@.........Total.........B....................4@...............4@...............4@...............4@...............4@...............4@...............4@...............4@...............4@...............4@...............4@.........control.........B.....................?................?................?................?................?................?................?................?................?................?................?...P.m.P.P.W.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):7245
        Entropy (8bit):5.065878276506439
        Encrypted:false
        SSDEEP:96:bHEHNPSe54Ur3Xf3DZkXNhEY7GN+tTxfLBeM0hVAdLuMsc9KV6Jh4gfcGF:M1SeiY3XbOXNhNtlDQMgICMQUCmRF
        MD5:975D3B3918DADD5D0E13EC38E3EDB8DA
        SHA1:DD7DA97E2AAA443EDE15FC9FCD2B62CF2D7607B2
        SHA-256:54D524353E1877808192DC7E3A3788E31F2FEBB2B7763A2A495C6C24FA21566D
        SHA-512:739C9F77A7D2AC1E5E736A06BE2AA03E1A3AA2C54849E4650691BAF8D6555AC681CC65013E1217FD489587ED4491692D6F076A127A6A9EBE42A40EA6EE408E38
        Malicious:false
        Preview:.".PSI-Plot7.5Windows............(............p.........B............. ...?...........dx.p.?..........bd.2..?..........E....?..........e!.R[.?..........FW.,..?...........i.$.?............ ...?.........a......?..........Ey..F.?..........\...z.?.........<.r.M..?..........b>H. .?..........M.+w..?..........4..2.?............uo=.?.........9.G....?..........bd.2..?..........K..Y..?...........>.!..?............uo=.?...........h..Q.?..........e!.R[.?.........<.r.M..?...............?...........h..Q.?...........h..Q.?...............?.........E..@..?..........#...M.?............i.(.?..... .....)'...?.....!...E..@..?.....".........?.....#....#...M.?.....$.....h..Q.?.....%....e!.R[.?.....&....Ey..F.?.....'...E..@..?.....(...a......?.........x1.........B..........q=..p.?..............................Q..?................?............Q...?..........p=...?..........p=...?.............Q..?.........R....Q.?............(\..?.........333333.?.........{..G.z.?.........R....Q.?..........(\....?..
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):488
        Entropy (8bit):3.0390234500482114
        Encrypted:false
        SSDEEP:6:97gPjcidkoscGnlsBqlgrHl/QGmblMlthfP6Jq/Ug59qo/XlnlsPurA:xgr1d4cQsBqaxYzGXfPt/UMlmPurA
        MD5:A0DDDB3A7E0E37F8C4BCE5C29AC56494
        SHA1:74154AE3BC26F2F0F4FC4062CE2040E807CBC96E
        SHA-256:ED9EFD47645C993CDC1FFC474C1BD2A8DB0E985E772EA56589B55C229355EC25
        SHA-512:6280EFE7003B2A4876E3B09976899E29F916560823ADFCEB8148C1DCA57EF032BB79E62E4E004ECA5DE44B3EC0698203525F2F98EC1F27DAD906A4F10C1891E6
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................Phase.........B....................r................q................p................n...............@j................f................b................^................V................N................F..........Magnitude.........B....................6................2................,................'................"..................................................@...............(@...............4@...............;@...P.P.P.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):3036
        Entropy (8bit):4.168964098417579
        Encrypted:false
        SSDEEP:48:Gr8OeucOP4sRb6yPzKAN85DxUSYcGWhUQJ5m7oC+1peZQHOkx83lNN58k8dq17kQ:Weup4soyPWLxNtGwFJ5m7oCM1Okx8VNv
        MD5:674A0DDBD4B8D1FC72FAE26B57C303C3
        SHA1:F1423EC237D41D925F5AC89AADD1857F824B941C
        SHA-256:404CD8C59487147A5BBD88AD2C65CB8D6DF8BCCDEC618C26A922595AEF681384
        SHA-512:B3C66E6536139E38C88EBAB506A88075F33343CFAC06A33E10FEF18634489B5D7B91989448BEBA452A099A07C4760CA4328F8B143671C87CC77E3C572A54E23F
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................sale.........B..................F.@............(.s.@.............9#.@................@.............Y~.@.............+..@............ .i.@..............x.@............8m.@............He..@............P..@............0...@............(c..@............Hq.@..............s.@............p..@..............u.@............\.c.@.............k..@............T.s.@............h)i.@............ ..@.............R.@............8...@............x..@...............@.............0m.@..............`.@............D _.@................@............T..@..... ......Lw..@.....!......`.6.@....."........r.@.....#.......v.@.....$.......,.@.....%......@...@.....&.........@.....'.......,..@.....(......p..@.....).........@.....*......`..@.....+......$xa.@.....,......|...@.....-........@............`#S.@...../......P.?.@.....0........d.@.....1......p#..@.....2.......w..@.....3........t.@.....4.......EA.@.....5......8..@.....6........).@.....7.........@
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):250
        Entropy (8bit):3.5539727142772946
        Encrypted:false
        SSDEEP:3:9z7gPj/+Wlnlvp+//lM4lvlnk//9lkltl4mxsl2llvhtllnrag10ZlltR9otllUJ:97gPj3nY1LkXsrQmhlG/7GCnkC7ia
        MD5:F36E5B65552F21A990AB7E8F5390FABD
        SHA1:0754B07ED917B0AE6C898C3BAEB2E93C6AC43588
        SHA-256:FEDA2B712677603566BF0924802712D36BA7BBB2506BD29B8BDE5E8927C6E1CD
        SHA-512:46DF1D1AED225EA9D3D47ECD1F740D0F7BBD353519951175A43D178FCCEDC2EA6234501B45BB8F13D3FEF181120197BC4BBAA3C994F1966B4EB7BB7B4632D099
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................sample.........B...................5'A..............."A..............~.A...............)A...............'A.............n.*A.............<u.A.............Z;%A..............B A.............L..A...P.`.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):23040
        Entropy (8bit):3.4143944531959107
        Encrypted:false
        SSDEEP:96:woxfVqoInLzSyu6rIJoTGS0dznvT291Y7v47M/VLDoj9Lt0lR1j/V4lb8oEN9V2t:wo9VqoWzS5jS0RWqvxOSC+SRAQ/s0
        MD5:1E787BD38EC4BEEA3ACD1997A517D333
        SHA1:B527EA55BDCC2558AFD1D019DEDF9F1B6698E39A
        SHA-256:01BA02FAB3D63F663E710BE06CE5697D1AFAEAB937A840D849EE095A3A624C90
        SHA-512:8CC0C0B48764A563AC9FB905D7513CDA626E7670DD5684B2DECF5B2E32E99F3D53F12842C3B2E55F7965E379A12C1BFD17C7D5ABEE28DF2C2EAC7D0C57DD97A3
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<................z...............C.o.n.t.e.n.t.s..........................................................................................................&..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):23040
        Entropy (8bit):3.318831845019081
        Encrypted:false
        SSDEEP:96:wooCVqohI+ku7jIOKXTG3atnJBYs27n2njpisH8uhcixY5n0CBWxb1V99nX7PJT7:woVVqooOvoNTq2tWOvoNTq2t
        MD5:13D8FEF9C8934053E9F5A79D2404EA7B
        SHA1:A7BED3B584ADF25BFE97E47E4B7459C3C9533E2C
        SHA-256:2D2DC27E0D1318B80B05957B5A9323BF80FE02E7671841E68ECFFE030377D40E
        SHA-512:F2C51C6F1EA36A6DE6C178AD9196DD97C95983C78998C6F0981DE277948BFAEF1252B22CAF96C432498C15784E104E7D9D5D15C98580D3D0FA236948168D232F
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<.............X.Z...............C.o.n.t.e.n.t.s..........................................................................................................'..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):12800
        Entropy (8bit):3.327989806266965
        Encrypted:false
        SSDEEP:96:hoDnaISyu6rIJoTGS0dznvT291Y7v47M/VLDoj9LtxiR1j/V4lb8oEN9V2AeGy:hoWIS5jS0RWiv
        MD5:71B64936169C48111AE8D8331E60E580
        SHA1:75C27B9701396F2B166A5681F457F8F122C9D669
        SHA-256:E9BFDBB18F4D00F1DA208D5921B07C44F9960C6CAFE76E4DA506F63602A44614
        SHA-512:1ED7E197561C583C0803D0F23B6A2B8266B31902123FBB4455B300F3EDC8F8BBCB5B9F0B642DA1C4550253ED48ED4D543246B2B4CB0D5F0D3BE271591BD910D6
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):23040
        Entropy (8bit):3.4155782332171207
        Encrypted:false
        SSDEEP:96:woSfVqoQnGOSyuNrIJBTGSdznGTZ9157vC7q/VxD8djzLt/e21j+VDlW8oEi9V3R:woOVqofOSC+SRAQTsMOSC+SRAQHs
        MD5:F40478A2101423C40F3A8F55715186CE
        SHA1:FA549C66D82C13586E941A33EE4EC289D0057EEF
        SHA-256:F6C9151CCE025F240A9229BEE0006EBBA8189BD68DF120A6E3EFF6CB948AD43E
        SHA-512:92E9872DF3CAE7424FB50212AA53FF45214828923669537403D98EC5B0CF6E920DA7414DFCEF4E9D2C6C970C678A53CBDAC37C01FFD0927B21D0D221362F59F2
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<.............&..z...............C.o.n.t.e.n.t.s..........................................................................................................&..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):12800
        Entropy (8bit):3.3276695688588376
        Encrypted:false
        SSDEEP:96:hoRnazSyu6rIJoTGS0dznvT291Y7v47M/VLDoj9LtxlR1j/V4lb8oEN9V2Aepy:hoUzS5jS0RWfv
        MD5:F171709DB4965365959ADDD138E2B80B
        SHA1:2FD7AA3D2028A77238D41308F5387AB0605E4C9D
        SHA-256:E6118215581BD72B46487BCCA6E76B4454951FD1830926AFE27F71AC3DED1FC0
        SHA-512:2657435EA6F0C501B5FDDFB6827D6DD6C2582D82D23816674E8AA0796D3016DEC1AD663F0730B6362515BAEBBB438D468566F83EFD64FDA80494B15083D4B060
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):23040
        Entropy (8bit):3.3796349223806725
        Encrypted:false
        SSDEEP:96:wo0fVqo+nGOSyuNrIJBTGSdznGTZ9157vC7q/VxD8djzLtfe21j+VDlW8oEi9V30:woMVqo1OSC+SRAQzsPOSC+SRAQHs
        MD5:5B185D985CD4B87C467E076DF0AC954B
        SHA1:0F2269E44C05BD4EE0CFC97BDDBE887DB834BB70
        SHA-256:833043B44C5EE15214A957A9AE4BE1AFDE06D6118DDC1278BCAA224FAF590061
        SHA-512:988BBF59648A8FE8058448B9859F2DAEC264D9A064FB549E2EF0A9FBBDD8EEE2DBAD8558F35F527DD28AFB0DB54B08018ED0765487FB248F705091AEFD073758
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<..............n.{...............C.o.n.t.e.n.t.s..........................................................................................................&..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):23040
        Entropy (8bit):3.4014697217277736
        Encrypted:false
        SSDEEP:96:wojfVqoUdnGOSyuNrIJBTGSdznGTZ9157vC7q/VxD8djzLFe21j+VDlW8oEi9V3k:worVqoUUOSC+SRAQHsyOSC+SRAQzs
        MD5:EF6E705DBD7FB5D709E2BB5D298C5221
        SHA1:8E364EBE2EBAB83D8B64989027F8DD385C86088C
        SHA-256:07E635597578772BFD53CE8BD5F699CB2ACC0CE890B3E79EA96D7C67234B5F4A
        SHA-512:172B56829FCA85417BC781C53CE3280370C7FBAF6FC1B82D83C62255FDAE91BC4BB48FEA1230DDAD8BB0F574C5D2BE65DA6962482B8BDD6B2BC25A6AD30F624C
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<............p.!{...............C.o.n.t.e.n.t.s..........................................................................................................&..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):12800
        Entropy (8bit):3.349504280535575
        Encrypted:false
        SSDEEP:96:Qo1fVqotnGOSyuNrIJBTGSdznGTZ9157vC7q/VxD8djzLt/e21j+VDlW8oEi9V3y:QoxVqokOSC+SRAQTs
        MD5:B95DD163FCF451401BF92336EFC5FEA4
        SHA1:9468FA207E7A89C20C92D81BB0345F36D88835F7
        SHA-256:585EA614A0E69675AA0A2E858BE93A42CEB32E78BC7664BCC581F57540B20655
        SHA-512:AC85470DCF722EC14509495BC9FADAE65E8ECEAE84024FA942DB5E07A669E72B70B5B3712C6CF308E1425D0BA298335AFD184B5060C359821AB2B60866B18AD2
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<............P.e.z...............C.o.n.t.e.n.t.s..........................................................................................................&..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):57344
        Entropy (8bit):5.615099187810549
        Encrypted:false
        SSDEEP:1536:h/YCXQ028nXQ0rtuXQ058XQ0LRXQ090XQ04vyjXQ02MSXQ0rlrXH:JVXCAXsXyXxXyX+6XC1XpXH
        MD5:595EBE449FDCE23E2129177FE409B6AD
        SHA1:859ACF2CF6DC66E6F7BCC863D7781326C09F140F
        SHA-256:934DE347121C3F15AF57DA60D9D6221E6FC9BA1DFDCF25AA8C21A0D16881D12E
        SHA-512:581C28FE13AD378A33CD9242FDCB314B4C3143225775251E12CC1DDCE7BB4C92C49F5376C91D9AB97A3C9762AB4AB0102056300E3B6985F8FEB35DE0C49F788E
        Malicious:false
        Preview:......................>...................................(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................@.P;.f..... Q\..................f...)...@.......O.c.D.o.c.u.m.e.n.t.............................................................................................................P.O.L.Y.S.O.F.T.W.A.R.E. .G.R.A.P.H. .D.O.C.U.M.E.N.T...........8...................................................O....F......C.o.n.t.e.n.t.s.........................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):48128
        Entropy (8bit):4.415112788481547
        Encrypted:false
        SSDEEP:384:lbpKWyltw1svBZiPAQkhl/pr6xwGizLGe3gsDg:43vPawfQT
        MD5:FB3FBF77DFEA8F77114267019AD2218F
        SHA1:959FC608F3CD92E677D9AE60D140CF121B7A0AFF
        SHA-256:55663936A013DD514C439A3F28433A52DBEB9D69D323C30735073CC237DE33A8
        SHA-512:563EBC8F5D2F2AF02507FCA3A5B7B3FF7AB330B2004E0FCDD9B65AE702880E111635176BF5E22DAB0BEC97825EFD17F908E237CD87FE84368D830B4B46533435
        Malicious:false
        Preview:......................>...................................[...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):25600
        Entropy (8bit):4.111567740668044
        Encrypted:false
        SSDEEP:192:DGBoGyYRj78fj4GT409HZoRddY1ZUKExsIpmtDyuiqTNJ/dlzUMfRa4/aOBpHO:SAWe48Qd9hxsdyCNBrzUqRaodB
        MD5:C17DEC551E5C97493F83C838B0E65A1A
        SHA1:25D9B176AA7184FC5D53BE39E7D65E96087BF91A
        SHA-256:07644485BD223AB603D8D81B9DCCD8AD9A443CCCE971F40566C72C03145C1E25
        SHA-512:C0ABDD203F930B075C780560EB8793D636F756A42A9C62E366B07A6CB31338C95A417EFDDBFE09294B0E88598E5853AD1F7E21E3E79A1195F2E054952C8ECA01
        Malicious:false
        Preview:......................>.................................../...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):108032
        Entropy (8bit):4.022532853487887
        Encrypted:false
        SSDEEP:384:PmmWFQ5Av8WSazFQ5Av8WSa4vHLzDKTEGl1djzir6+vrT1zIc43RQV7NIfrGRtyg:CaW7zaW74vH+BKrJzL43RMOfS6vH+B
        MD5:24C8FC993A3FB1AA85DBDCC25DB90149
        SHA1:84B539F3267CB458EBB73834FF202381B8371F41
        SHA-256:5369A507313EB85D088576E673FD4EB861032D590A84F80F42804EFFC565CF18
        SHA-512:4E7E8DDF9D423E24ADB9E12AE531E07B4CAD204195F2563DBAFF411073AED480896EEE5EB847F5956EC65EC9D6957BD7BDED4F43CD3CE2911E1DC7AC9F2E6C43
        Malicious:false
        Preview:......................>...................................-.................../...............................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<.............EFH.z......@.......O.c.D.o.c.u.m.e.n.t.............................................................................................................P.O.L.Y.S.O.F.T.W.A.R.E. .G.R.A.P.H. .D.O.C.U.M.E.N.T...........8...................................................{...-P......C.o.n.t.e.n.t.s.........................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):19968
        Entropy (8bit):3.727574613614576
        Encrypted:false
        SSDEEP:192:3bfRGjN69ZEYLnZP6zzxOkSgALwF1peFf:Vr9T9UoLwl
        MD5:06A1619A17FDD571311F3546E6704D7F
        SHA1:BFAB5F2C146B95C39C765D8B369280A0D7837628
        SHA-256:DD4B4F9358557785DC34518F563E378D1B079EB451A3C7C151D811F7D1A279B2
        SHA-512:3A2D385B5DA9E0188E9CB49D1DC83750D8AACACE55F9D333A5EF5A1E89B1C0E076FD21AFCA7AF0102F5EB0B48D8B60FE1CFFA638EEB51A8734F92837EB16BCAF
        Malicious:false
        Preview:......................>...................................$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):31744
        Entropy (8bit):5.338244659046129
        Encrypted:false
        SSDEEP:384:mFQFmPyJR+A0JR8TmdabLJRRi4ZjFoJRfCGCJRln9JRwiqRyJR+9pd+GI8gc5V:+QFP+98TmdAgesfCdlJwimsQ
        MD5:2E7CCC47B655DB1AD2DFF1EBE999DC47
        SHA1:33D17865AC01051F43F10A497F19F92D35DB32DC
        SHA-256:ED48BD6B1ADED26138BAEC72B8086FD2BA7F5F577D3A7CDC627E431170188D2D
        SHA-512:653CCB3E3FF8CFD1942D38A9A81AB29AD9A02FCF6EFE5C7A4E07A5D79816A82BFDD6FFADDE8D0183055FAD2F903A757C5ED2F8BCC6759E8F0234FCE49F9A56B3
        Malicious:false
        Preview:......................>...................................;...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):59392
        Entropy (8bit):5.778179812675517
        Encrypted:false
        SSDEEP:768:IUqTAWoaGcGGvcRRmpfrGqNofuLZW7J5VbZ+AtV:IUq08GcGGvhpKqNFLqxZd
        MD5:BE89B2F1D80EE13B528577A0C836E925
        SHA1:67EAAE2F2DE23F4A1466F86A4E0361F7283EB28B
        SHA-256:E4F350B8BD0AE8E94152586340964048DB227C4996FD8DADCFE58DF73D0922AB
        SHA-512:D7B6A07238178A6446E4F840D7CBCA4A4E86157E9FD514787282322F93116A6EC12C86DC0ACE5C809DA699A682EFE9703134B964B5277B45331C54217E7BBD02
        Malicious:false
        Preview:......................>...................................q...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):140800
        Entropy (8bit):6.504353813029754
        Encrypted:false
        SSDEEP:1536:T/fy9D6Ks4PvQkpn0oT/yy9DXKs4HvQzL9y9DFtIGQvpv/Q:Tc6evQG0eNX+vQzaFGGQ5/
        MD5:9D73B73E0EAFD19522F9DB76FCB2821C
        SHA1:7C5766425D62C58DC58DB11202FD80A7209DC9D1
        SHA-256:B84BD9A90A5E0C279B67146742709C697BCDA13C88A69C0322A327651BECEDEF
        SHA-512:88E0EA93EA71F70DF8318B54EE63997CCA7C26FFA95C2AFBA937433B4E4DF9B2F761C71C20F0E3ECD0019E860CEA35EA76BB50D57916CBA5E9EB9BA254EE007C
        Malicious:false
        Preview:......................>...................................a...................c...............................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................@.P;.f..... Q\.................ff...b...@.......O.c.D.o.c.u.m.e.n.t.............................................................................................................P.O.L.Y.S.O.F.T.W.A.R.E. .G.R.A.P.H. .D.O.C.U.M.E.N.T...........8..............................................................C.o.n.t.e.n.t.s.........................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):31232
        Entropy (8bit):3.8543076433197636
        Encrypted:false
        SSDEEP:192:T2SCGBaFl3+XdDi0iw8cmJXzFHVXoifP3gdPrAD7l1S+PXEJUCav:DJtDkDJRH0rQlxUFav
        MD5:F5BB340978ACBE17E83930F3E47D27AE
        SHA1:86E9E9365E3B3F653C252B5ED2672299EBB03151
        SHA-256:CA5826DA40FEF36A18B119F73A96107BD690670F8AD2525AA05E1AD66A0FAC3D
        SHA-512:D6C1C15BF31C47DF0E2AC6930A3AE31B02754810AE89FD4DEE56D7F5AE6FFFA28AC4AFA18C84FC937AAC97AC239C4AE5DCD2FFB3CC0E4B7665E4B2CBDD4B1A6D
        Malicious:false
        Preview:......................>...................................:...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):11264
        Entropy (8bit):3.308848274652167
        Encrypted:false
        SSDEEP:48:rGxdQMzujRlhNCJY5OZwJ9Dc1vP0SHdBB7wdC76XbBo0SC4DTy05ce27zo7pcwZv:kQMahFvxSif+DpVRIyjD9hdv2llu
        MD5:8879F01480B3571115D04102DEBB06C0
        SHA1:46BEDF4BBC2868FD13524CBA72E1CE65B8FD4541
        SHA-256:C5729D06E1EB7511518977D294C24D9BEF33FD4160A6113DACDF86F1595392ED
        SHA-512:E858CFC361D785F3D2000F0E1026F29A8E20311357CF0D15C6279D8235441770AB31964E37E467D362C67B9F4692C6D25C97CC66AB3B03964FED961C7926BBF5
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):34816
        Entropy (8bit):4.341510840954421
        Encrypted:false
        SSDEEP:192:3SREj4qdrRhA25LHyNE3NA/5YNI6NkPT18t5S9eHcTB5HEeYN:Cg4orRhR5L+PTet5dQBR
        MD5:D9281B649E4CB5E77875B66725DE2719
        SHA1:B9D508405A63BD5CF88B42E45449DE5CCD72194C
        SHA-256:1AB418003F9E5650B2A7A7032F1B61ABCDEBA40219B4EA6667958805ADB29B5E
        SHA-512:A5322356B04514BBB5314EFB8A05E4A4397992E85171D1A4E0085175181698B56735D85C732E1C2182FB2AC0A0628D74DD0A3EE86C25841F04AB58BD7175D6EA
        Malicious:false
        Preview:......................>...................................A...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):23040
        Entropy (8bit):3.3796349223806725
        Encrypted:false
        SSDEEP:96:wo0fVqo+nGOSyuNrIJBTGSdznGTZ9157vC7q/VxD8djzLtfe21j+VDlW8oEi9V30:woMVqo1OSC+SRAQzsPOSC+SRAQHs
        MD5:5B185D985CD4B87C467E076DF0AC954B
        SHA1:0F2269E44C05BD4EE0CFC97BDDBE887DB834BB70
        SHA-256:833043B44C5EE15214A957A9AE4BE1AFDE06D6118DDC1278BCAA224FAF590061
        SHA-512:988BBF59648A8FE8058448B9859F2DAEC264D9A064FB549E2EF0A9FBBDD8EEE2DBAD8558F35F527DD28AFB0DB54B08018ED0765487FB248F705091AEFD073758
        Malicious:false
        Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...........................................................................i<..............n.{...............C.o.n.t.e.n.t.s..........................................................................................................&..............................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):27136
        Entropy (8bit):4.187628327788609
        Encrypted:false
        SSDEEP:192:hoVA8xqtFYsMmdlO55ANIf+hagEp1F559zA7SPegGMWBjUmWownzfuA0zGm2CX5f:hn/dUpZzAGOXI3WR8VHXIf
        MD5:C19278FDC5E4EF4BCB34458D34FED755
        SHA1:38F33C2345827C9E77265B88D916762962691769
        SHA-256:DC8B092ED15E5D9C2EC0DBE1FEE9ACDFB2FB826AB3283AC2B182399C3511F0E8
        SHA-512:ADE17856DE5F0BC864048934D5D70409116065810391E7D6368B88F31DCA7084A42A171FDD4C55CA15362B76E3B8018829C4F18EA2706FA538809C2C89DCE7A3
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):222720
        Entropy (8bit):6.948859433625652
        Encrypted:false
        SSDEEP:3072:BnmQ9fS1MWtWCWg6zar0bARds8XTM9rXH06UiiwUVgaH+/xD9x6l:NFyMz60bAXs9UNfgaH+/xD9s
        MD5:327A7B770F015FFBD52904333A0F44E2
        SHA1:A72F33D7475F119AE13767143842DD5F2CB806EA
        SHA-256:3EA286EE0465F0A2E2D43038D609C89AD1689A670696FD4A6202015E4013C4F5
        SHA-512:B973F20451E29641B77A3CC5CBC475C3943D799629C199866F6F904EEC879963CA3E4D0FA1D29C6655BE192F5B62C444BC49D51AC2CF6983633BB04AA6EC879D
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):20480
        Entropy (8bit):3.776231995064967
        Encrypted:false
        SSDEEP:192:3NO3zbcb5Yoh46g71pbJw0jPumW6CNHQ2:43zbAYoVKnamPRMQ
        MD5:AD89B2DE61FFEF6473C5F109AD0F515B
        SHA1:33CAE5C56BF391F1D48527EFD6B6505D1A20D1B3
        SHA-256:E515B3E101F785ECDACC38A52CB8B789A1F8D8AA6E3464117B75CF4E4CBD39EB
        SHA-512:B5652819682FBF91CD4E4069B2F0B09E80E88C509DA5C70E6D753A1FEAF942312BDAAB7E3A78F6D1C6E54159FFCF96ED409E1FFA03F18F90D688BD4FE453E500
        Malicious:false
        Preview:......................>...................................%...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):5120
        Entropy (8bit):3.0755034716005305
        Encrypted:false
        SSDEEP:48:ra/xsU9HoafbCven9zg0Gl4+U4zwY0YTGl:OKaoGCi9zLIVgaG
        MD5:694AF3E3DBB7F92E201D61507E9A3029
        SHA1:56BEE9558EA323E00DC9F5A8263820C9D533F782
        SHA-256:2F97E9ECA6DA5129DCEAAEE4F85FB0FE999939C213539DFDF4BBA14C5F6D2FC5
        SHA-512:DCAB1FC15BD843337C23CBA61DD297B5590C27F05551AABA4F0DC1E01DF1CA7899B06CD5F54DFAFCC648E86BF75557C3BC91F8E35086A467CAEA4438248416F9
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):28672
        Entropy (8bit):4.059932622570656
        Encrypted:false
        SSDEEP:192:xzxhqbB5CtiPxbRYhhN5lBYzcWcfcBc2chc5dkBEcucNcikcJ/40T6Zuc/UbCTDO:4fPxKJk2pW4xSiXJpT6j8b73cp0JmOl
        MD5:C1E3D6D086771C7C30A5B98EE49DA910
        SHA1:73B59F0FB860EE47068519D64703BC58EBE946F6
        SHA-256:DF812DE528A075F00A9CB542C181EC2831B03CB93D4CABB999AB25930C1F1630
        SHA-512:0BEC22F2CCA713DB276B5DD0588DCFBD69552035BC0EA1EF30780E91C222B890044292D8F8A083987D4C0ED87D2F78C94D9DB9D0A54322D12F1C238C5F25F7D9
        Malicious:false
        Preview:......................>...................................5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):32256
        Entropy (8bit):5.679295736639588
        Encrypted:false
        SSDEEP:384:Cc+V6qhgI5ce9PGTM3RPxE9kGTMBMRPxuCUSwSU:Cc+ZhguBk1U
        MD5:948E6BDD727609EF19CEB61A2B6A9485
        SHA1:EA287D1EB54F7AEBFEDEE30EE7359039864F427D
        SHA-256:0B598524E000BB7DD7DC07D18042CA1EB89D6A5A823167A0853758ED611F764F
        SHA-512:EF8B57C59E17AC16EF2B69FF015DD86FAB2845430AD17D5A2AC30DAD191200882C0338F6504A49C1B2CC43FE96B46DCF9C68C9135A4944F4DB1830C50980CA12
        Malicious:false
        Preview:......................>...................................<...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):465
        Entropy (8bit):5.46510764879692
        Encrypted:false
        SSDEEP:12:tFwGj656eoPqw3sZKhpmD/+in8inuPOwznn08u905:tFwhk/xphC/+Hbdw8z
        MD5:C110F6229F124A314ADF8E95C29D5A7E
        SHA1:7EC147AECEC58AE905E767865CB3DC09A4FE39F0
        SHA-256:5D3BAB2DFE6959B64FB3AE7E6E4063BB5D3435FF6B5B973EFC1CC3930D3E5861
        SHA-512:719FF59A22FB26ACB3835C53E0954A3E4F00C5C103FA8075015260A2D4F737963CD42F4A8EF279971CCC54D1F3CD730BBEB3E97273B0E112A151EC6A6D0E945F
        Malicious:false
        Preview:[MODEL NAME]: LORENZ MODEL..[INDVAR]: T..[DEPVAR]: X,Y,Z..[PARAMS]: B,Ro,Segma....[EQUATIONS]:..// comment line..X'=Segma*(Y-X)..Y'=Ro*X-Y-X*Z..Z'=X*Y-B*Z..END OF EQUATIONS....[PARAMS VALUES]:..// go to a new line..B=3..Ro=30.0..Segma=10.0....[INIT CONDITION]:..// go to a new line..T=10.00..X=-7.0..Y=-9.0..Z=22.0....// specify the step size to collect data:..[STEP SIZE]: 0.05....// specify the stop value for independent variable:..[STOP VALUE]: 20....ENDMODEL..
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):34
        Entropy (8bit):3.8954238702803163
        Encrypted:false
        SSDEEP:3:NK7R2SQ2pn:Et
        MD5:26BA9374C70A05BE744669B78AA2B180
        SHA1:F3B6095479A157F69745897B99E00F8C340F70F7
        SHA-256:B33263A7280F1A795F4CCD0C47364297FC1F266A975AC8ED0E492993EEE0D278
        SHA-512:E58849E75879A79E0EF5FB14971234C6165171C06C732B4580AEAC6A3EAFA51A4144642211F7A4538E5C4D01AC99C6138DBE90EE3293ACB97F649AA8E8410ACF
        Malicious:false
        Preview:x=column1+4..y=column2*2+column1..
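This 34-byte text file is the one dropped file whose full content is visible in the report: the preview renders each non-printable byte as ".", so the two ".." runs are the CRLF terminators named in the File Type, and the printable text plus two CRLFs is exactly 34 bytes. That makes it a convenient check on how the report's per-file fields are derived. The following Python is an added example, not part of the Joe Sandbox report or of the sample's own code: it reconstructs the file bytes (an assumption based on the preview and the stated size), parses one Key:Value entry in the report's own layout, recomputes the 8-bit Shannon entropy and the hashes locally, and compares them with the values the report lists.

```python
# Added example (not from the Joe Sandbox report): reproduce the report's
# "Entropy (8bit)" field and hashes for a dropped file whose content is fully
# visible in the preview, and parse the report's Key:Value entry format.
import hashlib
import math
from collections import Counter

# Reconstruction of the 34-byte "ASCII text, with CRLF line terminators" file
# (assumed from the preview, which shows CR and LF as ".", and the 34-byte size).
DROPPED_TEXT = b"x=column1+4\r\ny=column2*2+column1\r\n"

# The report's entry for that file, copied from the page (constructed string).
REPORT_ENTRY = """\
Process:C:\\Windows\\System32\\msiexec.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):34
Entropy (8bit):3.8954238702803163
Encrypted:false
MD5:26BA9374C70A05BE744669B78AA2B180
SHA1:F3B6095479A157F69745897B99E00F8C340F70F7
SHA-256:B33263A7280F1A795F4CCD0C47364297FC1F266A975AC8ED0E492993EEE0D278
Malicious:false
"""


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the sandbox's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_entry(text: str) -> dict:
    """Parse one 'Key:Value' dropped-file entry into a dict.

    Split on the first colon only, so a Windows path value such as
    C:\\Windows\\System32\\msiexec.exe keeps its drive-letter colon.
    """
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def check_against_report(data: bytes, entry: dict) -> dict:
    """Recompute size, entropy and hashes for `data` and compare with `entry`."""
    entropy = shannon_entropy_8bit(data)
    return {
        "size_ok": len(data) == int(entry["Size (bytes)"]),
        "entropy": entropy,
        "entropy_ok": abs(entropy - float(entry["Entropy (8bit)"])) < 1e-9,
        "md5_ok": hashlib.md5(data).hexdigest().upper() == entry["MD5"],
        "sha1_ok": hashlib.sha1(data).hexdigest().upper() == entry["SHA1"],
        "sha256_ok": hashlib.sha256(data).hexdigest().upper() == entry["SHA-256"],
    }


if __name__ == "__main__":
    result = check_against_report(DROPPED_TEXT, parse_entry(REPORT_ENTRY))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The entropy figure is the only field that can be confirmed by hand from the page: the 34 bytes contain four characters that occur once, six that occur twice and six that occur three times, and that histogram gives 3.8954238702803163 bits per byte, matching the report to the last digit. The same routine applied to a 256-byte block containing every byte value once returns 8.0, the ceiling against which the report's "Encrypted" heuristic and the 7.9 values for the PDF and GIF entries should be read.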
        Process:C:\Windows\System32\msiexec.exe
        File Type:PDF document, version 1.1
        Category:dropped
        Size (bytes):2103361
        Entropy (8bit):7.92770783086045
        Encrypted:false
        SSDEEP:49152:uzS2mNBKQEm9lk+QnSCQD0LGnDUyizJCRZ04t:uzSsI9lk37tLiDkCZ3
        MD5:B4D00402A14C653CBAA1B42E4B114BA7
        SHA1:FB534E1826CD669FEA6980B65E690B67A3362CE4
        SHA-256:DA089E83D821CE79DBD48635B05E2D68C53EE2C1D67EE76AD0B71BE994057B0A
        SHA-512:C2FF6B171D53810139683989A048A37246539708AC0FBFFFB274285D93735B1B126A75E6C30D05635401F36971D773463740208F583E86298AEC655D8F98EFB6
        Malicious:false
        Preview:%PDF-1.1..%......1 0 obj..<<../CreationDate (D:191120415114404)../Producer (\376\377\000A\000c\000r\000o\000b\000a\000t\000 \000D\000i\000s\000t\000i\000l\000l\000e\000r\000 \0003\000.\0000\0001\000 \000f\000o\000r\000 \000W\000i\000n\000d\000o\000w\000s)../Subject (tutorial)../Keywords ()../Author (Administrator)../Creator (Adobe PageMaker 6.52)../Title (tutorial)..>>..endobj..3 0 obj..<<../Dest [2 0 R /Fit]../Type /Annot../Subtype /Link../Rect [36 528 450 543]../Border [0 0 0]..>>..endobj..6 0 obj..<<../Dest [5 0 R /Fit]../Type /Annot../Subtype /Link../Rect [47 513 450 526]../Border [0 0 0]..>>..endobj..7 0 obj..<<../Dest [5 0 R /Fit]../Type /Annot../Subtype /Link../Rect [58 498 450 512]../Border [0 0 0]..>>..endobj..9 0 obj..<<../Dest [8 0 R /Fit]../Type /Annot../Subtype /Link../Rect [58 484 450 497]../Border [0 0 0]..>>..endobj..11 0 obj..<<../Dest [10 0 R /Fit]../Type /Annot../Subtype /Link../Rect [58 469 450 482]../Border [0 0 0]..>>..endobj..13 0 obj..<<../Dest [12 0 R /Fit]../T
        Process:C:\Windows\System32\msiexec.exe
        File Type:GIF image data, version 89a, 760 x 560
        Category:dropped
        Size (bytes):33967
        Entropy (8bit):7.967566791772024
        Encrypted:false
        SSDEEP:768:rnQeHgi19sQJK+XTEDD2/7t4nVEqXoRxWIQxHbKn7:rQmgAuSLgDCTNAohQ1G7
        MD5:1AA6A61BAE5109EADDB65B31CEDF8A1C
        SHA1:E91B098FAB6F34C90BFB8F77D3B9026C6B2CA35D
        SHA-256:FE5D51470843F82B74B24EF02319C4190BC555FE8CC1BA97979CE03DA3B073BF
        SHA-512:336AB383CBF31368431D8C756B2751A46352F2B9F5AE3BABDF1AFD523A7012762F92ECD555B18306FBC01D791B1F70B57B32558898636A1768ED2F1D5D922C42
        Malicious:false
        Preview:GIF89a..0.........3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.....................!..NETSCAPE2.0.....!.......,......0.....c.."...0...p0...V.P.0...)&.q....2~....H.%I..yR%.-c...eM.6_....D.:...Q..H.*M.t..P.J.Ju..X.j..u..`...Kv..h.M.v..m.I.&..L...........L.....+^<..`.}.....e}.#O.Ly.d.
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):533
        Entropy (8bit):3.9119608164209194
        Encrypted:false
        SSDEEP:12:Bjis9kMQEDzc89lOvgmY8QaF1RL4APFeYseoe:Bjie6cc89sYmY8QkR0ANeYvoe
        MD5:BD3E370EA837D2C488DBA45C4C42AC37
        SHA1:44E905924DAFCE85ECF167E642605220B5906260
        SHA-256:45A27A378A3D8445DBA1D4E0E05636F1A10C4D50618D4FE57E96995BCE58DED4
        SHA-512:94979817922BA6B9AA84B9B645943346BC116CDBD7E7148DB62E2971618BBD82B0955E56E6EF9B060415792240D91DFB4532870F7D7514C8436B734D6A2801F5
        Malicious:false
        Preview:.".PSI-Plot6.0Windows.........................T.........B................4@...............>@...............D@...............I@...............N@...............Q@...............T@...............V@...............Y@...............[@...............^@..............@`@...............a@.........Y.........B...........-....c@...............c@.........W.I...c@..........+H3..b@..............b@.........L...1.a@............?.o[@..........}t...O@.........~o..xE@.............7F@...............E@...............D@..........]K...E@...P.P.P....
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1360
        Entropy (8bit):4.031274706789076
        Encrypted:false
        SSDEEP:24:Gr6sjgB9Kx447JZDFABNzvepQzr2XXslY7mYdUrnR9DkiS:Grvgvy4ssSQzSXXw+mYdUzR9Dkf
        MD5:C0956C761FB0DD70704F3B5D277AFEB3
        SHA1:0D8E99C8AAA8F3A546FF1815112AE96696B9BA99
        SHA-256:40AA6B10FA8A6DDF07DD0054ECE59429F6A7AD2C8C2B9E5665E4293957B4D88F
        SHA-512:F5C8F1CF5E066FDCC9D4A602E6FDB1AC77C7C4951ADF6FFEC0CA9F271E586E9B16C753D7A670B03527260BD6CAE13D1CBBBD4CD45EB0BF925D84433376B73E0E
        Malicious:false
        Preview:.".PSI-Plot8.1Windows............%............x.........B.....................................$@...............4@...............>@...............D@...............I@...............N@...............Q@...............T@...............V@...............Y@...............[@...............^@..............@`@...............a@...............b@...............d@..............@e@...............f@...............g@...............i@..............@j@...............k@...............l@...............n@..............@o@..............@p@...............p@...............q@.............. r@...............r@..... ........`s@.....!.........t@.....".........t@.....#........@u@.....$.........u@.....%.........v@.........y.........B................................s.~.:.?............t...?................?...........<R...?.........9P.o..?..........LX.z..?..........-RB...?................?................?................?..........-RB...?..........LX.z..?.........9P.o..?...........<R...?................?............
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):1360
        Entropy (8bit):4.0063571501874415
        Encrypted:false
        SSDEEP:24:Gr6sjgB9Kx447JZDFABNzvepMBfXuDUJRur0BDKpkFsdmobD/1:Grvgvy4ssSI2DSkrQDKpkFsd7//1
        MD5:3DA8503B2BE5D52D5244B6D9A81A9CD2
        SHA1:4272883EFE226E413D4260A019EB0B50EA48327E
        SHA-256:35D4F5BEB4DDE1593D0581537982FDE0D5DBBA7ED6EE1AC8CFF43859055D96E1
        SHA-512:5C77076CB24AE90E6E08BA4A0CA8110FFFADED4A5E2AC7BD090E19FFC4FA263DC9190B375F6C43196B0078451B1F7D632018F6A26FDA321F37FF02ADA661D428
        Malicious:false
        Preview:.".PSI-Plot8.1Windows............%............x.........B.....................................$@...............4@...............>@...............D@...............I@...............N@...............Q@...............T@...............V@...............Y@...............[@...............^@..............@`@...............a@...............b@...............d@..............@e@...............f@...............g@...............i@..............@j@...............k@...............l@...............n@..............@o@..............@p@...............p@...............q@.............. r@...............r@..... ........`s@.....!.........t@.....".........t@.....#........@u@.....$.........u@.....%.........v@.........y.........B.....................?................?..........-RB...?..........LX.z..?.........9P.o..?...........<R...?................?............t...?..........s.~.:.?..........\.3&..<..........s.~.:.............t..............................<R............8P.o............LX.z............-R
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):680
        Entropy (8bit):4.015145965277123
        Encrypted:false
        SSDEEP:12:xgrpBtyy46AUoyecgEydNma2Cd2wP+G9z39m:GrejOeREi/R9j9m
        MD5:0A9F59EDB65BA72000A9FB8CC77DFE8A
        SHA1:97E2AA9A71624B37C2825E3908E50AE11BCD0A50
        SHA-256:A643D9310BDA2129D72CA24577EF0B2AB7D5895590086AFA6710ECC5DD6E7382
        SHA-512:B63C5B99B0C9B8D3513BC7E5FD24D8B5629040CA4BD7287FFD76598F56625F48FD05B2D38BE5594A379AAACC4C2C2990579C64B0EC75A9DEA49FAA97FD1E259A
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................x.........B......................................?................@................@................@................@................@................@............... @..............."@...............$@...............&@...............(@...............*@...............,@................@...............0@.........Y.........B...............5'.J..?.........O..7...@..........z....&@........... .$ ;@.........$.....Z@.........b....r@.........f..*...@..........T.....@.........D..L.@...........47~.@..............{.@.............;..A..........-...A.........b=.2wg.A.............r36A...............RA.............<.tA...P.P.y.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):816
        Entropy (8bit):4.0531670222257095
        Encrypted:false
        SSDEEP:12:xgr9Btyy46AUoyecgEyn51H6T5fewjp8I1kyt+Unm9LWLulxVlt0aM1W:Gr6jOeREUH6TEQkghaBlt0rk
        MD5:7B748CD2049622113C4D0C404BB236C8
        SHA1:DAB98C3995798227C4E464CC088FCBE08C7E98AC
        SHA-256:8165A8B59A8338CED97EBF99AAB1E16E205C801482CB205A41A5086C9E41E4B7
        SHA-512:5820A22B42A92BDA4B8824B139E1A0ADEDACABDF0B4E560B41705DBDBD91880AC02AA8C046211DCFDB9C1D1BF694F2F6D992F5A6FE40017BFBE1445F7523844C
        Malicious:false
        Preview:.".PSI-Plot8.1Windows.........................x.........B......................................?................@................@................@................@................@................@............... @..............."@...............$@...............&@...............(@...............*@...............,@................@...............0@...............1@...............2@...............3@...............4@.........y.........B................_-;U!@..........0n.."@............|..%@............E..$@..........pX../&@..........V....,@..........!'...,@..........^..H.+@..........9.0.L2@.............O.1@.........r..}.5@...........#...8@............Y..;@.........0L6.p.>@..........s8ds.=@.........E{.[+cD@..........*...C@..........9D..dE@.........X.(.ZM@............Q..L@..........a...lN@...P.P.P.......
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):782
        Entropy (8bit):3.013056632749083
        Encrypted:false
        SSDEEP:12:xgr4Btyy46AUoyecgEyn0/CaZ5UDamUqc4/JjjO:GrTjOeREjZSDamJT/tO
        MD5:56151AE3D0E14FC1404D1A2D59BDCBD1
        SHA1:60F7B2B35560E65C64FF18CBB6E4E82E177723BF
        SHA-256:AD6E1418098300459C4AD2945B593A2BA9EB3783366C9161E62FF52337D56051
        SHA-512:8F2DF017F47E3AFB542111E3E3E41666E130F8CDF17C69717ADCAAD767A2019190AC773F5583F1865BFCFB31FA232E937D23740EC269596040E40E0D7AC61EA9
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):56
        Entropy (8bit):3.0560358355937933
        Encrypted:false
        SSDEEP:3:TG1DM/mSWoK11:Jmlf1
        MD5:58E3490534A85EB48D3AF510A0AFFFC6
        SHA1:E891D2C9ABB97D61AFC364FC7DC32503AD960869
        SHA-256:BDB3C751E40CCA592988E19E6C087200B00EAB70D33ED7702347A122F3E58C9E
        SHA-512:E3BD2110B60CCF613E2757869E9D19B2DB969FA14BE9673C03E66BE68C932A93520008187C4A8FC0DEA7C18471923494DB6F2F25AE331C47DC59A9924A029711
        Malicious:false
        Preview:x.y1.y2..1.1.1..2.2.1..3.3.2..4.4.2..5.3.3..6.2.3..7.1.1
        Process:C:\Windows\System32\msiexec.exe
        File Type:HTML document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):3951
        Entropy (8bit):5.228413076950843
        Encrypted:false
        SSDEEP:96:Ofm2r2sthMh6IFZ8jXBMoqeMgwbiLapMKulMLZsr5xOMLZsrA4OMLZsrqqOMLZsF:IH6y66IMqzPbOoNsr59NsrrNsrqWNsrJ
        MD5:D203890440A646787ADB391811966471
        SHA1:33549D2730D8061069CFCD4BD74625E742069F30
        SHA-256:EAB118741B6C22A67D6E6898FF9F2669CE012ACC1ED6EA3144E5CB95E731BF69
        SHA-512:5EB3C55EAB7FD351EDF790B86C3386AEEC1BC8AC1E55DF4D9945A5E988614651D698706C314D20838DFD610E731FDA5BDEDB40711777A618B7E0560D1E84C746
        Malicious:false
        Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">....<html>....<head>..<title>PSIPlot readme</title>..<meta name="GENERATOR" content="Microsoft FrontPage 6.0">..</head>....<body bgcolor="#FFFFFF">..<blockquote>..<p align=left><font color="#008000"><font size=5><strong>PSI-Plot Version 10.5</strong></font></font><strong>..</strong><font color="#0080C0"><strong>Working Demo</strong></font></p>..<dl>..<dt><font size=3><strong>Readme Document</strong></font></dt>..<dt><font size=2><strong></strong></font>&nbsp;</dt>..<dt><font size=2>(c) Poly Software International 1992-2012, All Rights Reserved</font></dt>..</dl>..</blockquote>..<hr>..<p><strong>Contents</strong></p>..<ol>..<li><a href="#Packing list">Packing list</a></li>..<li><a href="#Hard disk space requirement">Hard disk space requirement</a> (Important!)</li>..<li><a href="#Installing_PSI-Plot_under_Vista">Trouble shoots under Vista</a></li>..<li><a href="#How to contact Poly Software International">How to contact Poly Software Interna
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):213
        Entropy (8bit):5.369329694619205
        Encrypted:false
        SSDEEP:3:ROZEJIk29KcvXqhsFpwKhK4VB4mPpuCIfgryOO6IWlFov8Y6VX5gbyv+4Wgw/1v+:lINvisFpwKFVBtPASiYKJD8+4Wh1Nwn
        MD5:53ABEDE688B99BF32FA3D1B794B664A8
        SHA1:80006704F289B0E205CD918905BC382A66750EB6
        SHA-256:B481B330B954C6A1D2BD400F48302F05E65F8DD9E1935F9F5F14535911C3BAA2
        SHA-512:1DCBF41245D042BF06BCBC553797F332F13D672BE6561BF7094DB831366A904CD53D4B8DE4C79C51120247ECE012A9650706B3FAF450803BBA391771FF64551B
        Malicious:false
        Preview://hit F1 key for detailed infomation..[MODEL NAME]: Templet..[INDVAR]: X..[DEPVAR]: Y, PLT..[PARAMS]: a,b....[EQUATIONS]:..TmpVar=sin(x) ..Y=TmpVar+2*a..PLT=cos(x)+b....[PARAMS VALUES]:..a=0.5..b=1......ENDMODEL.
        Process:C:\Windows\System32\msiexec.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):153
        Entropy (8bit):5.423232746239388
        Encrypted:false
        SSDEEP:3:ROZEJIk29KcvB3qpv+54VB4mPpuwvyOdNhfhQotfYdb7ovnrGal:lINvopvFVBtPAwZfhnf67ovJl
        MD5:11B816EEEE3F295490B2E5C161B09284
        SHA1:BC014042C084A3FBED08B6AC8811B1A45720ACB4
        SHA-256:EE93960E96C2F805FD24237346A9AE0EF5C4A1CAA3B04A60EA09BB860ECABC8A
        SHA-512:47AE748CACD052B8CFFFAFEBAFB0E4767F8CB2320F54301171C9806ECB395B66777BBEAC7D9CDE59B7FD9AB046915E3B971F1D0A4E7B5A22C2C1C54D5209708A
        Malicious:false
        Preview://hit F1 key for detailed infomation..[[MODEL NAME]: Templet2..[INDVAR]: X..[DEPVAR]: Y, PLT....[EQUATIONS]:..Y=sin(x)+2*0.5..PLT=cos(x)+1..ENDMODEL.....
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu May 3 18:20:52 2012, mtime=Thu Oct 10 17:18:30 2024, atime=Thu May 3 18:20:52 2012, length=3951, window=hide
        Category:dropped
        Size (bytes):2129
        Entropy (8bit):3.908053825638247
        Encrypted:false
        SSDEEP:48:8v15fdOu/oI68R8WdLdX5aUDmh/Sk1WaUDmhxy:8nX5N6pWN6n
        MD5:206E16AEA74689ED7809B6C70A02FA5E
        SHA1:575FF60B58679CB125AF56ADFA6A7FC72BDA8B13
        SHA-256:26DE0EEBDC027243B3C224BF04B38D1B9FFCBC9FD8BF389D07C8063A3EFA3858
        SHA-512:AC4C30D0402BF0F4AA573417DB62868B3F341904826DFB5E7E9C4CB2E8C24D7C14F6D496B0A467A3AC4C32194A363B20B45F3BADB38D59927619B6841CBB2B7A
        Malicious:false
        Preview:L..................F.@.. .......a)..jH).@.......a)..o............................P.O. .:i.....+00.../C:\.....................1.....JYN...PROGRA~2.........O.IJYN.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....J.1.....JYN...PSI.8......JYN.JYN.....|.........................P.S.I.....V.1.....JYP...PSIPLOT.@......JYN.JYP............................F..P.S.I.P.L.O.T.....`.2.o....@.. .readme.htm..F......@..JYP......G........................r.e.a.d.m.e...h.t.m.......\...............-.......[...........w60......C:\Program Files (x86)\PSI\PSIPLOT\readme.htm....R.e.a.d.m.e. .f.i.l.e.<.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.r.e.a.d.m.e...h.t.m.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.m.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.F.7.D.8.2.7.5.-.3.8.F.3.-.4.2.C.F.-.A.F.3.D.-.2.9.B.1.B.F.9.1.8.9.2.6.}.\.N.e.w.S.h.o.r.t.c.u.t.3._.B.9.4.E.C
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Sun Apr 15 14:44:10 2012, mtime=Thu Oct 10 17:18:27 2024, atime=Sun Apr 15 14:44:10 2012, length=2103361, window=hide
        Category:dropped
        Size (bytes):2169
        Entropy (8bit):3.9211436999598326
        Encrypted:false
        SSDEEP:48:8u5fdOuPvCRnjFdWxdX5aUDChCSkKWaUDChmtCj:8qgKb5NeRWNeItC
        MD5:E2806395A4986BA4228674DA9C67F581
        SHA1:C822FDB42BE18182DFDEA41571504E69AF21D71E
        SHA-256:52E18AA7E2570E608A5AFCBC65817DC940A081B08B4F79B8BDD73C5DA88F1C59
        SHA-512:2B8388C37DC13A129DDFE04C0BE45CC3F5519916E28AB4CA7E5F05A4BD92516DB37DCA665601B15BD6BE3D4EEC3F6F4F77B5D6A70D6755C98F4B2C016DC3F2A5
        Malicious:false
        Preview:L..................F.@.. ....Ac......r.@....Ac.....A. ..........................P.O. .:i.....+00.../C:\.....................1.....JYN...PROGRA~2.........O.IJYN.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....J.1.....JYN...PSI.8......JYN.JYN.....|.........................P.S.I.....V.1.....JYP...PSIPLOT.@......JYN.JYP............................F..P.S.I.P.L.O.T.....f.2.A. ..@.} .TUTORIAL.PDF..J......@.}JYN.....z.........................T.U.T.O.R.I.A.L...P.D.F.......^...............-.......]...........w60......C:\Program Files (x86)\PSI\PSIPLOT\TUTORIAL.PDF....P.S.I.-.P.l.o.t. .t.u.t.o.r.i.a.l. .l.e.s.s.o.n.s.>.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.T.U.T.O.R.I.A.L...P.D.F.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.m.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.F.7.D.8.2.7.5.-.3.8.F.3.-.4.2.C.F.-.A.F.3.D.-.2.9.B.1.B.F.9.1.8.9.2.6
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu May 3 17:52:22 2012, mtime=Thu Oct 10 17:18:27 2024, atime=Thu May 3 17:52:22 2012, length=9342976, window=hide
        Category:dropped
        Size (bytes):2144
        Entropy (8bit):3.9056870266390815
        Encrypted:false
        SSDEEP:48:8hJ5fdOuomlRued9dX5aUDESk1OOWaUDQm:8hD95NpOWNs
        MD5:139B0E1DB439C1EC7F3DBC379C59A1F8
        SHA1:8C4DA7F2CCAF4C8AAB6E637C73D0C2F06C626F7C
        SHA-256:9478CB6AA846A321899C01002900C1229E640C8BB2DD66DF3A5B9AC79E718D6D
        SHA-512:61F791D19B02E5F6EF7FD588B6FA2EF3D96AD8069468F445D7B22FE3F5B0ED449444DF8C59BD909501E60D5E6C57591C6BE003A75954ED65B5B3BCF0903170B6
        Malicious:false
        Preview:L..................F.@.. ....7a.])......@....7a.])...............................P.O. .:i.....+00.../C:\.....................1.....JYN...PROGRA~2.........O.IJYN.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....J.1.....JYN...PSI.8......JYN.JYN.....|.........................P.S.I.....V.1.....JYP...PSIPLOT.@......JYN.JYP............................F..P.S.I.P.L.O.T.....b.2......@.. .PSIPLOT.EXE.H......@..JYN...............................P.S.I.P.L.O.T...E.X.E.......]...............-.......\...........w60......C:\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE....P.S.I.-.P.l.o.t. .P.r.o.g.r.a.m.=.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.P.S.I.P.L.O.T...E.X.E.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.m.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.F.7.D.8.2.7.5.-.3.8.F.3.-.4.2.C.F.-.A.F.3.D.-.2.9.B.1.B.F.9.1.8.9.2.6.}.\.N.e.w.S.h.o.r.t.c.u.
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu May 3 17:52:22 2012, mtime=Thu Oct 10 17:18:32 2024, atime=Thu May 3 17:52:22 2012, length=9342976, window=hide
        Category:dropped
        Size (bytes):2092
        Entropy (8bit):3.912749175378985
        Encrypted:false
        SSDEEP:48:8cJ5fdOuomlRWd9dX5aUDLhASknWaUDLhkm:8cD05NHeWNHK
        MD5:305295FDA89E66E3B9BBD2426C2D8B01
        SHA1:8B8A4EAB3A9E7A6048E194E532F11E8B5B1AD5C0
        SHA-256:A7DACA7B59F2895001F9E47D46F2EDC9632D2C0D3731E1C8A02A7CC720485B8E
        SHA-512:8593100CE3A38C9AA03F2FB570119A0C1E8DC50AD57686A4800AAFB3C53602BE35BEA9E9AC4BAB08E0DB23D5A5292160A87A0D00A2C3E19C2B10300A042FB396
        Malicious:false
        Preview:L..................F.@.. ....7a.]).....@....7a.])...............................P.O. .:i.....+00.../C:\.....................1.....JYN...PROGRA~2.........O.IJYN.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....J.1.....JYN...PSI.8......JYN.JYN.....|.........................P.S.I.....V.1.....JYP...PSIPLOT.@......JYN.JYP............................F..P.S.I.P.L.O.T.....b.2......@.. .PSIPLOT.EXE.H......@..JYN...............................P.S.I.P.L.O.T...E.X.E.......]...............-.......\...........w60......C:\Program Files (x86)\PSI\PSIPLOT\PSIPLOT.EXE..4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.P.S.I.P.L.O.T...E.X.E.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.P.S.I.\.P.S.I.P.L.O.T.\.m.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.C.F.7.D.8.2.7.5.-.3.8.F.3.-.4.2.C.F.-.A.F.3.D.-.2.9.B.1.B.F.9.1.8.9.2.6.}.\.N.e.w.S.h.o.r.t.c.u.t.6._.B.9.4.E.C.0.B.E.5.4.2.B.4.F.3.0.8.6.7.9.E.8.D.
        Process:C:\Windows\SysWOW64\msiexec.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):81920
        Entropy (8bit):4.866192990621714
        Encrypted:false
        SSDEEP:1536:nzykrDtT4NxMQRmWdhi79C0X/niKGn+TcXyc/i9wV6:zrXsx1ljiCn+TcXyc/iWV
        MD5:3CAAC7A39064C06FBA555647FB91C3BB
        SHA1:6DE48C7B28807637412A277926FF8C2770EC9A87
        SHA-256:58245186A18A1A79BEB9A025046B49EC541B5AE44191A851623FD2FBD1A77347
        SHA-512:1063CD4D10F63CD099ED4AC27E06810AFA69133BF564EC42C955D92C8F2C81AA81E3ECDBF6615BFA3E00BF1F5496F41AAED9961767E92B731440AAC881C78008
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Process:C:\Users\user\Desktop\plotdemo.exe
        File Type:Generic INItialization configuration [Languages]
        Category:dropped
        Size (bytes):5495
        Entropy (8bit):4.9817711151194315
        Encrypted:false
        SSDEEP:96:VXoB2MQrl8/T3INLfRtMx76U0KOFWgVl2Uub0QAg80SbtEBapIx0KsLK3C0cTBAj:JFYT3wLfRA0viBAvCSEB9yC
        MD5:6C87581375D4E4789761B9833C2A1B4D
        SHA1:310395FDE36429B08B615831152399DB7E4267A2
        SHA-256:43160E278E4302E378E754149C6394BC51D1969A7941687CFCC6C00B25151282
        SHA-512:FF499900DD9AE154825BB1B8A65F7C53367A4A75131CE1AA08FFBD0BBAAE4D8E3A062455D74B8DCE41FC89648BED33FB2ECD95E7BA57098CAA7CA652F176DFD2
        Malicious:false
        Preview:..[0x0409]..TITLE=Choose Setup Language..DESCRIPTION=Select the language for this installation from the choices below...REBOOTMESSAGE=The installer must restart your system to complete configuring the Windows Installer service. Click Yes to restart now or No if you plan to restart later...ONUPGRADE=This setup will perform an upgrade of '%s'. Do you want to continue?..LATERVERSIONINSTALLED=A later version of '%s' is already installed on the this machine. The setup cannot continue...OK=OK..Cancel=Cancel..1100=Setup Initialization Error..1101=%s..1102=%s Setup is preparing the %s, which will guide you through the program setup process. Please wait...1103=Checking Operating System Version..1104=Checking Windows(R) Installer Version..1105=Configuring Windows Installer..1106=Configuring %s..1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system...1108=%
        Process:C:\Users\user\Desktop\plotdemo.exe
        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Last Saved By: InstallShield , Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Welcome to PSI-Plot Version 10.5 Working Demo, Author: InstallShield Software Corporation, Number of Pages: 200, Name of Creating Application: InstallShield X - Express Edition 10.0, Last Saved Time/Date: Thu May 3 16:22:06 2012, Create Time/Date: Thu May 3 16:22:06 2012, Last Printed: Thu May 3 16:22:06 2012, Revision Number: {96644CA9-8EA3-446B-8568-6E1624759883}, Code page: 1252, Template: Intel;1033
        Category:dropped
        Size (bytes):17396224
        Entropy (8bit):7.970993510115528
        Encrypted:false
        SSDEEP:393216:dWvb+jH+xyNAshhQoMEEhorS+Eo5g5+DX:kURmGmeEoo4
        MD5:340535553893D92D33A6EB94A592717B
        SHA1:BDDE2F5D3D356BF841C55B0BC3B8008CD1AAF0EA
        SHA-256:74ADA3893F257184A5D0F13A4D41718DB3A7D6783302CAB54BEDF6C55F312A3C
        SHA-512:5F7B22C519306637976B864B47DA622A2448739FD5E74A76E2ACA41BDBB5084078736D45132CD76E459FC7540EE40960985188F4922E67A68983EAD3E2152964
        Malicious:false
        Process:C:\Users\user\Desktop\plotdemo.exe
        File Type:Generic INItialization configuration [Startup]
        Category:dropped
        Size (bytes):2013
        Entropy (8bit):5.366695072490581
        Encrypted:false
        SSDEEP:24:HP3Y0oMD5zpXrSjtNDdBOuhHpUbWaFEaFcalejaFBBjaFBL9le9lSJl4FC64qbbe:HP3p5zl2BNHUWhXvCm6mJGCS85EpLega
        MD5:10C078E324860D1EDF6C73658CEDB59D
        SHA1:CF114BB7E1B9C6AF6C5CF4892CE548B57E71D74F
        SHA-256:C4C77EBCBB1B594088BB8A240B8505855B7FCA89B5CCA977165944316FE0B13A
        SHA-512:58227C129EF509E7646B35740B69A6006178936F5AACA364CF65A5937316B4772D03AE662B46BCB7EC3B38609D3C696DED7A5843878FB2909F34C8DDF56BAA44
        Malicious:false
        Preview:[Info]..Name=INTL..Version=1.00.000..DiskSpace=8000.;DiskSpace requirement in KB....[Startup]..CmdLine=..SuppressWrongOS=Y..ScriptDriven=0..ScriptVer=1.0.0.1..DotNetOptionalInstallIfSilent=N..OnUpgrade=0..RequireExactLangMatch=0404,0804..Product=PSI-Plot Ver 10.5 Working Demo..PackageName=PSI-Plot Ver 10.5 Working Demo.msi..EnableLangDlg=Y..LogResults=N..DoMaintenance=N..ProductCode={CF7D8275-38F3-42CF-AF3D-29B1BF918926}..ProductVersion=10.50.0001..SuppressReboot=Y..PackageCode={96644CA9-8EA3-446B-8568-6E1624759883}....[MsiVersion]..2.0.2600.0=SupportOS....[SupportOSMsi11] ;Supported platforms for MSI 1.1..Win95=1..Win98=1..WinNT4SP3=1....[SupportOSMsi12] ;Supported platforms for MSI 1.2..Win95=1..Win98=1..WinME=1..WinNT4SP3=1....[SupportOS] ;Supported platforms for MSI 2.0..Win95=1..Win98=1..WinME=1..WinNT4SP6=1..Win2K=1....[SupportOSMsi30] ;Supported platforms for MSI 3.0..Win2KSP3=1..WinXP=1..Win2003Server=1....[Win95]..MajorVer=4..MinorVer=0..MinorVerMax=1..BuildNo=950..PlatformId=
        Process:C:\Users\user\Desktop\plotdemo.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):11
        Entropy (8bit):3.0957952550009344
        Encrypted:false
        SSDEEP:3:Pivn:Kvn
        MD5:3FDD2635AA94921522AF8186F3C3D736
        SHA1:0FE63553E9F993C0CB2CB36B8CDCFBA4F4A2650D
        SHA-256:17AD78845C9C6A8E97A5BD14BE56700A51EE85867C979ED6CF538E1FED82CF7C
        SHA-512:EBDBEEFBDC777937FCE516A1CBD9AF7C305FC242091D695AD919A27C98FAC5B6B16B44130BDF97DBFD10561CCE701180B1FBB303D848944C3B33B8A3C058653A
        Malicious:false
        Preview:[Files]....
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Last Saved By: InstallShield , Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Welcome to PSI-Plot Version 10.5 Working Demo, Author: InstallShield Software Corporation, Number of Pages: 200, Name of Creating Application: InstallShield X - Express Edition 10.0, Last Saved Time/Date: Thu May 3 16:22:06 2012, Create Time/Date: Thu May 3 16:22:06 2012, Last Printed: Thu May 3 16:22:06 2012, Revision Number: {96644CA9-8EA3-446B-8568-6E1624759883}, Code page: 1252, Template: Intel;1033
        Category:dropped
        Size (bytes):17396224
        Entropy (8bit):7.970993510115528
        Encrypted:false
        SSDEEP:393216:dWvb+jH+xyNAshhQoMEEhorS+Eo5g5+DX:kURmGmeEoo4
        MD5:340535553893D92D33A6EB94A592717B
        SHA1:BDDE2F5D3D356BF841C55B0BC3B8008CD1AAF0EA
        SHA-256:74ADA3893F257184A5D0F13A4D41718DB3A7D6783302CAB54BEDF6C55F312A3C
        SHA-512:5F7B22C519306637976B864B47DA622A2448739FD5E74A76E2ACA41BDBB5084078736D45132CD76E459FC7540EE40960985188F4922E67A68983EAD3E2152964
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):205227
        Entropy (8bit):5.392603495112571
        Encrypted:false
        SSDEEP:1536:tBQqSG2h8f71cpayZbSct9a8f71clJFZxE1iIfOTrZAJCQKu:trSG2+RcL1t9NRclDZeoVxAJCW
        MD5:85B6C9E4B959ACAFA6C35A39AEE8BAB8
        SHA1:3527981F549121011AF89C3B980DD8B82FED0482
        SHA-256:085AC0CB64FB1CDCA47403ED0032CF71B998B344F6A82B467D21402896310E24
        SHA-512:ACC51A1C125E66FC4C93733230F70AA4B3E15354F6F4701CE3A02395DA7202B4B7BF3D7CC197D1596DBB54C067EF7D12CBE3A0B9785FDD864C390A1942031CF9
        Malicious:false
        Preview:...@IXOS.@.....@NrJY.@.....@.....@.....@.....@.....@......&.{CF7D8275-38F3-42CF-AF3D-29B1BF918926}..PSI-Plot Ver 10.5 Working Demo".PSI-Plot Ver 10.5 Working Demo.msi.@.....@..2..@.....@......ARPPRODUCTICON.exe..&.{96644CA9-8EA3-446B-8568-6E1624759883}.....@.....@.....@.....@.......@.....@.....@.......@......PSI-Plot Ver 10.5 Working Demo......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B9B49F47-72FB-4C42-A0F9-9E4492A71FE0}8.C:\Program Files (x86)\PSI\PSIPLOT\SamplePlot\GrafPaper\.@.......@.....@.....@......&.{BAB24BF8-D4F6-4030-9A13-DC98383C6B25}/.C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe.@.......@.....@.....@......&.{B45E55D7-6469-4A47-B74A-0003A25261EC}..C:\Program Files (x86)\PSI\PSIPLOT\SamplePlot\.@.......@.....@.....@......&.{C24FD770-3983-48C6-B5EE-AB03577F5AA3}8.C:\Program Files (x86)\PSI\PSIPLOT\POSTSCRP\WIN95HLP.HLP.@.......@.....@...
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):20480
        Entropy (8bit):1.1749401837473998
        Encrypted:false
        SSDEEP:12:JSbX72FjqAGiLIlHVRpVh/7777777777777777777777777vDHFFip09pal0i8Q:JkQI5x1F
        MD5:4A82174B477006F7D86CEFE06FEB79A3
        SHA1:3750407EE3436A9473C90FBDBE4C089B53460B00
        SHA-256:CB8CF9D8592F4280A1A916B96AC5E773CF3132DA3B9274C54B262EA38C1B2C91
        SHA-512:A10F02189D85CDC0CAEE74085A2EE744A39B0EC344C13C453C0F2D4CD9B25459FCE072C57B5194553C117F868D109351547B065B0E472CF1D315BA015D3ED9CE
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):24576
        Entropy (8bit):1.8643118131466125
        Encrypted:false
        SSDEEP:48:l8PhX7uRc06WXzEFT5RwYjhwbWVS8qOdRzkdtXdfZdnlLfdnl6dyd4xdEdUednlV:Ihr15FTPBhwcdsoC7isoK
        MD5:EE2C12A9292AC9AFB1025F455DF08BA6
        SHA1:D5D4E2DE03E01F05AEF9217779CCFD5EAA0E01A6
        SHA-256:850380B07F3EB3C54B144935DA4A17A8C78321D993E88F37CECF9157CB7EAC6D
        SHA-512:9FB5BB1A290687CAAE689B9AA4E4347725992AF7EADA0F1CDE048BE35DC6D4E7834912682E9BA0BCCBBE23E0573D60E084B2B0CD5D4F7BEB78E69F3BB2865E67
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows icon resource - 5 icons, 32x32, 8 bits/pixel, 48x48, 8 bits/pixel
        Category:dropped
        Size (bytes):9822
        Entropy (8bit):4.816506424697984
        Encrypted:false
        SSDEEP:96:RtXyg408xGnrlqnqOtJyg4U93U9hbfemIjkOtJyg4DR9gM1L+CU+ALwN5XeSrtIj:RE08xGrlqPKU9EDbW1KDvt6+0wDeSgn
        MD5:BE9562971CE7DBF11E23794B8A9E5EA9
        SHA1:F28DE23C8AAB0D70B2D952995F607CDE7511038A
        SHA-256:1E78F455B86224319E4A555E64FC0030BB4C927190BE3363FC3D447FAE882C8D
        SHA-512:ABFA8B24C0389955FF1D4B871ED76681749E5BB626B6A0A489FEEC927AD5AEC06AF9BF7276EF12DB2B2A0440CCDAFA6C79BE77F8A3A9F2089D1C4329E77CDE91
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows icon resource - 5 icons, 32x32, 8 bits/pixel, 48x48, 8 bits/pixel
        Category:dropped
        Size (bytes):9822
        Entropy (8bit):4.816506424697984
        Encrypted:false
        SSDEEP:96:RtXyg408xGnrlqnqOtJyg4U93U9hbfemIjkOtJyg4DR9gM1L+CU+ALwN5XeSrtIj:RE08xGrlqPKU9EDbW1KDvt6+0wDeSgn
        MD5:BE9562971CE7DBF11E23794B8A9E5EA9
        SHA1:F28DE23C8AAB0D70B2D952995F607CDE7511038A
        SHA-256:1E78F455B86224319E4A555E64FC0030BB4C927190BE3363FC3D447FAE882C8D
        SHA-512:ABFA8B24C0389955FF1D4B871ED76681749E5BB626B6A0A489FEEC927AD5AEC06AF9BF7276EF12DB2B2A0440CCDAFA6C79BE77F8A3A9F2089D1C4329E77CDE91
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.958635638607587
        Encrypted:false
        SSDEEP:768:QnkpTBPJn7qcnDcDWeuIKeunHeu/9Ugucytnb6XXtct4:Q8f71cpayZbSct4
        MD5:A0790CA5995B2E56B65C89A61E57D1CD
        SHA1:B715DE24F510D75C33E350272DBBE337B8235281
        SHA-256:D41633D4EF288D72E1B5A06AFB5F752E2287133095B136EAFB13C88DB9CE59C5
        SHA-512:D91905E7201434A8E55BFD24DED57D36D12E2F36E12D4B69274D9FF0350BD064B0EAEA69B93A8CA23FF868A6576CAEEEA3EB5A5F24E1917DA7F5557EF0B29584
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Process:C:\Windows\System32\msiexec.exe
        File Type:MS Windows icon resource - 5 icons, 32x32, 8 bits/pixel, 48x48, 8 bits/pixel
        Category:dropped
        Size (bytes):9822
        Entropy (8bit):4.816506424697984
        Encrypted:false
        SSDEEP:96:RtXyg408xGnrlqnqOtJyg4U93U9hbfemIjkOtJyg4DR9gM1L+CU+ALwN5XeSrtIj:RE08xGrlqPKU9EDbW1KDvt6+0wDeSgn
        MD5:BE9562971CE7DBF11E23794B8A9E5EA9
        SHA1:F28DE23C8AAB0D70B2D952995F607CDE7511038A
        SHA-256:1E78F455B86224319E4A555E64FC0030BB4C927190BE3363FC3D447FAE882C8D
        SHA-512:ABFA8B24C0389955FF1D4B871ED76681749E5BB626B6A0A489FEEC927AD5AEC06AF9BF7276EF12DB2B2A0440CCDAFA6C79BE77F8A3A9F2089D1C4329E77CDE91
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):65536
        Entropy (8bit):4.989785853987418
        Encrypted:false
        SSDEEP:768:EnkpTBPJn7qcnDclJFZAgE/NiIfOTrvRAJCc:E8f71clJFZxE1iIfOTrZAJCc
        MD5:F1E0A51D6010825B4C1FA5430E9D031B
        SHA1:B596698FDD89432AEC6DE5B3D725D7B2E4ABD6CF
        SHA-256:DD5D854A850F1E59F92C80002F43F805E5C774427DD2444E50699E4D92A26860
        SHA-512:1A6A10AF59BA4BC7C4E191D8703DE21637669D08871BA377AB6A58F8B352FEA0E49550E2C09DA1D27619E1985D5D1D89971649AC34AA5880F69855BC10609F7B
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Process:C:\Windows\System32\msiexec.exe
        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
        Category:dropped
        Size (bytes):432221
        Entropy (8bit):5.375172305062548
        Encrypted:false
        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauG:zTtbmkExhMJCIpErL
        MD5:D637C7CDDD42AB3C1A36803DFF9E7665
        SHA1:6C41A9298B74388CB8400D214A7299EB9EAAB025
        SHA-256:DF38B7DC1DA68A97EB77E32026B2E2A507C18664DE66EE39186ACC89BB1E5971
        SHA-512:883A43275BFEC9B74781BD079F97F997510E81715A6B578A23EEE8C9E7596570630E925029DE2DEE0E195D3A54EA7E079936A7FF53E4B461ABF9CA3AEF875ED1
        Malicious:false
        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
        Process:C:\Windows\System32\msiexec.exe
        File Type:Generic INItialization configuration [CreateColumn]
        Category:dropped
        Size (bytes):1817
        Entropy (8bit):5.5437721839708
        Encrypted:false
        SSDEEP:48:8e0FRAeRRLNO2bRN6k4Gu1QySquyF0gi1siBdiJiRO2uiCNegiLP8iz8iWi67JNE:d0FRAeRRxTbRNyDXhi1siziJiRTuige1
        MD5:3BECDA5DB32179456566FA78FD8011EC
        SHA1:AD4021E1F448DC77DE13B4419FCFBDA08D71790F
        SHA-256:425AE9D7540E753E3A617FE769A1EC91CE87E6BD072660839B807974BD6FA7B5
        SHA-512:59E3B8C7083B04435D6797F4EEE89BDD531FC8C24AC4AF2AB15BF1EC62FE4AA78EF9DC356362AC048C12134056612F985F1BD3C031B1592A900487D11A68924B
        Malicious:false
        Preview:[MAINWINDOW]..X=0..Y=0..CX=-1..CY=-1....[CreateColumn]..String1=SIN(X)....[Create3DCurveX]..String1=T*COS(T)....[Create3DCurveY]..String1=T*SIN(T)....[Create3DCurveZ]..String1=2*T....[Create3DMesh]..String1=Sin(X*Y)....[Transform]..String1=Z2=H2O_OUT-H2O_IN..String2=Z1=H2O_OUT-H2O_IN..String3=Z1=X*X..String4=Z=X+Y..String5=Y=SIN(X)....[FillSelection]..String1=COS(X)....[OneDimensionMap]..String1=3*X*(1-X)....[TwoDimensionMapX]..String1=1-1.4*X*X+Y....[TwoDimensionMapY]..String1=0.3*X....[ThreeDimensionMapX]..String1=3*X*(1-X)....[ThreeDimensionMapY]..String1=3*Y*(1-Y)....[ThreeDimensionMapZ]..String1=3*Z*(1-Z)....[FuncPlotRect]..String1=SIN(X)....[FuncPlotPolar]..String1=SIN(X*PI/180)....[FuncPlotSmith]..String1=ABS(X)....[FuncPlot3DCurveX]..String1=T*SIN(T)....[FuncPlot3DCurveY]..String1=T*COS(T)....[FuncPlot3DCurveZ]..String1=T+1..String2=T....[FuncPlotSurfXYZ]..String1=sin(X*Y)+3....[FuncPlotSurfSphere]..String1=(Y/360)*SIN(X*PI/180)..String2=1....[FuncPlotSurfCylinder]..String1=Y/7
        Process:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        File Type:PPD file, version "4.3"
        Category:dropped
        Size (bytes):6748
        Entropy (8bit):5.29328268785933
        Encrypted:false
        SSDEEP:192:ltLfXoc5snTSsyjshJsC1Cs3zspSscJscIsAJ4sSSs5s2sCxs+szsZs4sl36K2iF:ltL3WS9iICfpwcrSaLVL+Ip23b2ioip
        MD5:28C493B44925221AA69F020E6AF6176B
        SHA1:45D04D3E144CA3A9BA7A038CE50B5960E5903AE7
        SHA-256:9258203F212D58C04C81A2CCE6511D6FA53D65F569C14DCF35CEA19AF815CDBB
        SHA-512:BC873725E54A866B11150928A1913C455BA5833E2EC9BC4183D7AB8BD53440980591DE118BCB0DE9FB1A47C68E229794F6C870F9ECD1E5E2EA7A3C65EC07CA73
        Malicious:false
        Preview:*PPD-Adobe: "4.3"..*% Adobe Systems PostScript(R) Printer Description File..*% Copyright 1995, 2001, 2003, Microsoft Corporation..*% All rights reserved...*% Permission is granted for redistribution of this file as..*% long as this copyright notice is intact and the contents..*% of the file is not altered in any way from its original form...*%..*% This PPD is designed to generate a composite CMYK..*% PostScript file suitable for converting to a PDF file in a..*% commercial printing workflow. It originally shipped with..*% Microsoft Publisher version 11...*%..*FormatVersion: "4.3"..*FileVersion: "1.0"..*PCFileName: "PSIPSCRP.PPD"..*LanguageEncoding: ISOLatin1..*LanguageVersion: English..*Manufacturer: "Poly Software International"..*Product: "(PSI Color PostScript)"..*PSVersion: "(3011.0) 0"..*ModelName: "PSI Color PostScript"..*NickName: "PSI Color PostScript"..*ShortNickName: "PSI Color PostScript"....*% ==== General Information and Defaults ================..*FreeVM: "9992192"..*VMOp
        Process:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):854016
        Entropy (8bit):5.956259482904397
        Encrypted:false
        SSDEEP:12288:5rOSJf44R1/kwm018HwzEo2x2S/2RHCyO/XWseji6XxpW:Zf44R1/kwH1WoLCyO/XFe9vW
        MD5:2A5755B795E19A833BE731E306C2B393
        SHA1:FD63627AE3E0B6B8D51C3052ABD772BB7388BAE7
        SHA-256:CCDEB169EAFDFDD96588DF803543B4A912A3096B2FE24767E8D8C129667EF448
        SHA-512:5D02E87A96C5B60A86717BE8150ADEA692E11AD5047B7C5550732704D50566C2B2ADC840E8D3EB2D594CA18C72D503F642CAB54DA73D733B2B38F80B4C664450
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Process:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        File Type:MS Windows 3.1 help, Tue Apr 17 13:11:49 2001, 26038 bytes
        Category:dropped
        Size (bytes):26038
        Entropy (8bit):4.55580668806265
        Encrypted:false
        SSDEEP:384:uX0EppE1e80vvpyGf7t1ayKu0rtP1dOxjPp:uboUXpLB1+u0RP18xjPp
        MD5:02C3F8C32018F3AAF66E7421400F1781
        SHA1:A04F2E40287AF78867161FA3F1606045088DA212
        SHA-256:6FAEF4C998E810FFF139958F28722C79879EC2FD66C97C7E3E2C5040FD5550D9
        SHA-512:C30FEE64D74A536117DE46C81B6E22EC82634D1284783A317BC15E85CFD561FAD7D50A63CA863EA6520B5CBAECF9061F7B52D3D99050484CE8A004F81DAB7990
        Malicious:false
        Process:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        File Type:data
        Category:dropped
        Size (bytes):1062732
        Entropy (8bit):5.327224938603629
        Encrypted:false
        SSDEEP:24576:aLpbAtwnsRdpq5Ii/8AbQ7d9R+3UXbdwTwTJg:8M+n8oe/vbdWwTJg
        MD5:C18E8DA3F5C91760E00DFAE8B6364BED
        SHA1:566D28948DAE855C8E5F560EAD7E0D8CC73DC1D5
        SHA-256:F49C950531E485BBC4B35161CF049ADF8363D0BD222CFED2EEDE2A13FE418187
        SHA-512:65C7F8C129D71DE9B887B5741760D86955035F977B32B89CF43A31EB973178AF6BAE1E5D39DCA19B56F6BB0139634F44E90C31CFAC00F75E64908D7B36A75D3A
        Malicious:false
        Process:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
        Category:dropped
        Size (bytes):628736
        Entropy (8bit):6.675098433423424
        Encrypted:false
        SSDEEP:12288:aCiHW5JC2rb9T2JPyc3sgTaWDwUjXZAjlxfUAC3LZui:aVW5JdrS+geWDwpj3cAC3LY
        MD5:BAD12C605CA489C061E636E840720056
        SHA1:D4006D6CA409289012F4506897B2CEC10B527DF0
        SHA-256:A3A71C558C96FEDA11CFF875C90779B90B3540EBCF52ACEB465C69B01DD0B1D4
        SHA-512:8C5381690AB37952E4DD2503E7601833BFBB8C565009CD99CC76C651720F9F4D78F3D84EE3DF9779DDC3E6175043FCDB6E4F17EF46F4884CB4BC4162F6AD1B83
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Process:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        File Type:PPD file, version "4.3"
        Category:dropped
        Size (bytes):6748
        Entropy (8bit):5.29328268785933
        Encrypted:false
        SSDEEP:192:ltLfXoc5snTSsyjshJsC1Cs3zspSscJscIsAJ4sSSs5s2sCxs+szsZs4sl36K2iF:ltL3WS9iICfpwcrSaLVL+Ip23b2ioip
        MD5:28C493B44925221AA69F020E6AF6176B
        SHA1:45D04D3E144CA3A9BA7A038CE50B5960E5903AE7
        SHA-256:9258203F212D58C04C81A2CCE6511D6FA53D65F569C14DCF35CEA19AF815CDBB
        SHA-512:BC873725E54A866B11150928A1913C455BA5833E2EC9BC4183D7AB8BD53440980591DE118BCB0DE9FB1A47C68E229794F6C870F9ECD1E5E2EA7A3C65EC07CA73
        Malicious:false
        Preview:*PPD-Adobe: "4.3"..*% Adobe Systems PostScript(R) Printer Description File..*% Copyright 1995, 2001, 2003, Microsoft Corporation..*% All rights reserved...*% Permission is granted for redistribution of this file as..*% long as this copyright notice is intact and the contents..*% of the file is not altered in any way from its original form...*%..*% This PPD is designed to generate a composite CMYK..*% PostScript file suitable for converting to a PDF file in a..*% commercial printing workflow. It originally shipped with..*% Microsoft Publisher version 11...*%..*FormatVersion: "4.3"..*FileVersion: "1.0"..*PCFileName: "PSIPSCRP.PPD"..*LanguageEncoding: ISOLatin1..*LanguageVersion: English..*Manufacturer: "Poly Software International"..*Product: "(PSI Color PostScript)"..*PSVersion: "(3011.0) 0"..*ModelName: "PSI Color PostScript"..*NickName: "PSI Color PostScript"..*ShortNickName: "PSI Color PostScript"....*% ==== General Information and Defaults ================..*FreeVM: "9992192"..*VMOp
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):512
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:BF619EAC0CDF3F68D496EA9344137E8B
        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):512
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:BF619EAC0CDF3F68D496EA9344137E8B
        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):24576
        Entropy (8bit):1.8643118131466125
        Encrypted:false
        SSDEEP:48:l8PhX7uRc06WXzEFT5RwYjhwbWVS8qOdRzkdtXdfZdnlLfdnl6dyd4xdEdUednlV:Ihr15FTPBhwcdsoC7isoK
        MD5:EE2C12A9292AC9AFB1025F455DF08BA6
        SHA1:D5D4E2DE03E01F05AEF9217779CCFD5EAA0E01A6
        SHA-256:850380B07F3EB3C54B144935DA4A17A8C78321D993E88F37CECF9157CB7EAC6D
        SHA-512:9FB5BB1A290687CAAE689B9AA4E4347725992AF7EADA0F1CDE048BE35DC6D4E7834912682E9BA0BCCBBE23E0573D60E084B2B0CD5D4F7BEB78E69F3BB2865E67
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):512
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:BF619EAC0CDF3F68D496EA9344137E8B
        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):77824
        Entropy (8bit):0.30229942818458116
        Encrypted:false
        SSDEEP:48:nUMXSLqOdRzkdtXdfZdnlLfdnl6dyd4xdEdUednlAc2/dxS8qOdRzkdtXdfZdnlR:UyisordsoCtwaB
        MD5:709B492FC7C81CC85B671A015E4618D5
        SHA1:4845C712FE8F6047D478F0DEB372CF05A16DF548
        SHA-256:CD55A869633B132F28CF28660D5B12ECA0AD2EAEA0C16A39E8BEFAD160672B91
        SHA-512:B78AC7FB0ECB5CA14E2E6669EB76EA28D1EEBE82BE5356CB85736CF86941F5E71E3A0F50BBB50BCC0AFB62F7CDE737FAF8487C9CE7DE0D0BDCE8ECACA817A3C0
        Malicious:false
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):24576
        Entropy (8bit):1.8643118131466125
        Encrypted:false
        SSDEEP:48:l8PhX7uRc06WXzEFT5RwYjhwbWVS8qOdRzkdtXdfZdnlLfdnl6dyd4xdEdUednlV:Ihr15FTPBhwcdsoC7isoK
        MD5:EE2C12A9292AC9AFB1025F455DF08BA6
        SHA1:D5D4E2DE03E01F05AEF9217779CCFD5EAA0E01A6
        SHA-256:850380B07F3EB3C54B144935DA4A17A8C78321D993E88F37CECF9157CB7EAC6D
        SHA-512:9FB5BB1A290687CAAE689B9AA4E4347725992AF7EADA0F1CDE048BE35DC6D4E7834912682E9BA0BCCBBE23E0573D60E084B2B0CD5D4F7BEB78E69F3BB2865E67
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):49152
        Entropy (8bit):1.2207272217947325
        Encrypted:false
        SSDEEP:48:SyP7uoLb0CXz5T5Z7Uby7wYjhwbWVS8qOdRzkdtXdfZdnlLfdnl6dyd4xdEdUed3:pzq4T/7ywBhwcdsoC7isoK
        MD5:48EBB802BBA18F9E2B96883EA0B4478C
        SHA1:B4FF37EE73BE61589B1AAAA586B8E45006C6863F
        SHA-256:23176B2DBB8C6897778DCEA09993BEAA221EECCB7E9550A5C44F7A7CE8566FA5
        SHA-512:8AB610DE4ED8C753C64379A1691DE7FD422F840810D60F54DEE79F6A1123CD6B50BB9EE45884B964050108F971E3A76A6490661318CC2CC1B828DE12F7C22555
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):512
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:BF619EAC0CDF3F68D496EA9344137E8B
        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
        Malicious:false
        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):49152
        Entropy (8bit):1.2207272217947325
        Encrypted:false
        SSDEEP:48:SyP7uoLb0CXz5T5Z7Uby7wYjhwbWVS8qOdRzkdtXdfZdnlLfdnl6dyd4xdEdUed3:pzq4T/7ywBhwcdsoC7isoK
        MD5:48EBB802BBA18F9E2B96883EA0B4478C
        SHA1:B4FF37EE73BE61589B1AAAA586B8E45006C6863F
        SHA-256:23176B2DBB8C6897778DCEA09993BEAA221EECCB7E9550A5C44F7A7CE8566FA5
        SHA-512:8AB610DE4ED8C753C64379A1691DE7FD422F840810D60F54DEE79F6A1123CD6B50BB9EE45884B964050108F971E3A76A6490661318CC2CC1B828DE12F7C22555
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):512
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:BF619EAC0CDF3F68D496EA9344137E8B
        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
        Malicious:false
        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:data
        Category:dropped
        Size (bytes):32768
        Entropy (8bit):0.07999698103264716
        Encrypted:false
        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOYkip0BzjTA3EltwVky6la:2F0i8n0itFzDHFFip09pa
        MD5:8407B98A4EBAA05F83B3F8F37084407E
        SHA1:9D70A8683BE211B8509497CC79445F2CF61FE673
        SHA-256:FC63C182190B46127AB6077BE06BF436D1E34D4385FA75E45F373CA5C958EDDE
        SHA-512:6233FBCA4FF3AF2F22542F2DF2B3204784F7BC5386D724ADC180524CDCC5A66FE498F311EF7B1AF12558DADD6A3DE8568FDAC5B7A08D3792446039EF67E6BC56
        Malicious:false
        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):49152
        Entropy (8bit):1.2207272217947325
        Encrypted:false
        SSDEEP:48:SyP7uoLb0CXz5T5Z7Uby7wYjhwbWVS8qOdRzkdtXdfZdnlLfdnl6dyd4xdEdUed3:pzq4T/7ywBhwcdsoC7isoK
        MD5:48EBB802BBA18F9E2B96883EA0B4478C
        SHA1:B4FF37EE73BE61589B1AAAA586B8E45006C6863F
        SHA-256:23176B2DBB8C6897778DCEA09993BEAA221EECCB7E9550A5C44F7A7CE8566FA5
        SHA-512:8AB610DE4ED8C753C64379A1691DE7FD422F840810D60F54DEE79F6A1123CD6B50BB9EE45884B964050108F971E3A76A6490661318CC2CC1B828DE12F7C22555
        Malicious:false
        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Windows\System32\msiexec.exe
        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):1700352
        Entropy (8bit):6.821409907895513
        Encrypted:false
        SSDEEP:24576:i0CiGmsJ2LC4jJmNwP+6fBUAK8C0m1DQucWM9nul/SuyZfWPP90bTv6:i0K2L1Pjf2AKWmFcLulMZ9H
        MD5:D0AAAE16BA162DD89D646887F1539855
        SHA1:0A222F319B7712B861EF6ADF0C38CC2C5A2790FA
        SHA-256:D84E7EB505ADEE8EA660F48C89705977F5EB33B7299D0BD981624E3ECE320223
        SHA-512:6D7CF7B3A1DC0560791BC3DB4FC836AD0F58B8B531C593D96A37BB77AFA3AB7DD6BD4D66A97E37CDE3443078EB189609D8D36119198C60CE6B74C1A093000769
        Malicious:false
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9=.XS..XS..XS.r{J..XS..XR..YS.r{...XS.R{O.GXS.r{l..XS..{...XS.R{N..YS.r{n..XS.Rich.XS.........PE..L......;...........!.........`.......r.............z................................7...............................@j..CN...w..x....`..........................hs..h...8.......................................|.......,............................text............................... ..`.data...L...........................@...Shared.......P.......@..............@....rsrc........`... ...P..............@..@.reloc..hs...........p..............@..B..w;8...b.v;E.....w;O.....w;Z.....w;d.....w;n...........KERNEL32.dll.NTDLL.DLL.USER32.dll.GDI32.dll.ole32.dll.ADVAPI32.dll..............................................................................................................................................................................................................
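The dropped-file records above are written by msiexec several times over for the same bytes (three records carry SHA-256 23176B2D…, two carry 076A27C7…), and one of them is a 1.7 MB PE32 DLL. The following is an added triage helper, not part of the Joe Sandbox report: it parses the report's own Key:Value record layout (a new record begins at every "Process:" line), collapses duplicates by SHA-256, lists the dropped PE images, and verifies the zero-entropy 512-byte file by hashing the content that an entropy of 0.0 implies. The record text embedded below is a constructed excerpt copied from the values on this page, reduced to the fields the helper needs.

```python
"""Triage helper for Joe Sandbox dropped-file records (added example).

Parses the report's flat "Key:Value" dump, de-duplicates by SHA-256, flags
dropped PE images and checks a zero-entropy file against an all-NUL buffer.
"""
import hashlib
from collections import OrderedDict

# Constructed excerpt of the report above; only the fields used here are kept.
RECORDS_TEXT = r"""
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):49152
Entropy (8bit):1.2207272217947325
SHA-256:23176B2DBB8C6897778DCEA09993BEAA221EECCB7E9550A5C44F7A7CE8566FA5
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):49152
Entropy (8bit):1.2207272217947325
SHA-256:23176B2DBB8C6897778DCEA09993BEAA221EECCB7E9550A5C44F7A7CE8566FA5
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1700352
Entropy (8bit):6.821409907895513
SHA-256:D84E7EB505ADEE8EA660F48C89705977F5EB33B7299D0BD981624E3ECE320223
Malicious:false
"""


def parse_records(text):
    """Split the flat Key:Value dump into one dict per dropped file.

    The report starts a new record at every 'Process:' key, so that key is
    used as the record delimiter.  Only the first ':' separates key and value,
    which keeps Windows paths such as C:\\Windows\\... intact.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        if key == "Process":
            current = OrderedDict()
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def unique_by_sha256(records):
    """Collapse repeated writes of identical bytes into one entry and count
    how often each distinct artifact was observed."""
    seen = OrderedDict()
    for rec in records:
        digest = rec["SHA-256"].lower()
        if digest not in seen:
            seen[digest] = dict(rec, observed=0)
        seen[digest]["observed"] += 1
    return list(seen.values())


def dropped_pe_files(records):
    """PE images written to disk deserve a second look; the report marks them
    with a 'PE32' file type."""
    return [r for r in records
            if r["Category"] == "dropped" and r["File Type"].startswith("PE32")]


def zero_entropy_matches_nulls(record):
    """Entropy 0.0 means every byte of the file has the same value.  The
    report alone does not say which value, so hash a candidate: all-NUL,
    which is what an empty, sector-padded OLE/MSI stream looks like."""
    nulls = b"\x00" * int(record["Size (bytes)"])
    return (hashlib.sha256(nulls).hexdigest() == record["SHA-256"].lower()
            and hashlib.md5(nulls).hexdigest() == record["MD5"].lower())


if __name__ == "__main__":
    recs = parse_records(RECORDS_TEXT)
    for rec in unique_by_sha256(recs):
        print(rec["observed"], rec["Size (bytes)"], rec["SHA-256"][:16], rec["File Type"])
    print("dropped PE files:", len(dropped_pe_files(recs)))
```

Collapsing by hash before pivoting on anything else is the habit worth keeping: the report shows nine records in this stretch but only six distinct artifacts, and the only one that warrants further analysis is the single PE32 DLL.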
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.997607446175884
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.53%
        • InstallShield setup (43055/19) 0.43%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:plotdemo.exe
        File size:21'190'666 bytes
        MD5:fbce37d191eb18a9b005539336aea939
        SHA1:37588e9f8796a0480638a4ff00d305dbdb472146
        SHA256:60f39e5220113596f51c5eabca7d6f81c603487971d58b7df9b8dbc093edbfae
        SHA512:395ae9369e330906257ba8b3359fe85e7c6a6e808ee034558d34de9c554409b719f58e356e9b5f36288ab3b621ee32391faa8f1ef436a46ef4bb3f3195fe4521
        SSDEEP:393216:l1h9r7MWN1xS7AY9fmZ4HSZQBVYvZ7cMU0C8BPZFPGX07dFjuD6oDH:l1v27AYBmZqloIR0LG07du/DH
        TLSH:FA2723203EB18432F5101E741E582E57DB7A2C8DD02BB132ED769B8A7511A6FCC3AB5D
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v..&j...v...i..%v...j...v...i...v..Mi...v...T...v...v...w.._U...v...U...v..bp...v..Rich.v..........PE..L...z..@...
        Icon Hash:89adaca1e18e0183
        Entrypoint:0x41db0c
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        DLL Characteristics:
        Time Stamp:0x40C7D47A [Thu Jun 10 03:24:42 2004 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:de43819f6987002d63a5772e7e87ff4d
        Instruction
        push ebp
        mov ebp, esp
        push FFFFFFFFh
        push 00429F70h
        push 00421B1Ch
        mov eax, dword ptr fs:[00000000h]
        push eax
        mov dword ptr fs:[00000000h], esp
        sub esp, 58h
        push ebx
        push esi
        push edi
        mov dword ptr [ebp-18h], esp
        call dword ptr [00429134h]
        xor edx, edx
        mov dl, ah
        mov dword ptr [00435C88h], edx
        mov ecx, eax
        and ecx, 000000FFh
        mov dword ptr [00435C84h], ecx
        shl ecx, 08h
        add ecx, edx
        mov dword ptr [00435C80h], ecx
        shr eax, 10h
        mov dword ptr [00435C7Ch], eax
        push 00000001h
        call 00007FAFD0DBB77Dh
        pop ecx
        test eax, eax
        jne 00007FAFD0DB8A4Ah
        push 0000001Ch
        call 00007FAFD0DB8B08h
        pop ecx
        call 00007FAFD0DBA995h
        test eax, eax
        jne 00007FAFD0DB8A4Ah
        push 00000010h
        call 00007FAFD0DB8AF7h
        pop ecx
        xor esi, esi
        mov dword ptr [ebp-04h], esi
        call 00007FAFD0DBEDD4h
        call dword ptr [004291C4h]
        mov dword ptr [00437364h], eax
        call 00007FAFD0DBEC92h
        mov dword ptr [00435CBCh], eax
        call 00007FAFD0DBEA3Bh
        call 00007FAFD0DBE97Dh
        call 00007FAFD0DB8096h
        mov dword ptr [ebp-30h], esi
        lea eax, dword ptr [ebp-5Ch]
        push eax
        call dword ptr [004291C8h]
        call 00007FAFD0DBE90Eh
        mov dword ptr [ebp-64h], eax
        test byte ptr [ebp-30h], 00000001h
        je 00007FAFD0DB8A48h
        movzx eax, word ptr [ebp+00h]
        Programming Language:
        • [C++] VS98 (6.0) build 8168
        • [EXP] VC++ 6.0 SP5 build 8804
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c3e8 | 0xc8 | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0xa2d0 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x29000 | 0x440 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x27096 | 0x28000 | 46c7af0d4d60e2846b5eb4a547784134 | False | 0.563623046875 | data | 6.500548201030205 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x29000 | 0x4a9a | 0x5000 | 30f97b2245f7509efbb6bfc67044846b | False | 0.40546875 | data | 5.132198421768311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x2e000 | 0x9378 | 0x5000 | 9c8bd3fc3e1f76cd5b1478de400a1ea4 | False | 0.256201171875 | data | 3.2258995298307713 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .rsrc | 0x38000 | 0xa2d0 | 0xb000 | 52c801ef17d9d153a47591d37bb5ba94 | False | 0.8197132457386364 | data | 7.239904689008006 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
        GIF | 0x3a630 | 0x7aea | GIF image data, version 89a, 219 x 373 | English | United States | 0.9879552532892646
        RT_CURSOR | 0x3a4e0 | 0x134 | data | English | United States | 0.37012987012987014
        RT_ICON | 0x38ca0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5472972972972973
        RT_ICON | 0x38dc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.8424855491329479
        RT_ICON | 0x39330 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.5013440860215054
        RT_ICON | 0x39618 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.8217509025270758
        RT_DIALOG | 0x39f00 | 0x136 | data | English | United States | 0.6064516129032258
        RT_DIALOG | 0x3a2f0 | 0x1ea | data | English | United States | 0.5122448979591837
        RT_DIALOG | 0x3a1f8 | 0xf8 | data | English | United States | 0.6693548387096774
        RT_DIALOG | 0x3a038 | 0xc8 | data | English | United States | 0.7
        RT_DIALOG | 0x3a100 | 0xf2 | data | English | United States | 0.6900826446280992
        RT_STRING | 0x42120 | 0x6e | data | English | United States | 0.6818181818181818
        RT_STRING | 0x42190 | 0x6e | data | English | United States | 0.6
        RT_STRING | 0x42200 | 0xcc | data | English | United States | 0.5392156862745098
        RT_GROUP_CURSOR | 0x3a618 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
        RT_GROUP_ICON | 0x39ec0 | 0x3e | data | English | United States | 0.8387096774193549
        RT_VERSION | 0x38710 | 0x590 | data | English | United States | 0.300561797752809
        RT_MANIFEST | 0x38470 | 0x29a | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.48348348348348347
        DLL | Import
        VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
        SHELL32.dll | SHBrowseForFolderA, SHGetMalloc, SHGetPathFromIDListA
        COMCTL32.dll |
        KERNEL32.dll | GetLastError, WideCharToMultiByte, DeleteFileA, lstrlenW, InterlockedIncrement, InterlockedDecrement, QueryPerformanceFrequency, CreateEventA, Sleep, lstrcatA, CompareStringA, CompareStringW, GetVersionExA, SetFilePointer, SetFileAttributesA, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, FreeLibrary, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceA, CreateProcessA, GetSystemDefaultLCID, GlobalHandle, VerLanguageNameA, SetCurrentDirectoryA, WaitForSingleObject, GetSystemInfo, MulDiv, GetModuleFileNameA, IsValidCodePage, GetVersion, FlushFileBuffers, SetEndOfFile, LocalFree, FormatMessageA, GetDiskFreeSpaceA, GetDriveTypeA, CreateDirectoryA, RemoveDirectoryA, GetExitCodeProcess, GetCurrentProcess, GetCurrentThread, GetLocaleInfoA, UnhandledExceptionFilter, lstrlenA, GetACP, GetCPInfo, SetUnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, SetLastError, HeapDestroy, GetEnvironmentVariableA, LCMapStringW, LCMapStringA, DeleteCriticalSection, InitializeCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, HeapSize, HeapReAlloc, LeaveCriticalSection, EnterCriticalSection, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, TerminateProcess, ExitProcess, RaiseException, RtlUnwind, SystemTimeToFileTime, QueryPerformanceCounter, ResetEvent, SetEvent, GetShortPathNameA, SearchPathA, FindFirstFileA, VirtualProtect, VirtualQuery, FindClose, GetStdHandle, GetFileType, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CreateFileA, GetFileSize, GlobalAlloc, CloseHandle, GlobalLock, ReadFile, GlobalUnlock, GlobalFree, CopyFileA, MultiByteToWideChar, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, CreateThread, GetExitCodeThread, GetTickCount, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GetTempPathA, SetErrorMode, GetWindowsDirectoryA, GetTempFileNameA, GetFileAttributesA, GetProcessHeap, HeapAlloc, HeapFree, WriteFile, lstrcpynA, lstrcpyA, CreateFileMappingA, MapViewOfFile, HeapCreate, UnmapViewOfFile, SetHandleCount, GetOEMCP
        USER32.dll | GetParent, GetWindowTextLengthA, GetWindowTextA, MoveWindow, GetWindowPlacement, DrawIcon, DestroyIcon, GetDlgCtrlID, SetWindowTextA, FillRect, GetSysColor, GetSysColorBrush, IsDialogMessageA, SendMessageA, EnableWindow, GetDlgItemTextA, GetWindow, SetCursor, UpdateWindow, GetClassInfoA, wvsprintfA, LoadStringA, GetSystemMetrics, SetRect, FindWindowA, IntersectRect, SubtractRect, CharPrevA, DestroyWindow, CreateDialogParamA, MessageBoxIndirectA, CharNextA, MessageBoxA, WaitForInputIdle, GetWindowLongA, BeginPaint, EndPaint, SetWindowLongA, GetClientRect, ClientToScreen, SetWindowPos, GetWindowDC, EndDialog, GetDlgItem, ShowWindow, DialogBoxParamA, GetDesktopWindow, wsprintfA, MsgWaitForMultipleObjects, PeekMessageA, DefWindowProcA, PostMessageA, KillTimer, PostQuitMessage, SetTimer, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, GetMessageA, TranslateMessage, DispatchMessageA, GetDC, ReleaseDC, ExitWindowsEx, SendDlgItemMessageA, IsWindow, CharLowerBuffA, GetWindowRect
        GDI32.dll | GetTextExtentPoint32A, SetBkMode, SetTextColor, GetObjectA, CreateFontIndirectA, CreateSolidBrush, CreateCompatibleDC, SelectObject, CreateFontA, DeleteDC, DeleteObject, GetStockObject, GetSystemPaletteEntries, CreatePalette, GetDeviceCaps, SelectPalette, RealizePalette, CreateDIBitmap, BitBlt, TranslateCharsetInfo
        ADVAPI32.dll | RegQueryValueA, RegOpenKeyA, RegQueryValueExA, RegCloseKey, RegDeleteValueA, RegSetValueExA, RegCreateKeyExA, RegEnumValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, FreeSid, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenThreadToken, RegOpenKeyExA
        ole32.dll | StringFromCLSID, CoTaskMemFree, CoCreateGuid, CoCreateInstance, GetRunningObjectTable, StgIsStorageFile, StgOpenStorage, CoUninitialize, CoInitialize, CreateItemMoniker
        OLEAUT32.dll | VariantChangeType, SysAllocString, SysAllocStringLen, SysStringLen, SysReAllocStringLen, SysFreeString, VariantClear
        Language of compilation system | Country where language is spoken
        English | United States
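The static facts above are internally consistent, and a triager should confirm that rather than take the tables on trust: the entry point 0x41db0c falls inside .text, the import, IAT and resource directories each sit inside a single section, RELOCS_STRIPPED together with an empty BASERELOC directory and no DLL characteristics means the image loads only at 0x400000 (no ASLR, no NX flag, as expected of a 2004 VC6 link), and the four sections account for roughly 0x3e000 bytes of a 21 MB file, so almost everything is overlay (the packaged InstallShield/MSI payload that the high whole-file entropy of 7.9976 reflects, while .text itself sits at a normal 6.5). The following is an added cross-check script, not part of the Joe Sandbox report; the section table, directories, entry point, image base, file size and timestamp are copied from the report, while the header size and section alignment of 0x1000 are assumptions inferred from the 0x1000-aligned raw sizes and virtual addresses, not values the report states.

```python
"""Cross-checks on the static PE facts from the report (added example).

Resolves RVAs to sections, checks that each data directory lies in one
section, estimates the overlay and decodes the link timestamp.
"""
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x41DB0C
FILE_SIZE = 21_190_666
TIME_DATE_STAMP = 0x40C7D47A
# Assumptions (not stated in the report): inferred from the 0x1000-aligned
# raw sizes and from .rdata starting exactly 0x28000 after .text.
ASSUMED_HEADER_SIZE = 0x1000
ASSUMED_SECTION_ALIGNMENT = 0x1000

# (name, virtual address, virtual size, raw size) from the section table
SECTIONS = [
    (".text",  0x1000,  0x27096, 0x28000),
    (".rdata", 0x29000, 0x4A9A,  0x5000),
    (".data",  0x2E000, 0x9378,  0x5000),
    (".rsrc",  0x38000, 0xA2D0,  0xB000),
]

# (rva, size) for the non-empty data directories
DIRECTORIES = {
    "IMPORT":   (0x2C3E8, 0xC8),
    "RESOURCE": (0x38000, 0xA2D0),
    "IAT":      (0x29000, 0x440),
}


def _align_up(n, alignment):
    return (n + alignment - 1) // alignment * alignment


def section_for_rva(rva):
    """Name of the section whose mapped range contains rva, or None.

    The loader maps each section to its virtual size rounded up to the
    section alignment; an RVA that hits no section points at the headers
    or at nothing, which for a directory or entry point is a red flag.
    """
    for name, va, vsize, _raw in SECTIONS:
        if va <= rva < va + _align_up(vsize, ASSUMED_SECTION_ALIGNMENT):
            return name
    return None


def entry_point_section():
    """Section containing AddressOfEntryPoint; for a normal build, .text."""
    return section_for_rva(ENTRY_POINT_VA - IMAGE_BASE)


def directories_in_sections():
    """Map each directory to the single section holding its whole extent.

    A directory that straddles two sections or lies outside all of them is
    a classic sign of a hand-edited or packed header; such entries map to None.
    """
    result = {}
    for name, (rva, size) in DIRECTORIES.items():
        first, last = section_for_rva(rva), section_for_rva(rva + size - 1)
        result[name] = first if first == last else None
    return result


def image_size_on_disk():
    """Headers plus the raw size of every section."""
    return ASSUMED_HEADER_SIZE + sum(raw for _, _, _, raw in SECTIONS)


def overlay_size():
    """Bytes appended after the last section.  Here the PE image is about
    0x3e000 bytes, so nearly the whole 21 MB file is overlay."""
    return FILE_SIZE - image_size_on_disk()


def compile_time_utc(stamp=TIME_DATE_STAMP):
    """TimeDateStamp is seconds since the Unix epoch, decoded as UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print("entry point in", entry_point_section())
    print("directories:", directories_in_sections())
    print("overlay bytes:", overlay_size(), "of", FILE_SIZE)
    print("linked:", compile_time_utc(), "UTC")
```

The overlay figure is the actionable result: when a 21 MB sample has a 250 KB PE image, the analysis effort belongs on what the stub extracts (here the MSI that msiexec later installs), not on the stub's own code.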
        No network behavior found

        Target ID:0
        Start time:14:18:01
        Start date:10/10/2024
        Path:C:\Users\user\Desktop\plotdemo.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\plotdemo.exe"
        Imagebase:0x400000
        File size:21'190'666 bytes
        MD5 hash:FBCE37D191EB18A9B005539336AEA939
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:1
        Start time:14:18:07
        Start date:10/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):true
        Commandline:MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{96644CA9-8EA3-446B-8568-6E1624759883}\PSI-Plot Ver 10.5 Working Demo.msi" SETUPEXEDIR="C:\Users\user\Desktop"
        Imagebase:0xdb0000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:14:18:07
        Start date:10/10/2024
        Path:C:\Windows\System32\msiexec.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\msiexec.exe /V
        Imagebase:0x7ff6902e0000
        File size:69'632 bytes
        MD5 hash:E5DA170027542E25EDE42FC54C929077
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:3
        Start time:14:18:08
        Start date:10/10/2024
        Path:C:\Windows\SysWOW64\msiexec.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8C8A1754951F47B4EB3715E07FE2E622 C
        Imagebase:0xdb0000
        File size:59'904 bytes
        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:7
        Start time:14:18:30
        Start date:10/10/2024
        Path:C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\PSI\PSIPLOT\InstPost.exe"
        Imagebase:0x400000
        File size:229'376 bytes
        MD5 hash:AEE180154B6C0A64DB80E8824B9DED9A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Antivirus matches:
        • Detection: 0%, ReversingLabs
        Reputation:low
        Has exited:true


          Execution Graph

          Execution Coverage:14.8%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:5.6%
          Total number of Nodes:2000
          Total number of Limit Nodes:50
          execution_graph: node and edge data of the interactive call-graph view (numeric node ids, function addresses and call edges), not reproduced here. API nodes reached in the graphed code: GetLastError, SetLastError, SysFreeString, RtlAllocateHeap, RtlFreeHeap, HeapAlloc, HeapReAlloc, HeapFree, VirtualAlloc, VirtualFree, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, WriteFile, GetModuleFileNameA, LoadLibraryA, GetProcAddress, GetWindowLongA, SetWindowLongA, DefWindowProcA, BeginPaint, EndPaint, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, DeleteObject, SetWindowPos, GetClientRect, ClientToScreen, GetWindowDC, CreateDIBitmap, ReleaseDC, FindResourceA, SizeofResource, LoadResource, LockResource; CRT helpers labelled __EH_prolog, __ftol, __vprintf_l and ctype also appear as nodes.
17993->17994 17994->17956 17997 41a2d5 17995->17997 17996 419adb 17999 41a2b1 17996->17999 17997->17996 18011 41a342 17997->18011 18000 41a2b4 17999->18000 18001 419ae3 18000->18001 18017 41a2f3 18000->18017 18001->17993 18001->17994 18004 41a16d 18003->18004 18005 41a171 18003->18005 18004->17988 18005->18004 18006 41a19a 18005->18006 18010 406d48 ctype 29 API calls 18005->18010 18006->18004 18007 41a1cf 18006->18007 18008 406d48 ctype 29 API calls 18006->18008 18009 41a342 ctype 29 API calls 18007->18009 18008->18007 18009->18004 18010->18006 18012 41a34f 18011->18012 18013 406d48 ctype 29 API calls 18012->18013 18014 41a37e 18013->18014 18015 406d48 ctype 29 API calls 18014->18015 18016 41a384 18015->18016 18016->17997 18018 41a300 18017->18018 18019 406d48 ctype 29 API calls 18018->18019 18020 41a33a 18019->18020 18020->18000 18022 419b93 __vprintf_l 18021->18022 18028 419b2a 18021->18028 18023 419ba3 lstrcmpA 18022->18023 18024 419bc4 lstrcmpA 18023->18024 18025 419bbf __vprintf_l 18023->18025 18024->18025 18024->18028 18026 41b948 __vprintf_l 29 API calls 18025->18026 18025->18028 18029 419c9b __vprintf_l ctype 18025->18029 18026->18029 18028->17960 18028->17961 18029->18028 18038 419eaf 18029->18038 18047 419d7c 18029->18047 18032 41a1ee 18031->18032 18034 41a1f7 __vprintf_l 18031->18034 18033 41b948 __vprintf_l 29 API calls 18032->18033 18033->18034 18034->17964 18036 41b948 __vprintf_l 29 API calls 18035->18036 18037 41a28b 18036->18037 18037->17960 18039 41b948 __vprintf_l 29 API calls 18038->18039 18040 419eba 18039->18040 18041 419ec6 18040->18041 18060 41a38d 18040->18060 18045 419ed0 __vprintf_l 18041->18045 18054 41a42a 18041->18054 18043 419ee5 18044 41a27d 29 API calls 18043->18044 18043->18045 18044->18045 18045->18029 18048 419d8d __vprintf_l 18047->18048 18053 419dc0 __vprintf_l 18047->18053 18049 419e9f 18048->18049 18051 419db1 18048->18051 18093 419f22 18049->18093 18051->18053 18084 419f91 18051->18084 18053->18029 18055 41a444 __vprintf_l 
18054->18055 18058 41a50c ctype 18054->18058 18056 41b948 __vprintf_l 29 API calls 18055->18056 18055->18058 18059 41a504 __vprintf_l ctype 18055->18059 18056->18059 18058->18043 18059->18058 18064 41ac10 18059->18064 18061 41a395 18060->18061 18078 41a3e5 18061->18078 18063 41a3aa 18063->18041 18065 41ac1d __vprintf_l 18064->18065 18072 41abc5 18065->18072 18068 41b948 __vprintf_l 29 API calls 18069 41ac8d 18068->18069 18070 41b948 __vprintf_l 29 API calls 18069->18070 18071 41ac9a 18070->18071 18071->18058 18073 41abd5 18072->18073 18074 41abdb 18072->18074 18075 406d48 ctype 29 API calls 18073->18075 18076 41abec 18074->18076 18077 406d48 ctype 29 API calls 18074->18077 18075->18074 18076->18068 18077->18076 18079 41a3ee ctype 18078->18079 18080 406d48 ctype 29 API calls 18079->18080 18083 41a3fd 18079->18083 18080->18083 18081 406d48 ctype 29 API calls 18082 41a40b ctype 18081->18082 18082->18063 18083->18081 18083->18082 18098 41a007 18084->18098 18086 419fac 18087 41b948 __vprintf_l 29 API calls 18086->18087 18091 419fd2 18086->18091 18088 419fbc 18087->18088 18090 419fc8 18088->18090 18102 41a970 18088->18102 18090->18091 18092 41a27d 29 API calls 18090->18092 18091->18053 18092->18091 18094 41b948 __vprintf_l 29 API calls 18093->18094 18095 419f2d 18094->18095 18096 419f43 __vprintf_l 18095->18096 18097 41a27d 29 API calls 18095->18097 18096->18053 18097->18096 18099 41a033 __vprintf_l 18098->18099 18101 41a07e __vprintf_l 18098->18101 18100 41a062 lstrcmpA 18099->18100 18099->18101 18100->18101 18101->18086 18103 41a978 18102->18103 18106 41a9c4 18103->18106 18107 41a9cc ctype 18106->18107 18108 41a989 18107->18108 18109 406d48 ctype 29 API calls 18107->18109 18108->18090 18109->18108 18110 409d11 IsWindow 18111 409d50 18110->18111 18112 409d21 18110->18112 18115 409daf 18112->18115 18116 409dc0 18115->18116 18117 409d27 GetDlgItem SendMessageA 18115->18117 18116->18117 18118 409dd0 PeekMessageA 18116->18118 18118->18117 18119 409de3 IsDialogMessageA 
18118->18119 18119->18116 18120 409df7 TranslateMessage DispatchMessageA 18119->18120 18120->18116 18121 406d53 ReadFile 18122 406d74 GetLastError 18121->18122 18123 406d8b 18121->18123 18124 406d86 18122->18124 18125 41d256 18134 41d2fb 18125->18134 18128 41d267 GetCurrentProcess TerminateProcess 18129 41d278 18128->18129 18130 41d2e2 18129->18130 18131 41d2e9 ExitProcess 18129->18131 18137 41d304 18130->18137 18135 4202d7 ctype 29 API calls 18134->18135 18136 41d25c 18135->18136 18136->18128 18136->18129 18140 420338 LeaveCriticalSection 18137->18140 18139 41d2e7 18140->18139 18141 4018fa 18142 401973 SetTimer 18141->18142 18143 401903 18141->18143 18146 401952 18142->18146 18144 401906 18143->18144 18145 40195b KillTimer PostQuitMessage 18143->18145 18147 401921 18144->18147 18148 40190d DefWindowProcA 18144->18148 18145->18146 18147->18146 18152 401579 18147->18152 18148->18146 18151 401943 PostMessageA 18151->18146 18153 401583 __vprintf_l __EH_prolog 18152->18153 18160 4015dd 18153->18160 18187 4160af lstrlenA 18153->18187 18155 4015c7 18194 416211 GetFileAttributesA 18155->18194 18158 4015d7 18202 41624b 18158->18202 18160->18146 18160->18151 18161 4015e2 ctype 18161->18160 18196 401998 18161->18196 18171 401758 18174 401fac ctype 29 API calls 18171->18174 18173 41624b 4 API calls 18176 401660 18173->18176 18175 401767 18174->18175 18179 4028a3 ctype 29 API calls 18175->18179 18176->18160 18218 401ae9 18176->18218 18177 401d30 47 API calls 18184 4016ee 18177->18184 18178 416285 9 API calls 18180 40168c 18178->18180 18179->18160 18180->18178 18182 4016da lstrlenA 18180->18182 18180->18184 18232 401d30 18180->18232 18277 401a4a 18180->18277 18181 41624b 4 API calls 18181->18184 18182->18180 18182->18184 18184->18171 18184->18177 18184->18181 18186 401747 lstrlenA 18184->18186 18280 401a64 18184->18280 18186->18171 18186->18184 18188 4160c2 18187->18188 18189 4160dd lstrcpyA 18187->18189 18188->18189 18191 4160ce lstrcpynA 18188->18191 18190 4160e7 18189->18190 
18283 415f56 18190->18283 18191->18190 18195 4015d3 18194->18195 18195->18158 18195->18161 18300 4019c4 18196->18300 18199 4019ae 18200 4019c4 120 API calls 18199->18200 18201 401646 18200->18201 18201->18176 18209 416285 18201->18209 18313 41622e GetFileAttributesA 18202->18313 18205 41625b SetErrorMode RemoveDirectoryA 18207 416277 18205->18207 18208 41627a SetErrorMode 18205->18208 18206 41627f 18206->18160 18207->18208 18208->18206 18210 416211 GetFileAttributesA 18209->18210 18211 416290 18210->18211 18212 401656 18211->18212 18315 4162da SetErrorMode CreateFileA 18211->18315 18212->18173 18212->18176 18215 4162a6 SetErrorMode SetFileAttributesA DeleteFileA 18216 4162cb 18215->18216 18217 4162ce SetErrorMode 18215->18217 18216->18217 18217->18212 18219 401af3 __EH_prolog 18218->18219 18319 4037f9 18219->18319 18222 401fac ctype 29 API calls 18223 40167a 18222->18223 18224 401b31 18223->18224 18225 401b3d __vprintf_l 18224->18225 18326 402a64 18225->18326 18227 401b4b 18329 4031b6 18227->18329 18233 401d3a __EH_prolog 18232->18233 18234 401f81 18233->18234 18235 401fac ctype 29 API calls 18233->18235 18234->18180 18236 401d5c __vprintf_l 18235->18236 18237 40355c 30 API calls 18236->18237 18238 401d71 18237->18238 19074 4031ca 18238->19074 18241 401fac ctype 29 API calls 18242 401d93 18241->18242 18243 401f85 lstrcpynA 18242->18243 18244 401d9f 18242->18244 18243->18234 18245 401fac ctype 29 API calls 18244->18245 18246 401dae 18245->18246 18247 401ef1 18246->18247 18248 401dba 18246->18248 18249 401fac ctype 29 API calls 18247->18249 18250 401fac ctype 29 API calls 18248->18250 18251 401f00 __vprintf_l 18249->18251 18252 401dc9 __vprintf_l 18250->18252 18253 40355c 30 API calls 18251->18253 18254 40355c 30 API calls 18252->18254 18255 401f15 18253->18255 18256 401ddf 18254->18256 18258 4028ec 45 API calls 18255->18258 19079 4028ec 18256->19079 18260 401f2d 18258->18260 18261 40348e 30 API calls 18260->18261 18263 401f41 18261->18263 18262 40348e 30 API calls 
18264 401e0b 18262->18264 18265 401fac ctype 29 API calls 18263->18265 18266 401fac ctype 29 API calls 18264->18266 18267 401f4e 18265->18267 18268 401e18 18266->18268 18269 401fac ctype 29 API calls 18267->18269 18270 401fac ctype 29 API calls 18268->18270 18271 401f5b lstrcpynA 18269->18271 18276 401e25 18270->18276 18274 401ec7 18271->18274 18273 401fac ctype 29 API calls 18273->18234 18274->18273 18275 402e0b 30 API calls 18275->18276 18276->18274 18276->18275 19127 401a7e 18277->19127 18281 401a7e 122 API calls 18280->18281 18282 401a7b 18281->18282 18282->18184 18284 415f72 CharPrevA 18283->18284 18285 415f6a CharNextA 18283->18285 18286 415f81 18284->18286 18287 415f97 lstrcatA 18284->18287 18285->18284 18285->18285 18291 416103 18286->18291 18287->18155 18290 415f8b CharNextA CharNextA 18290->18287 18294 416114 18291->18294 18295 416125 CharNextA 18294->18295 18296 41612d 18294->18296 18295->18296 18297 415f87 18295->18297 18296->18297 18298 41613f CharNextA 18296->18298 18297->18287 18297->18290 18298->18297 18299 416147 CharNextA CharNextA 18298->18299 18299->18297 18301 4019ce __EH_prolog 18300->18301 18302 401ae9 29 API calls 18301->18302 18303 4019da 18302->18303 18304 401b31 117 API calls 18303->18304 18305 4019ea 18304->18305 18306 401d30 47 API calls 18305->18306 18307 401a03 lstrlenA 18306->18307 18308 401a10 18307->18308 18309 401fac ctype 29 API calls 18308->18309 18310 401a2d 18309->18310 18311 4028a3 ctype 29 API calls 18310->18311 18312 401628 18311->18312 18312->18176 18312->18199 18314 41623d 18313->18314 18314->18205 18314->18206 18316 416312 CloseHandle 18315->18316 18317 416309 SetErrorMode 18315->18317 18318 4162a2 18316->18318 18317->18318 18318->18212 18318->18215 18320 41b948 __vprintf_l 29 API calls 18319->18320 18321 403805 18320->18321 18322 40383d 18321->18322 18323 406d48 ctype 29 API calls 18321->18323 18324 41b948 __vprintf_l 29 API calls 18322->18324 18323->18322 18325 401b0f 18324->18325 18325->18222 18384 402a99 18326->18384 
18328 402a74 __vprintf_l 18328->18227 18330 40313f ctype 29 API calls 18329->18330 18331 401b52 18330->18331 18332 4023b8 18331->18332 18333 4023c2 __EH_prolog 18332->18333 18464 402bdb 18333->18464 18336 4023e8 18517 403300 18336->18517 18337 401fac ctype 29 API calls 18338 4023fc 18337->18338 18473 402c48 GetFileSize 18338->18473 18343 401b59 18343->18180 18344 402417 18346 401fac ctype 29 API calls 18344->18346 18345 402446 __vprintf_l 18482 4036b3 18345->18482 18346->18336 18348 4024a3 18349 401fac ctype 29 API calls 18348->18349 18351 4024b8 18349->18351 18350 402463 __vprintf_l 18350->18348 18352 4036b3 61 API calls 18350->18352 18353 401fac ctype 29 API calls 18351->18353 18358 40248a __vprintf_l 18352->18358 18354 4024cb 18353->18354 18355 401fac ctype 29 API calls 18354->18355 18356 4024de 18355->18356 18357 401fac ctype 29 API calls 18356->18357 18359 4024f1 18357->18359 18358->18348 18520 403437 18358->18520 18487 402cd5 18359->18487 18362 402735 18363 401fac ctype 29 API calls 18362->18363 18364 402745 18363->18364 18366 401fac ctype 29 API calls 18364->18366 18365 402dd8 30 API calls 18382 402509 __vprintf_l 18365->18382 18367 402752 18366->18367 18368 401fac ctype 29 API calls 18367->18368 18369 40275f 18368->18369 18370 401fac ctype 29 API calls 18369->18370 18371 40276c 18370->18371 18372 401fac ctype 29 API calls 18371->18372 18373 402778 18372->18373 18373->18343 18374 40277e CloseHandle 18373->18374 18374->18343 18375 402cd5 61 API calls 18375->18382 18376 4035f8 61 API calls 18376->18382 18377 40348e 30 API calls 18377->18382 18379 401fac 29 API calls ctype 18379->18382 18380 40355c 30 API calls 18380->18382 18381 402d44 47 API calls 18381->18382 18382->18362 18382->18365 18382->18375 18382->18376 18382->18377 18382->18379 18382->18380 18382->18381 18493 402798 18382->18493 18526 403241 18382->18526 18385 402aa6 18384->18385 18386 402aab 18384->18386 18396 41b3bd 18385->18396 18388 402abf 18386->18388 18389 402ac3 18386->18389 18390 402aed 
18386->18390 18388->18389 18392 402b08 18388->18392 18391 402ad0 18389->18391 18395 401fac ctype 29 API calls 18389->18395 18390->18391 18390->18392 18393 401fac ctype 29 API calls 18390->18393 18391->18328 18392->18391 18406 402b1e 18392->18406 18393->18392 18395->18391 18397 41b3c7 __EH_prolog 18396->18397 18398 401fac ctype 29 API calls 18397->18398 18399 41b3db __vprintf_l 18398->18399 18400 402a64 __vprintf_l 30 API calls 18399->18400 18401 41b3f1 18400->18401 18412 41b417 18401->18412 18405 41b416 18407 402b28 __EH_prolog 18406->18407 18408 41b948 __vprintf_l 29 API calls 18407->18408 18410 402b57 __vprintf_l 18408->18410 18409 401fac ctype 29 API calls 18411 402bac 18409->18411 18410->18409 18411->18391 18413 41b421 __EH_prolog 18412->18413 18421 41e25b 18413->18421 18415 41b43b 18416 401fac ctype 29 API calls 18415->18416 18417 41b452 18416->18417 18425 41b6d1 18417->18425 18419 41b401 18420 41d153 RaiseException 18419->18420 18420->18405 18422 41e270 __vprintf_l 18421->18422 18423 41b948 __vprintf_l 29 API calls 18422->18423 18424 41e277 ctype 18423->18424 18424->18415 18426 41b6e4 18425->18426 18427 41b6e9 18425->18427 18439 41b5e9 18426->18439 18429 41b6ff 18427->18429 18435 41b71d 18427->18435 18449 41b79f 18429->18449 18431 41b760 18432 402a99 __vprintf_l 30 API calls 18431->18432 18437 41b71b __vprintf_l 18432->18437 18434 41b79f __vprintf_l 30 API calls 18434->18437 18435->18431 18436 41b737 18435->18436 18438 401fac ctype 29 API calls 18436->18438 18437->18419 18438->18437 18440 41b5f3 __EH_prolog 18439->18440 18441 401fac ctype 29 API calls 18440->18441 18442 41b607 __vprintf_l 18441->18442 18443 402a64 __vprintf_l 30 API calls 18442->18443 18444 41b61d 18443->18444 18445 41b417 __vprintf_l 30 API calls 18444->18445 18446 41b62d 18445->18446 18457 41d153 RaiseException 18446->18457 18448 41b642 18450 41b7b2 18449->18450 18451 41b7ad 18449->18451 18458 41b806 18450->18458 18452 41b5e9 __vprintf_l 30 API calls 18451->18452 18452->18450 18454 41b70f 
18454->18434 18455 41b7b9 ctype 18455->18454 18456 402a99 __vprintf_l 30 API calls 18455->18456 18456->18454 18457->18448 18459 41b811 18458->18459 18460 41b833 18458->18460 18459->18460 18461 401fac ctype 29 API calls 18459->18461 18460->18455 18462 41b823 __vprintf_l 18461->18462 18463 402a64 __vprintf_l 30 API calls 18462->18463 18463->18460 18540 403414 18464->18540 18469 402c04 CreateFileA 18470 402c27 18469->18470 18472 4023e4 18469->18472 18471 402c2c CloseHandle 18470->18471 18470->18472 18471->18472 18472->18336 18472->18337 18474 402c63 18473->18474 18475 402413 18473->18475 18474->18475 18476 402c69 GetProcessHeap RtlAllocateHeap 18474->18476 18475->18344 18475->18345 18476->18475 18477 402c84 ReadFile 18476->18477 18478 402cc1 GetProcessHeap HeapFree 18477->18478 18479 402ca1 __vprintf_l 18477->18479 18478->18475 18880 40355c 18479->18880 18481 402cb1 GetProcessHeap HeapFree 18481->18475 18483 4036c1 18482->18483 18485 4036cf 18482->18485 18483->18350 18484 41ccb1 46 API calls 18484->18485 18485->18483 18485->18484 18901 41cbb0 18485->18901 18488 402ce5 __vprintf_l 18487->18488 18489 402d03 18487->18489 18910 4035f8 18488->18910 18489->18382 18491 402cfb __vprintf_l 18491->18489 18492 4035f8 61 API calls 18491->18492 18492->18489 18494 4027a2 __EH_prolog 18493->18494 18919 403e56 18494->18919 18496 4027bf ctype 18497 401fac ctype 29 API calls 18496->18497 18498 4027ef __vprintf_l 18497->18498 18499 40355c 30 API calls 18498->18499 18500 40280c 18499->18500 18922 402e37 18500->18922 18518 40243e 18517->18518 18519 40330a CloseHandle 18517->18519 18518->18343 18519->18518 18521 403451 18520->18521 18522 40344c 18520->18522 18524 403736 30 API calls 18521->18524 18525 403464 __vprintf_l 18521->18525 18523 41b3bd __vprintf_l 30 API calls 18522->18523 18523->18521 18524->18525 18525->18348 18527 40324b __EH_prolog 18526->18527 18528 401fac ctype 29 API calls 18527->18528 18529 403261 18528->18529 19049 403aa7 18529->19049 18534 401fac ctype 29 API calls 
18535 40328e 18534->18535 18536 401fac ctype 29 API calls 18535->18536 18537 403298 18536->18537 18538 401fac ctype 29 API calls 18537->18538 18539 4032a2 18538->18539 18539->18382 18541 403420 GetFileAttributesA 18540->18541 18542 40341b 18540->18542 18543 402be3 18541->18543 18542->18541 18543->18472 18544 403361 18543->18544 18557 403b11 18544->18557 18549 41b948 __vprintf_l 29 API calls 18550 4033b5 ctype 18549->18550 18568 41c712 18550->18568 18552 406d48 ctype 29 API calls 18554 403405 18552->18554 18575 41c695 18554->18575 18556 402bee 18556->18469 18556->18472 18558 403b18 18557->18558 18559 403b1d CreateFileA GetFileSize 18557->18559 18558->18559 18560 403b56 18559->18560 18561 403b46 18559->18561 18562 403379 18560->18562 18564 403b61 CloseHandle 18560->18564 18561->18562 18563 403b4b CloseHandle 18561->18563 18562->18556 18565 41c85a 18562->18565 18563->18562 18564->18562 18583 41c829 18565->18583 18567 4033a5 18567->18549 18567->18556 18780 41e156 18568->18780 18570 41c71e 18786 41c741 18570->18786 18573 41e1a8 2 API calls 18574 4033d0 18573->18574 18574->18552 18576 41c6aa 18575->18576 18582 41c6a4 18575->18582 18577 41e156 30 API calls 18576->18577 18578 41c6b0 18577->18578 18825 41c6c6 18578->18825 18581 41e1a8 2 API calls 18581->18582 18582->18556 18591 4201e6 18583->18591 18586 41c835 18586->18567 18590 41c852 18590->18567 18592 4202d7 ctype 29 API calls 18591->18592 18601 4201f4 18592->18601 18593 42023f 18613 420338 LeaveCriticalSection 18593->18613 18594 420246 18596 41cf30 ctype 29 API calls 18594->18596 18598 420250 18596->18598 18597 41c82f 18597->18586 18603 420076 18597->18603 18598->18593 18600 420266 InitializeCriticalSection EnterCriticalSection 18598->18600 18600->18593 18601->18593 18601->18594 18614 41e185 18601->18614 18619 41e1d7 18601->18619 18604 420095 18603->18604 18606 41c84a 18604->18606 18625 424f91 18604->18625 18607 41e1a8 18606->18607 18608 41e1b5 18607->18608 18609 41e1cc LeaveCriticalSection 18607->18609 18608->18609 
18610 41e1bc 18608->18610 18609->18590 18779 420338 LeaveCriticalSection 18610->18779 18612 41e1ca 18612->18590 18613->18597 18615 41e199 EnterCriticalSection 18614->18615 18616 41e18e 18614->18616 18615->18601 18617 4202d7 ctype 29 API calls 18616->18617 18618 41e197 18617->18618 18618->18601 18620 41e1e0 18619->18620 18621 41e1eb LeaveCriticalSection 18619->18621 18624 420338 LeaveCriticalSection 18620->18624 18621->18601 18623 41e1e9 18623->18601 18624->18623 18629 424fae 18625->18629 18626 425095 18701 41e795 18626->18701 18629->18626 18632 42506a 18629->18632 18631 4250a5 18631->18606 18663 424cb0 18632->18663 18635 425131 CreateFileA 18638 425150 GetLastError 18635->18638 18639 425164 GetFileType 18635->18639 18636 425117 18637 41e795 35 API calls 18636->18637 18642 42511c 18637->18642 18707 41e722 18638->18707 18640 425178 18639->18640 18641 42516f CloseHandle 18639->18641 18678 424dd3 18640->18678 18641->18638 18644 41e79e 35 API calls 18642->18644 18644->18631 18647 42515c 18778 424f6f LeaveCriticalSection 18647->18778 18650 4251d6 18651 4251e1 18650->18651 18652 4251fa 18650->18652 18653 41e79e 35 API calls 18651->18653 18734 41fe9d 18652->18734 18655 4251e6 18653->18655 18655->18647 18657 4251ee 18655->18657 18687 41fc51 18657->18687 18658 425220 18658->18657 18660 424aa7 37 API calls 18658->18660 18660->18655 18661 4251f4 18661->18647 18664 4202d7 ctype 29 API calls 18663->18664 18674 424cc0 18664->18674 18665 424d74 18666 41cf30 ctype 29 API calls 18665->18666 18671 424d7f 18666->18671 18667 424d72 18669 420338 ctype LeaveCriticalSection 18667->18669 18668 424d14 EnterCriticalSection 18672 424d24 LeaveCriticalSection 18668->18672 18668->18674 18673 424dc9 18669->18673 18670 4202d7 ctype 29 API calls 18670->18674 18671->18667 18675 424f10 31 API calls 18671->18675 18672->18674 18673->18635 18673->18636 18674->18665 18674->18667 18674->18668 18674->18670 18676 424cff InitializeCriticalSection 18674->18676 18677 420338 ctype LeaveCriticalSection 
18674->18677 18675->18667 18676->18674 18677->18674 18679 424de1 18678->18679 18680 424e36 18678->18680 18679->18680 18686 424e00 18679->18686 18681 41e795 35 API calls 18680->18681 18682 424e3b 18681->18682 18684 41e79e 35 API calls 18682->18684 18683 424e2c 18683->18647 18724 424aa7 18683->18724 18684->18683 18685 424e26 SetStdHandle 18685->18683 18686->18683 18686->18685 18688 41fc96 18687->18688 18689 41fc5e 18687->18689 18690 41e795 35 API calls 18688->18690 18689->18688 18691 41fc79 18689->18691 18693 41fc9b 18690->18693 18692 424f10 31 API calls 18691->18692 18694 41fc80 18692->18694 18695 41e79e 35 API calls 18693->18695 18696 41fcae 38 API calls 18694->18696 18697 41fca6 18695->18697 18698 41fc86 18696->18698 18697->18661 18699 424f6f LeaveCriticalSection 18698->18699 18702 41fb33 35 API calls 18701->18702 18703 41e79a 18702->18703 18704 41e79e 18703->18704 18705 41fb33 35 API calls 18704->18705 18706 41e7a3 18705->18706 18706->18631 18708 41e79e 35 API calls 18707->18708 18709 41e728 18708->18709 18710 41e75b 18709->18710 18712 41e744 18709->18712 18711 41e795 35 API calls 18710->18711 18714 41e760 18711->18714 18713 41e76b 18712->18713 18715 41e74e 18712->18715 18716 41e788 18713->18716 18719 41e77b 18713->18719 18714->18647 18718 41e795 35 API calls 18715->18718 18717 41e795 35 API calls 18716->18717 18720 41e78d 18717->18720 18721 41e753 18718->18721 18722 41e795 35 API calls 18719->18722 18720->18647 18721->18647 18723 41e780 18722->18723 18723->18647 18725 424ece 35 API calls 18724->18725 18726 424ab3 18725->18726 18727 424ac6 SetFilePointer 18726->18727 18728 424ab9 18726->18728 18730 424ae6 18727->18730 18731 424ade GetLastError 18727->18731 18729 41e795 35 API calls 18728->18729 18733 424abe 18729->18733 18732 41e722 35 API calls 18730->18732 18730->18733 18731->18730 18732->18733 18733->18650 18736 41feb9 18734->18736 18744 41ff3e 18734->18744 18735 41ff08 ReadFile 18737 41ff21 GetLastError 18735->18737 18746 41ff5a 18735->18746 18736->18735 
18736->18744 18738 41ff42 18737->18738 18739 41ff2e 18737->18739 18742 41e722 35 API calls 18738->18742 18738->18744 18740 41e795 35 API calls 18739->18740 18741 41ff33 18740->18741 18743 41e79e 35 API calls 18741->18743 18742->18744 18743->18744 18744->18658 18750 426100 18744->18750 18745 41ffd3 ReadFile 18747 41fff1 GetLastError 18745->18747 18748 41fffb 18745->18748 18746->18744 18746->18745 18747->18748 18748->18746 18749 424aa7 37 API calls 18748->18749 18749->18748 18751 42610d __vprintf_l 18750->18751 18752 424aa7 37 API calls 18751->18752 18753 42611c 18752->18753 18754 426217 18753->18754 18755 424aa7 37 API calls 18753->18755 18754->18658 18756 426138 18755->18756 18756->18754 18757 4261c2 18756->18757 18758 42614d ctype 18756->18758 18759 4261be 18757->18759 18760 424aa7 37 API calls 18757->18760 18763 426c51 35 API calls 18758->18763 18761 424aa7 37 API calls 18759->18761 18762 4261d1 18760->18762 18761->18754 18769 42616d 18763->18769 18778->18631 18779->18612 18781 41e163 18780->18781 18782 41e17a EnterCriticalSection 18780->18782 18781->18782 18783 41e16a 18781->18783 18782->18570 18784 4202d7 ctype 29 API calls 18783->18784 18785 41e178 18784->18785 18785->18570 18789 41c72f 18786->18789 18790 41c765 __vprintf_l 18786->18790 18789->18573 18790->18789 18791 41fe38 18790->18791 18805 41fd5c 18790->18805 18792 41fe85 18791->18792 18793 41fe45 18791->18793 18794 41e795 35 API calls 18792->18794 18793->18792 18795 41fe60 18793->18795 18797 41fe8a 18794->18797 18811 424f10 18795->18811 18799 41e79e 35 API calls 18797->18799 18798 41fe67 18800 41fe9d 41 API calls 18798->18800 18801 41fe95 18799->18801 18802 41fe75 18800->18802 18801->18790 18820 424f6f LeaveCriticalSection 18802->18820 18804 41fe7d 18804->18790 18807 41fd6c 18805->18807 18810 41fd78 18805->18810 18806 41fd93 18809 41fe38 44 API calls 18806->18809 18807->18806 18807->18810 18822 424b1a 18807->18822 18809->18810 18810->18790 18812 424f3b 18811->18812 18813 424f5e EnterCriticalSection 
18811->18813 18814 4202d7 ctype 29 API calls 18812->18814 18813->18798 18815 424f42 18814->18815 18816 424f56 18815->18816 18817 424f49 InitializeCriticalSection 18815->18817 18821 420338 LeaveCriticalSection 18816->18821 18817->18816 18819 424f5d 18819->18813 18820->18804 18821->18819 18823 41cf30 ctype 29 API calls 18822->18823 18824 424b2a 18823->18824 18824->18806 18826 41c6d5 18825->18826 18833 41c6b6 18825->18833 18835 41df91 18826->18835 18831 41fc51 41 API calls 18832 41c6eb 18831->18832 18832->18833 18834 41d06a ctype 29 API calls 18832->18834 18833->18581 18834->18833 18836 41dfa7 18835->18836 18838 41c6db 18835->18838 18836->18838 18843 4242fc 18836->18843 18839 41fd31 18838->18839 18840 41fd3d 18839->18840 18842 41c6e3 18839->18842 18841 41d06a ctype 29 API calls 18840->18841 18840->18842 18841->18842 18842->18831 18844 424349 18843->18844 18845 424309 18843->18845 18846 41e795 35 API calls 18844->18846 18845->18844 18847 424324 18845->18847 18849 42434e 18846->18849 18848 424f10 31 API calls 18847->18848 18850 42432b 18848->18850 18851 41e79e 35 API calls 18849->18851 18857 424361 18850->18857 18853 424359 18851->18853 18853->18838 18856 424341 18856->18838 18858 424381 18857->18858 18875 424339 18857->18875 18859 424aa7 37 API calls 18858->18859 18861 4243ae 18858->18861 18859->18861 18860 424480 WriteFile 18863 4244a2 GetLastError 18860->18863 18864 424447 18860->18864 18861->18860 18866 4243bf 18861->18866 18862 4244bb 18865 41e795 35 API calls 18862->18865 18862->18875 18863->18864 18864->18862 18868 424459 18864->18868 18864->18875 18869 4244d5 18865->18869 18866->18862 18866->18864 18867 42440b WriteFile 18866->18867 18867->18866 18870 424475 GetLastError 18867->18870 18871 424461 18868->18871 18872 4244ad 18868->18872 18873 41e79e 35 API calls 18869->18873 18870->18864 18874 41e795 35 API calls 18871->18874 18876 41e722 35 API calls 18872->18876 18873->18875 18877 424466 18874->18877 18879 424f6f LeaveCriticalSection 18875->18879 18876->18875 
18878 41e79e 35 API calls 18877->18878 18878->18875 18879->18856 18883 403736 18880->18883 18882 40356c __vprintf_l 18882->18481 18884 403743 18883->18884 18886 403748 18883->18886 18885 41b3bd __vprintf_l 30 API calls 18884->18885 18885->18886 18887 40378a 18886->18887 18889 40375c 18886->18889 18891 403760 18886->18891 18888 4037a5 18887->18888 18890 40376d 18887->18890 18892 401fac ctype 29 API calls 18887->18892 18888->18890 18895 403c88 18888->18895 18889->18888 18889->18891 18890->18882 18891->18890 18894 401fac ctype 29 API calls 18891->18894 18892->18888 18894->18890 18896 403c92 __EH_prolog 18895->18896 18897 41b948 __vprintf_l 29 API calls 18896->18897 18900 403cc1 __vprintf_l 18897->18900 18898 401fac ctype 29 API calls 18899 403d16 18898->18899 18899->18890 18900->18898 18902 41cbc1 18901->18902 18904 41cbd3 18901->18904 18903 4202d7 ctype 29 API calls 18902->18903 18902->18904 18908 41cc31 18902->18908 18903->18908 18904->18485 18905 41cc7f 18905->18904 18909 420338 LeaveCriticalSection 18905->18909 18906 4203bc 15 API calls 18906->18908 18908->18905 18908->18906 18909->18904 18913 40360b 18910->18913 18911 40365c 18911->18491 18913->18911 18914 41cbb0 44 API calls 18913->18914 18915 403672 18913->18915 18914->18913 18918 403680 18915->18918 18916 4036a9 18916->18913 18917 41ccb1 46 API calls 18917->18918 18918->18916 18918->18917 18942 404257 18919->18942 18923 402e41 __EH_prolog 18922->18923 18924 404257 29 API calls 18923->18924 18925 402e5f 18924->18925 18949 4038ee 18925->18949 18943 41b948 __vprintf_l 29 API calls 18942->18943 18944 404263 18943->18944 18945 40429b 18944->18945 18946 406d48 ctype 29 API calls 18944->18946 18947 41b948 __vprintf_l 29 API calls 18945->18947 18946->18945 18948 403e76 18947->18948 18948->18496 18950 4038f8 __EH_prolog 18949->18950 18951 401fac ctype 29 API calls 18950->18951 18952 403910 18951->18952 18967 40348e 18952->18967 18954 40391f 18968 4034a1 18967->18968 18969 4034a6 18967->18969 18970 41b5e9 __vprintf_l 30 

          Control-flow Graph (function 0040E3D8; edge list, rendering omitted; Executed / Not Executed colouring not reproduced)
          • 40e3d8-40e400: call 41c340, LoadLibraryA; edges to 40e406-40e418 and to the exit block 40e4a9-40e4b8
          • 40e406-40e418: GetProcAddress; edges to 40e41e-40e42b and to the FreeLibrary block
          • 40e42d-40e444: GetProcAddress * 2; edges to 40e446-40e456 and to 40e494-40e498
          • 40e458-40e46b: GetProcAddress; edges to 40e46d-40e483 (then 40e485, 40e489-40e48c, 40e48e, 40e494-40e498, 40e49a) and directly to 40e489-40e48c
          • 40e4a0-40e4a8: FreeLibrary; reached from 40e406, 40e41e, 40e489, 40e494 and 40e49a, then falls through to 40e4a9-40e4b8
          Each lookup block has one edge that continues to the next GetProcAddress and one that goes to the FreeLibrary block.
          APIs
          • __EH_prolog.LIBCMT ref: 0040E3DD
          • LoadLibraryA.KERNELBASE(Msi.DLL,00000001,?,?,?,?,?,?,?,?,00000000), ref: 0040E3EB
          • GetProcAddress.KERNEL32(00000000,MsiOpenDatabaseA), ref: 0040E414
          • GetProcAddress.KERNEL32(00000000,MsiGetSummaryInformationA), ref: 0040E433
          • GetProcAddress.KERNEL32(00000000,MsiCloseHandle), ref: 0040E43D
          • GetProcAddress.KERNEL32(00000000,MsiSummaryInfoGetPropertyA), ref: 0040E465
          • FreeLibrary.KERNELBASE(00000000), ref: 0040E4A1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: AddressProc$Library$FreeH_prologLoad
          • String ID: H$Msi.DLL$MsiCloseHandle$MsiGetSummaryInformationA$MsiOpenDatabaseA$MsiSummaryInfoGetPropertyA
          • API String ID: 1090236637-2739935362
          • Opcode ID: cc52b2ab50203d5b056496bb15dc4a3e683609ba5e606f67e8ab3881c7f3ac4d
          • Instruction ID: 94dba1260473b668c8b52e84d75dc17c2fbb8d5a0a48534d0180c77dcc4fc909
          • Opcode Fuzzy Hash: cc52b2ab50203d5b056496bb15dc4a3e683609ba5e606f67e8ab3881c7f3ac4d
          • Instruction Fuzzy Hash: 7021A131E0021AAADB119BD6DC44BEFBE78AF44750F50842AF904B11D0DBBC8A05DBA8
          APIs
          • LoadLibraryA.KERNEL32(KERNEL32,00404D47,00000000), ref: 00415C69
          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 00415C81
          • lstrcpyA.KERNEL32(?,00000000), ref: 00415C97
            • Part of subcall function 00416165: CharNextA.USER32(?,00415CA9,?), ref: 0041616F
          • GetDiskFreeSpaceExA.KERNELBASE(?,00000000,?,00404D47,?), ref: 00415CCC
            • Part of subcall function 00415F56: CharNextA.USER32(?,?,?,00000000,004160EF,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F6B
            • Part of subcall function 00415F56: CharPrevA.USER32(?,?,?,?,00000000,004160EF,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F74
            • Part of subcall function 00415F56: CharNextA.USER32(00000000,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F8C
            • Part of subcall function 00415F56: CharNextA.USER32(00000000,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F92
          • GetDiskFreeSpaceA.KERNEL32(?,00000003,00000000,00000003,?), ref: 00415D27
          • FreeLibrary.KERNEL32(00404D47), ref: 00415D4B
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Char$Next$Free$DiskLibrarySpace$AddressLoadPrevProclstrcpy
          • String ID: GetDiskFreeSpaceExA$KERNEL32
          • API String ID: 711836960-2868000099
          • Opcode ID: 2b734f3ef96f366fcefe1de66db3abd59982bfd5cf3215dc2293c1922e1abdad
          • Instruction ID: 29fc5b0ed445cdfd3cc7a7c909c4101dd5096f897ef42a69a587dfe1114c211e
          • Opcode Fuzzy Hash: 2b734f3ef96f366fcefe1de66db3abd59982bfd5cf3215dc2293c1922e1abdad
          • Instruction Fuzzy Hash: C9313D7190011DEBCF10DFA4D8849DEBBFCBB48310F5081A6E555E7200DA34DA45CFA8
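The records for 0040E3DD (Msi.DLL), 00415C69 (KERNEL32) and, further down this page, 0040E5B6 (SHFolder.dll) all show the same shape: LoadLibraryA, one or more GetProcAddress lookups, FreeLibrary. When triaging a report in this format it helps to turn those lines into a per-library list of the symbols the sample resolves at run time. The script below is an added example; it is not part of the Joe Sandbox report and not code from the analysed sample. Its input is constructed from the API lines shown on this page (argument lists shortened), and the pairing rule it applies, that a GetProcAddress between a LoadLibrary* line and the next FreeLibrary resolves from that library, is the script's own assumption rather than anything the report states.

```python
import re
from collections import OrderedDict

# Constructed sample: API lines copied from the report records for the
# functions at 0040E3DD, 00415C69 and 0040E5B6 (argument lists shortened).
SAMPLE_LINES = """\
• __EH_prolog.LIBCMT ref: 0040E3DD
• LoadLibraryA.KERNELBASE(Msi.DLL,00000001,?,?,?,?,?,?,?,?,00000000), ref: 0040E3EB
• GetProcAddress.KERNEL32(00000000,MsiOpenDatabaseA), ref: 0040E414
• GetProcAddress.KERNEL32(00000000,MsiGetSummaryInformationA), ref: 0040E433
• GetProcAddress.KERNEL32(00000000,MsiCloseHandle), ref: 0040E43D
• GetProcAddress.KERNEL32(00000000,MsiSummaryInfoGetPropertyA), ref: 0040E465
• FreeLibrary.KERNELBASE(00000000), ref: 0040E4A1
• LoadLibraryA.KERNEL32(KERNEL32,00404D47,00000000), ref: 00415C69
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 00415C81
• lstrcpyA.KERNEL32(?,00000000), ref: 00415C97
• GetDiskFreeSpaceExA.KERNELBASE(?,00000000,?,00404D47,?), ref: 00415CCC
• GetDiskFreeSpaceA.KERNEL32(?,00000003,00000000,00000003,?), ref: 00415D27
• FreeLibrary.KERNEL32(00404D47), ref: 00415D4B
• LoadLibraryA.KERNELBASE(SHFolder.dll,?,00432C20,?,00000400), ref: 0040E5B6
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0040E5E9
• FreeLibrary.KERNELBASE(00000000,?,?,?,-000008AC), ref: 0040E684
"""

# One report line: "<bullet> <Api>.<Module>(<args>), ref: <call site>".
# The argument list is optional (e.g. "wsprintfA.USER32 ref: 0040A02F").
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_api_lines(text):
    """Yield (api, module, args, call_site) for every API line in text."""
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",") if a.strip()]
        yield m.group("api"), m.group("module"), args, m.group("ref")


def dynamic_imports(text):
    """Map each library loaded at run time to what happens while it is loaded.

    Assumption of this script (not stated by the report): a GetProcAddress
    that appears after a LoadLibrary* line and before the next FreeLibrary
    resolves a symbol from that library.  The report lists call sites in
    address order within a function, so this holds for the simple
    load / resolve / free shape seen in the records above.

    Returns an ordered mapping
      {library: {"symbols": [(name, call_site), ...], "calls": [api, ...]}}
    where "calls" are the other APIs invoked while the handle is live.
    """
    resolved = OrderedDict()
    current = None
    for api, _module, args, ref in parse_api_lines(text):
        if api in LOADERS:
            current = args[0] if args else "<unknown>"
            resolved.setdefault(current, {"symbols": [], "calls": []})
        elif api == "FreeLibrary":
            current = None
        elif current is None:
            continue
        elif api == "GetProcAddress":
            # GetProcAddress(hModule, lpProcName): the name is the 2nd argument;
            # an ordinal import would show up here as a number instead.
            symbol = args[1] if len(args) > 1 else "<unresolved>"
            resolved[current]["symbols"].append((symbol, ref))
        else:
            # A direct call to an older API right after the lookup is the
            # usual compatibility fallback, worth seeing next to the symbol.
            resolved[current]["calls"].append(api)
    return resolved


def symbols_by_library(text):
    """Just the resolved symbol names per library, for a quick triage note."""
    return {lib: [s for s, _ in rec["symbols"]]
            for lib, rec in dynamic_imports(text).items()}


if __name__ == "__main__":
    for lib, rec in dynamic_imports(SAMPLE_LINES).items():
        names = ", ".join(f"{s} @ {ref}" for s, ref in rec["symbols"])
        print(f"{lib}: {names}; other calls while loaded: {rec['calls']}")
```

On the constructed input this yields Msi.DLL: MsiOpenDatabaseA, MsiGetSummaryInformationA, MsiCloseHandle, MsiSummaryInfoGetPropertyA; KERNEL32: GetDiskFreeSpaceExA with lstrcpyA, GetDiskFreeSpaceExA and GetDiskFreeSpaceA called while the handle is live; SHFolder.dll: SHGetFolderPathA. Two caveats before reading any of this as API hiding: the KERNEL32 record calls GetDiskFreeSpaceA directly (ref 00415D27) after looking up the Ex variant, which is the standard compatibility idiom for an export that older Windows versions lack, and the four Msi exports are exactly the sequence needed to read an MSI package's summary-information stream. Dynamic resolution on its own is an indicator to weigh, not a verdict.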
          APIs
          • GetFileSize.KERNEL32(?,00000000,?,?,00000000,?,00402413,000000FF,?,?,00000000,000000FF,?,?,?,00000000), ref: 00402C56
          • GetProcessHeap.KERNEL32(00000008,00000001,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402C75
          • RtlAllocateHeap.NTDLL(00000000,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402C78
          • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402C96
          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402CB4
          • HeapFree.KERNEL32(00000000,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402CB7
          • GetProcessHeap.KERNEL32(00000000,00000000,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402CC3
          • HeapFree.KERNEL32(00000000,?,00402413,000000FF,?,?,00000000,000000FF,?), ref: 00402CC6
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Heap$Process$FileFree$AllocateReadSize
          • String ID:
          • API String ID: 3605603088-0
          • Opcode ID: d1a864abd92a2fc277fa1877d9e83827b736a37e0f8767efe967c202b740148e
          • Instruction ID: 13a930ecd475b53c40801f43f0ce58d3ecd5b7b9f4b267c898401392623b420a
          • Opcode Fuzzy Hash: d1a864abd92a2fc277fa1877d9e83827b736a37e0f8767efe967c202b740148e
          • Instruction Fuzzy Hash: 8511A571604208BBEB109BA5DC4DFAB3B6CEB89721F10456AF918DB2D0DA74DD01CB78
          APIs
          • GetVersion.KERNEL32 ref: 0041DB32
            • Part of subcall function 004208A2: HeapCreate.KERNELBASE(00000000,00001000,00000000,0041DB6A,00000001), ref: 004208B3
            • Part of subcall function 004208A2: HeapDestroy.KERNEL32 ref: 004208F2
          • GetCommandLineA.KERNEL32 ref: 0041DB92
          • GetStartupInfoA.KERNEL32(?), ref: 0041DBBD
          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0041DBE0
            • Part of subcall function 0041DC39: ExitProcess.KERNEL32 ref: 0041DC56
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
          • String ID:
          • API String ID: 2057626494-0
          • Opcode ID: d45ae27decf557be928764401a2fb278a939100cdc73b22241ca78d1a3bcdd52
          • Instruction ID: c9d6bd29629164b3df4766cd16f9efd23fa5596332b5691082663a8a73c53751
          • Opcode Fuzzy Hash: d45ae27decf557be928764401a2fb278a939100cdc73b22241ca78d1a3bcdd52
          • Instruction Fuzzy Hash: 372194B0E40715AEEB14AFB6ED4AAAD7BB8EF04708F50042FF4019B291DB3C5940CB59
          APIs
          • FindResourceA.KERNEL32(?,?,?), ref: 00408234
          • SizeofResource.KERNEL32(?,00000000), ref: 00408240
          • LoadResource.KERNEL32(?,00000000), ref: 0040824C
          • LockResource.KERNEL32(00000000), ref: 00408253
            • Part of subcall function 004080CB: __EH_prolog.LIBCMT ref: 004080D0
            • Part of subcall function 004080CB: GetWindowDC.USER32(00000000,?,?,00000000,00000000), ref: 004081B0
            • Part of subcall function 004080CB: CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004081CB
            • Part of subcall function 004080CB: DeleteObject.GDI32(00000000), ref: 004081DE
            • Part of subcall function 004080CB: ReleaseDC.USER32(00000000,?), ref: 004081EC
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Resource$BitmapCreateDeleteFindH_prologLoadLockObjectReleaseSizeofWindow
          • String ID:
          • API String ID: 494826499-0
          • Opcode ID: 379f88c341aef83bfe8769ea37ae027ad2fc484912df5527cfa207fa6b95a24c
          • Instruction ID: 24b06e88c2b0fdbc2ef16e7c7abcf0917d4be9ea22ee52aea8f201fa319047eb
          • Opcode Fuzzy Hash: 379f88c341aef83bfe8769ea37ae027ad2fc484912df5527cfa207fa6b95a24c
          • Instruction Fuzzy Hash: 38E0ED36201129BFEB111F96EC4DCBF7F6DEF592A1B444036F90986120DB724D62DBA4
          APIs
          • GetLocaleInfoA.KERNELBASE(?,00001004,?,00000014,?,00000000,00413262,?,00000000), ref: 004167E5
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: InfoLocale
          • String ID: b2A
          • API String ID: 2299586839-1488577323
          • Opcode ID: aec99acaf583bba8ed4abfa0fb75f1236a3941540d95127ed180648487ec6b37
          • Instruction ID: 951b48c68e03a0b9ab3c4ec0677a7c2a98c0513c81b2508b87eb9d3c8321bb3e
          • Opcode Fuzzy Hash: aec99acaf583bba8ed4abfa0fb75f1236a3941540d95127ed180648487ec6b37
          • Instruction Fuzzy Hash: FEE086317003096BEB11EFA4DD06ADB37AC9B04748F500025F605E91D1D6B0D94087A4
          APIs
          • GetVersionExA.KERNEL32(?,?), ref: 00411E65
          • GetSystemInfo.KERNELBASE(?), ref: 00411EA5
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: InfoSystemVersion
          • String ID:
          • API String ID: 1934062620-0
          • Opcode ID: f20e4d47d398e0a70c346a34a6de286d159426df4dcbc54f1064df9b7d1e4d92
          • Instruction ID: a8e68314ad49a5145fa63aa1355f767c2a9982ff4646cb70a884731988dfb82b
          • Opcode Fuzzy Hash: f20e4d47d398e0a70c346a34a6de286d159426df4dcbc54f1064df9b7d1e4d92
          • Instruction Fuzzy Hash: 2F21EA74D0131A9BDF10DFD5C885BEEBBB5EB04355F10006BEA05A3390D7784A84CB99


          APIs
          • SetBkMode.GDI32(?,00000001), ref: 00409ECA
          • GetDlgCtrlID.USER32(?), ref: 00409ED3
          • GetStockObject.GDI32(00000005), ref: 00409EE9
          • SendMessageA.USER32(00000405,00000000,00000000), ref: 00409F2A
          • PostMessageA.USER32(00000000,00008032,00000000,00000000), ref: 00409F81
          • LoadCursorA.USER32(00000000,00000068), ref: 00409F9F
          • lstrlenA.KERNEL32(?), ref: 00409FD8
          • wsprintfA.USER32 ref: 0040A02F
          • SetWindowTextA.USER32(?,?), ref: 0040A040
          • SetTimer.USER32(?,000003E9,000000FA,00000000), ref: 0040A054
          • GetDlgItem.USER32(?,000003E9), ref: 0040A062
          • GetDlgItem.USER32(?,000003EB), ref: 0040A06D
          • GetDlgItem.USER32(?,000003EA), ref: 0040A078
          • SendMessageA.USER32(00000000,00000402,00000000,00000000), ref: 0040A089
          • GetDlgItem.USER32(?,00000409), ref: 0040A1BC
          • GetClientRect.USER32(00000000,?), ref: 0040A1CD
          • GetClientRect.USER32(?,?), ref: 0040A1D6
          • GetStockObject.GDI32(00000000), ref: 0040A1ED
          • FillRect.USER32(?,?,00000000), ref: 0040A201
          • GetSysColor.USER32(0000000F), ref: 0040A205
          • GetSysColorBrush.USER32(00000000), ref: 0040A20F
          • CreateSolidBrush.GDI32(?), ref: 0040A21C
          • FillRect.USER32(?,?,00000000), ref: 0040A23C
          • DeleteObject.GDI32 ref: 0040A249
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ItemRect$MessageObject$BrushClientColorFillSendStock$CreateCtrlCursorDeleteLoadModePostSolidTextTimerWindowlstrlenwsprintf
          • String ID: Arial$Cancel
          • API String ID: 136695782-1283040515
          • Opcode ID: 8280102d5cbfa14004d39f1e451a4fb680f694213a366a96e6681358b5bc0242
          • Instruction ID: 1b3a65185d709068ce3dff0b2be56a59f08c4a436219a725eaca4d9b30a9cb05
          • Opcode Fuzzy Hash: 8280102d5cbfa14004d39f1e451a4fb680f694213a366a96e6681358b5bc0242
          • Instruction Fuzzy Hash: ABA17171A00209BBDB11AFA0EC49FEE3B78EB44701F40443AF605E61E1DB799D91DB69

          Control-flow Graph (function 0040C26B; edge list, rendering omitted; Executed / Not Executed colouring not reproduced). Blocks with calls, in address order:
          • 40c26b-40c2ac: call 41c340, call 41c310, call 401046
          • 40c31b-40c34e: call 41bc80, wsprintfA; 40c350-40c36f: wsprintfA; 40c371-40c38c: wsprintfA
          • 40c38f-40c3f7: call 41315d, call 415e6e, lstrlenA; 40c402-40c470: call 41bdf0, call 414265, call 41bdf0
          • 40c4c3-40c504: wsprintfA * 2, call 414265; 40c53c-40c548: wsprintfA; 40c57d-40c586: wsprintfA
          • 40c590-40c5a0: call 40c877; 40c5b1-40c5c7: CoInitialize, call 40c86b; 40c5dd-40c60b: call 405355; 40c610-40c617: call 408489
          • 40c622-40c63b: call 4158cb; 40c63d-40c650: call 415862; 40c679-40c685: SysFreeString; 40c687-40c6c4: call 401d30, SysFreeString
          • 40c6c5-40c6d7: call 40683e; 40c6ec-40c732: call 4117fb, call 4100eb; 40c73c-40c745: call 414251; 40c753-40c757: call 414244; 40c77c-40c782: call 415862
          • 40c792-40c7a3: call 40c877; 40c7a8-40c7cb: SysFreeString; 40c7d3-40c7d9: CoUninitialize
          • 40c7db-40c7f7: call 409bdd, call 40f9f9, call 41d1a4, call 416429; 40c7fc-40c80c: call 41416c; 40c818-40c821: call 414251; 40c833-40c837: call 414244; 40c83c-40c848: call 40f9be; 40c84a-40c854: call 40d3d5; exit via 40c857-40c859 and 40c85a-40c868
          APIs
          • __EH_prolog.LIBCMT ref: 0040C270
          • wsprintfA.USER32 ref: 0040C349
          • wsprintfA.USER32 ref: 0040C36A
          • wsprintfA.USER32 ref: 0040C38A
          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C3E2
          • wsprintfA.USER32 ref: 0040C4CF
          • wsprintfA.USER32 ref: 0040C4EA
          • wsprintfA.USER32 ref: 0040C543
          • wsprintfA.USER32 ref: 0040C584
          • CoInitialize.OLE32(00000000), ref: 0040C5B2
          • SysFreeString.OLEAUT32(00000000), ref: 0040C67A
          • SysFreeString.OLEAUT32(00000000), ref: 0040C6B9
          • SysFreeString.OLEAUT32(00000003), ref: 0040C7BC
          • CoUninitialize.OLE32(?,?,?,?,?,?,?,00000000), ref: 0040C7D3
            • Part of subcall function 0040C877: __EH_prolog.LIBCMT ref: 0040C87C
            • Part of subcall function 0040C877: CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,00000000), ref: 0040C8F3
            • Part of subcall function 0040C877: SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000), ref: 0040C905
            • Part of subcall function 0040C877: wsprintfA.USER32 ref: 0040C938
            • Part of subcall function 0040C877: lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 0040C97C
            • Part of subcall function 0040C877: lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_is8C78,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C9B7
            • Part of subcall function 0040C877: CopyFileA.KERNEL32(?,?,00000000), ref: 0040C9CC
            • Part of subcall function 00409BDD: IsWindow.USER32(0040C7E0), ref: 00409BE3
            • Part of subcall function 00409BDD: ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00409BFC
            • Part of subcall function 00409BDD: ShowWindow.USER32(00000000,?,?,?,?,?,?,?,00000000), ref: 00409C06
            • Part of subcall function 00416429: lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,000000FF), ref: 00416476
            • Part of subcall function 00416429: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,000000FF), ref: 00416493
            • Part of subcall function 00416429: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004164AA
            • Part of subcall function 00416429: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004164C0
            • Part of subcall function 00416429: GetExitCodeProcess.KERNELBASE(?,00000001), ref: 004164DF
            • Part of subcall function 00416429: CloseHandle.KERNEL32(?,?,?,?,?,?,000000FF), ref: 004164F0
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: wsprintf$FileFreeStringWindow$CopyH_prologProcessShowlstrcat$AttributesCloseCodeCreateExitHandleInitializeMessageMultipleObjectsPeekUninitializeWaitlstrcpylstrlen
          • String ID: %s %s$%s /a "%s"%s$%s /f%s "%s" %s$%s /i "%s" %s$%s /j%s "%s" %s$%s /p "%s" %s$%s /x "%s" %s$%s TRANSFORMS="%s"$%s%s%s;%s$%s="%s"$/p"%s" %s$RunAsLaunchingUser$Startup$TRANSFORMS=$TRANSFORMS="$\
          • API String ID: 2501645437-3984558281
          • Opcode ID: 085fedb6f39d53a7e7107cb0f29b043fb572cfc8b504bf1e51bfdd5cde0dcf09
          • Instruction ID: bc3bcccd818d2f468f0e90b0e0a849def7ca8e6719ef2e5c02b2da99f3a1644d
          • Opcode Fuzzy Hash: 085fedb6f39d53a7e7107cb0f29b043fb572cfc8b504bf1e51bfdd5cde0dcf09
          • Instruction Fuzzy Hash: EC02D471A00219EBCF20DBA4DC81EEE7779BB04304F14067BF905E71D1DB799A858B99
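The String ID field of the 0040C26B record lists the wsprintfA templates the launcher uses to assemble a child command line: %s /i "%s" %s, %s /a "%s"%s, %s /x "%s" %s, %s /p "%s" %s, %s /f%s "%s" %s, %s /j%s "%s" %s, %s TRANSFORMS="%s" and %s="%s". Those are the msiexec action switches (install, administrative install, uninstall, patch, repair with mode letters, advertise with mode letters), the TRANSFORMS property and generic PROPERTY=value pairs; that the assembled string is what reaches the CreateProcessA at 00416493 is the natural reading but is an inference, not something the report states. The parser below is an added example, not code from the report or from the sample: it takes a Windows process-creation command line of that shape and returns the action, the target package, the properties and the transform list, which is what a detection rule or a triage note would key on. The sample command lines are constructed for the example; the paths in them are placeholders.

```python
# msiexec action switches that the launcher's format strings can emit.
# Mode letters glued to /f (e.g. /fomus) and /j (e.g. /ju) are kept separately.
ACTIONS = {"i": "install", "a": "admin-install", "x": "uninstall",
           "p": "patch", "f": "repair", "j": "advertise"}

# Constructed sample command lines (not from the report); placeholder paths.
SAMPLE_CMDLINES = [
    r'msiexec.exe /i "C:\Temp\plotdemo.msi" TRANSFORMS="C:\Temp\1033.mst;C:\Temp\custom.mst" ALLUSERS=1',
    r'msiexec.exe /fomus "C:\Temp\plotdemo.msi" /qn',
    r'msiexec.exe /p"C:\Temp\fix.msp" REINSTALL=ALL',
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs
    together and dropping the quotes.  Simplified on purpose: it does not
    implement the CommandLineToArgvW backslash rules, which none of the
    launcher's templates rely on."""
    tokens, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_msiexec(cmdline):
    """Classify one msiexec-style command line.

    Returns a dict with the executable, the action (from ACTIONS), any mode
    letters glued to the switch, the target package or patch path, every
    PROPERTY=value pair (names upper-cased) and the TRANSFORMS list.
    """
    tokens = split_cmdline(cmdline)
    result = {"exe": tokens[0] if tokens else None, "action": None,
              "modes": "", "target": None, "properties": {}, "transforms": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in "/-" and len(tok) > 1 and tok[1].lower() in ACTIONS:
            action = ACTIONS[tok[1].lower()]
            result["action"] = action
            rest = tok[2:]
            if rest and action in ("repair", "advertise"):
                result["modes"] = rest          # /f<modes>, /j<modes>
            elif rest:
                result["target"] = rest         # the /p"%s" template: no space
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if result["target"] is None and nxt and "=" not in nxt and nxt[:1] not in "/-":
                result["target"] = nxt          # the "%s" after the switch
                i += 1
        elif "=" in tok and tok[:1] not in "/-":
            name, _, value = tok.partition("=")
            result["properties"][name.upper()] = value
            if name.upper() == "TRANSFORMS":
                # TRANSFORMS takes a ';'-separated list of .mst paths
                result["transforms"] = [t for t in value.split(";") if t]
        i += 1
    return result


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(parse_msiexec(line))
```

The quote handling deliberately mirrors what the templates can produce and nothing more; a closing quote followed immediately by a switch (the %s /a "%s"%s form) is one token on Windows too, so the parser leaves it merged rather than guessing.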

          Control-flow Graph (function 0040E4B9; edge list, rendering omitted; Executed / Not Executed colouring not reproduced). Blocks with calls, in address order:
          • 40e4b9-40e508: call 41c310, call 401046, call 405355
          • 40e5b1-40e5c0: LoadLibraryA; 40e5c2-40e5d6: call 40eac1; 40e5e3-40e5f1: GetProcAddress; 40e606-40e61a: call 40eac1
          • 40e61e-40e63f: call 4160af, call 40e3d8; 40e64a-40e65c: call 4160af; 40e661-40e67e: call 416184, call 4160af; 40e683-40e68a: FreeLibrary
          • 40e696-40e6ad: lstrcpyA, call 415f9d; 40e6b2-40e6df: call 416184, lstrcpyA, call 4160af; 40e6e4-40e6f7: call 41ce60; 40e6fd-40e740: call 415942; 40e743-40e754: call 416211
          • 40e75a-40e771: call 40e3d8; 40e773-40e783: call 40e3d8; 40e785-40e798: lstrcmpA; 40e79a-40e7c8: wsprintfA, call 416acf; 40e7ca-40e7e3: MessageBoxA; 40e7e5-40e7f9: call 40eac1
          • 40e806-40e819: CopyFileA; 40e81f-40e8ab: GetLastError, call 415942, wsprintfA, lstrcatA, call 4157e7
          • 40e8d0-40e99b: call 41d69c, call 41bd10, call 4160af, call 415e6e, call 4160af, CopyFileA
          • 40e9af-40ea52: call 415a16, call 415e6e, call 4160af, lstrcatA, CopyFileA, call 415e6e, call 4160af, call 416211; 40ea54-40eaa4: call 4160af, CopyFileA, call 4160af, CopyFileA
          • 40eaa6-40eab6: call 41bd00; exit via 40eab7-40eab9 and 40eaba-40eabe
          The three calls into 40e3d8 reach the Msi.DLL summary-information reader listed earlier on this page.
          APIs
            • Part of subcall function 00405355: __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00405355: lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          • LoadLibraryA.KERNELBASE(SHFolder.dll,?,00432C20,?,00000400,?,000000FE,?,00000104,?,?,-000008AC,?,0040C248,-000008AC,00000000), ref: 0040E5B6
          • GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0040E5E9
          • FreeLibrary.KERNELBASE(00000000,?,?,?,-000008AC,?,0040C248,-000008AC,00000000,00000000,?,?,?,?,?,00000000), ref: 0040E684
          • lstrcpyA.KERNEL32(?,?,?,00432C20,?,00000400,?,000000FE,?,00000104,?,?,-000008AC,?,0040C248,-000008AC), ref: 0040E6A4
            • Part of subcall function 00415F9D: CharNextA.USER32(?,000000FF,74DE83C0), ref: 00415FD0
            • Part of subcall function 00415F9D: lstrcpyA.KERNEL32(00000000,00000000), ref: 00415FE0
            • Part of subcall function 00415F9D: CharNextA.USER32(00000000), ref: 00415FF2
            • Part of subcall function 00415F9D: CharPrevA.USER32(00000000,00000000), ref: 00416001
            • Part of subcall function 00415F9D: lstrcpyA.KERNEL32(?,?), ref: 0041601A
          • lstrcpyA.KERNEL32(?,?,?,?,00432C20,?,00000400,?,000000FE,?,00000104,?,?,-000008AC,?,0040C248), ref: 0040E6CC
          • lstrcmpA.KERNEL32(?,?,?,?,?,00000000), ref: 0040E790
          • wsprintfA.USER32 ref: 0040E7AF
          • MessageBoxA.USER32(?,?,?,00000034), ref: 0040E7DA
          • CopyFileA.KERNEL32(?,?,00000001), ref: 0040E811
          • GetLastError.KERNEL32(?,00000000), ref: 0040E81F
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • wsprintfA.USER32 ref: 0040E87F
          • lstrcatA.KERNEL32(?,0042E108,?,?,?,?,?,?,?,?,00000000), ref: 0040E894
            • Part of subcall function 004157E7: FormatMessageA.KERNEL32(00001300,00000000,0040E8A9,00000000,0040E8A9,00000000,00000000,00000000), ref: 00415803
            • Part of subcall function 004157E7: wsprintfA.USER32 ref: 00415838
            • Part of subcall function 004157E7: LocalFree.KERNEL32(0040E8A9), ref: 00415850
          • CopyFileA.KERNEL32(?,?,00000000), ref: 0040E999
          • lstrcatA.KERNEL32(?,.ini,?,?,?,?,?,?), ref: 0040E9FE
          • CopyFileA.KERNEL32(?,?,00000000), ref: 0040EA13
          • CopyFileA.KERNEL32(?,?,00000000), ref: 0040EA7C
          • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,00000000), ref: 0040EAA4
          Strings
          • SHGetFolderPathA, xrefs: 0040E5E3
          • C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI, xrefs: 0040EA9F
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 0040E930
          • SHFolder.dll, xrefs: 0040E5B1
          • .ini, xrefs: 0040E9F8
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CopyFile$lstrcpywsprintf$Char$FreeLibraryLoadMessageNextlstrcatlstrcmp$AddressErrorFormatH_prologLastLocalPrevProcString
          • String ID: .ini$C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$SHFolder.dll$SHGetFolderPathA
          • API String ID: 2330955297-2620037155
          • Opcode ID: f745688a8aa7ff60dbdb31b2b5dc3f54032bdd27177718923facca0f41c404b0
          • Instruction ID: 17a92a8a5b23ce069b9ba72a6d3bff22b7fede6c86dd555d3dd636e6c0f14cf1
          • Opcode Fuzzy Hash: f745688a8aa7ff60dbdb31b2b5dc3f54032bdd27177718923facca0f41c404b0
          • Instruction Fuzzy Hash: E9F14C7290051EAECF21DBA1DD44ADAB7BCAB48304F5044B7F609E3142EE35AB858F64

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 4148f8-414c99. Win32 calls on the graph: lstrlenA, wsprintfA, lstrcpyA, GetTempPathA, GetTempFileNameA, CopyFileA, CreateFileA, CloseHandle.
          APIs
          • wsprintfA.USER32 ref: 0041497A
          • wsprintfA.USER32 ref: 004149F2
          • lstrcpyA.KERNEL32(00000000,00000001,?,00000000), ref: 00414A5F
          • lstrlenA.KERNEL32(00000000,?,00000000), ref: 00414A68
          • lstrcpyA.KERNEL32(00000000,-00000003,?,00000000), ref: 00414ACB
          • lstrlenA.KERNEL32(?,?,00000000), ref: 00414B18
          • GetTempPathA.KERNEL32(00000400,00000000,?,?,00000000), ref: 00414B83
          • GetTempFileNameA.KERNEL32(00000000,_is,00000000,00000000,?,00000000), ref: 00414BA5
          • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00414BB8
          • CreateFileA.KERNEL32(00000000,00000000,00000001,00000000,00000003,04000000,00000000,?,00000000), ref: 00414BD9
          • wsprintfA.USER32 ref: 00414C12
          • CloseHandle.KERNEL32(000000FF,00000000,00000001), ref: 00414C36
          • CloseHandle.KERNEL32(000000FF,00000000,00000001), ref: 00414C49
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: Filewsprintf$CloseHandleTemplstrcpylstrlen$CopyCreateNamePath
          • String ID: %s %s$%s /q"%s" %s$%s%s$C:\Users\user\AppData\Local\Temp\_is8C78$_is
          • API String ID: 1809996363-3337142823
          • Opcode ID: 26514a59b3374dbfcc1903cabbaf9560f1052697bc4ab9e4782ca262433ba770
          • Instruction ID: f568581ce1c47e58d60e53c49d6fcc62cfbb4bd191fb232744128ad6103b9d46
          • Opcode Fuzzy Hash: 26514a59b3374dbfcc1903cabbaf9560f1052697bc4ab9e4782ca262433ba770
          • Instruction Fuzzy Hash: 8EB10471A0021DAFDF30CF64DC59BEB7BB9AF04304F4444A6E209A6291D7389E95CB9C

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 404d96-4051ce. Win32 calls on the graph: lstrlenA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, lstrcpyA.
          APIs
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrlenA.KERNEL32(000004AC,00432C20,000004AC,00000400,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,C:\Users\user\AppData\Local\Temp\_is8C78,00000000,?), ref: 00404DF9
          • lstrlenA.KERNEL32(000008AC,00432C20,000008AC,00000400), ref: 00404E40
          • lstrlenA.KERNEL32(?,00432C20,?,00000002), ref: 00404E84
          • lstrcmpiA.KERNEL32(?,0042E1EC), ref: 00404EB2
          • lstrlenA.KERNEL32(00000000,00432C20,00000000,00000104), ref: 00404F12
          • lstrcmpA.KERNEL32(00000000,0042E1E8,0042E1E8,00000000,00000104), ref: 00404F7D
          • lstrcmpA.KERNEL32(00000000,0042E1EC,0042E1EC,00000000,00000104), ref: 00405006
            • Part of subcall function 004051CF: __EH_prolog.LIBCMT ref: 004051D4
            • Part of subcall function 004051CF: lstrcpyA.KERNEL32(00000000,?,?,74DF0440,00000000,00432C20), ref: 00405247
            • Part of subcall function 004051CF: lstrcpyA.KERNEL32(00000000,?), ref: 0040526D
            • Part of subcall function 004051CF: lstrcpyA.KERNEL32(000000AC,00000000), ref: 0040528A
            • Part of subcall function 004051CF: lstrlenA.KERNEL32(-000000AC,00432C20), ref: 004052C5
          • lstrcmpA.KERNEL32(00000000,0042E1E4), ref: 00404FAD
          • ExpandEnvironmentStringsA.KERNEL32(000010B4,00000000,00000400,00432C20,000010B4,00000400,00432C20,0000006D,00000104,00432C20,00000009,00000104), ref: 004050D4
          • lstrcpyA.KERNEL32(000010B4,?), ref: 004050E4
          • lstrlenA.KERNEL32(00002D0D,DotNetVersion,00432C20,00002D0D,00000104,00432C20,0000290C,00000400,00432C20,0000006D,00000104,00432C20,00000009,00000104), ref: 00405198
            • Part of subcall function 00401D30: lstrcpynA.KERNEL32(?,?,?,00000001,?,?,?,00000000,00000000,?,?,00000000), ref: 00401F8E
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: lstrlen$lstrcpy$lstrcmp$H_prolog$EnvironmentExpandStringslstrcmpilstrcpyn
          • String ID: ,C$C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$DotNetVersion$B
          • API String ID: 2956953118-3599262987
          • Opcode ID: 93540d096f1be147aa835e8903b5e7dc8add11d1ac124f7ae9758b9082371574
          • Instruction ID: f10af8d9a918f50e1dc59af9780eee31a40c37e08c8819f23041955420c6977f
          • Opcode Fuzzy Hash: 93540d096f1be147aa835e8903b5e7dc8add11d1ac124f7ae9758b9082371574
          • Instruction Fuzzy Hash: 96B1D471604609AEEB21EB61DC85FD7B7BCEB14304F40487EF246A21A0D7786A46CB69

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 40a2df-40a440. Win32 calls on the graph: GlobalAlloc, GlobalLock, LoadIconA, DialogBoxParamA, DestroyIcon, GlobalHandle, GlobalUnlock, GlobalFree.
          APIs
            • Part of subcall function 0040AE69: __EH_prolog.LIBCMT ref: 0040AE6E
            • Part of subcall function 0040ADD4: __EH_prolog.LIBCMT ref: 0040ADD9
          • GlobalAlloc.KERNEL32(00000042,00000001,00435330,00000000,?,?,00000000,?,0040A2B7,00000000,00000000,00000000,?,?,?,?), ref: 0040A363
          • GlobalLock.KERNEL32(00000000), ref: 0040A36A
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: GlobalH_prolog$AllocLock
          • String ID: 8SC
          • API String ID: 861400310-2876928903
          • Opcode ID: 8769769e2860cf11c02abe3ac6148ccf41e7e09f0cc58fdaf9052b13b095788d
          • Instruction ID: cd3bd431144aa6a112f5b6b8f3b3addeaeb22d402279254ce6027bb30fc5e95a
          • Opcode Fuzzy Hash: 8769769e2860cf11c02abe3ac6148ccf41e7e09f0cc58fdaf9052b13b095788d
          • Instruction Fuzzy Hash: 2F316176600715AFDB209F65EC4995B3BA9EF08391B501436FD04E32E1D7798C22CB6E

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 408300-408444. Win32 calls on the graph: DefWindowProcA, GetWindowLongA, BeginPaint, EndPaint, DeleteObject, SetWindowLongA, GetClientRect, ClientToScreen, SetWindowPos.
          APIs
          • DefWindowProcA.USER32(?,?,?,?), ref: 0040832B
          • GetWindowLongA.USER32(?,000000EB), ref: 00408344
          • BeginPaint.USER32(?,?), ref: 00408354
          • EndPaint.USER32(?,?), ref: 00408373
          • GetWindowLongA.USER32(?,000000EB), ref: 00408383
          • DeleteObject.GDI32(00000000), ref: 0040839A
          • SetWindowLongA.USER32(?,000000EB,00000000), ref: 004083CA
          • GetClientRect.USER32(?,?), ref: 004083DA
          • ClientToScreen.USER32(?,?), ref: 004083E7
          • __ftol.LIBCMT ref: 00408407
          • __ftol.LIBCMT ref: 00408416
          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000256), ref: 00408427
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: Window$Long$ClientPaint__ftol$BeginDeleteObjectProcRectScreen
          • String ID: GIF
          • API String ID: 3526196457-881873598
          • Opcode ID: df1bc78e7f7e915b6fe41a5aab05374d6712ec8fd5aba6c78473ec8c2fe9cb6f
          • Instruction ID: c28d54bae0194d5a7a9282b9378118f598638911a6af2509b50b1bdbc0b55bfc
          • Opcode Fuzzy Hash: df1bc78e7f7e915b6fe41a5aab05374d6712ec8fd5aba6c78473ec8c2fe9cb6f
          • Instruction Fuzzy Hash: 3631A032A00115BBCF219FA0DD08EAE3B75FF48720F504229F961A61E0DB399D129B58

          Control-flow Graph
          • Rendered graph not included for this function (API references 00415AAD-00415BDE).

          APIs
          • GetFileVersionInfoSizeA.VERSION(0001040E,00000001,?,?,?,?), ref: 00415AAD
          • GetFileVersionInfoA.VERSION(0001040E,00000000,00000000,00000000,?,?,0001040E,00000001,?,?,?,?), ref: 00415AD9
          • VerQueryValueA.VERSION(00000000,0042EC0C,0001040E,00000000,00000000,00000000,00000000,?,?,0001040E,00000001,?,?,?,?), ref: 00415B0C
          • wsprintfA.USER32 ref: 00415B36
          • VerQueryValueA.VERSION(00000000,\VarFileInfo\Translation,0001040E,00000000,0042EC0C,0001040E,00000000,00000000,00000000,00000000,?,?,0001040E,00000001), ref: 00415B5E
          • wsprintfA.USER32 ref: 00415BC4
          • wsprintfA.USER32 ref: 00415BDE
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: wsprintf$FileInfoQueryValueVersion$Size
          • String ID: ,C$%s,%u$%u.%u.%u.%u$\VarFileInfo\Translation
          • API String ID: 1875041341-2086375906
          • Opcode ID: ec8d2eba6d56035c8fd35052cb2f682c9bb85d9409c5505744050f1ee44a6a00
          • Instruction ID: 256724860bc959a3f71816a7bb7a1e650f07c9884dce5010ac75bb3188e0e502
          • Opcode Fuzzy Hash: ec8d2eba6d56035c8fd35052cb2f682c9bb85d9409c5505744050f1ee44a6a00
          • Instruction Fuzzy Hash: 3141BE7190021CBFDB10AF55DC81DEE7B7CEF48358F40407BF918A6152E639AE958BA8
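          The function above reads the VERSION resource with GetFileVersionInfoSizeA/GetFileVersionInfoA, queries the root block and \VarFileInfo\Translation with VerQueryValueA, and renders the result with "%u.%u.%u.%u". The Python below is an added example, not code from the sample and not from the Joe Sandbox tooling: it decodes the two buffers VerQueryValueA hands back (VS_FIXEDFILEINFO and the Translation table) on a constructed buffer, so the HIWORD/LOWORD ordering behind that format string can be checked offline when comparing a reported version with the file's own. The operands of the "%s,%u" format string cannot be determined from the report and are not modelled; the sample version numbers are constructed.

```python
"""Decode what GetFileVersionInfoA/VerQueryValueA return: the VS_FIXEDFILEINFO
root block ("\\") and the \\VarFileInfo\\Translation table.
Added example on a constructed buffer; not the sample's own code."""
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO
_FFI_FMT = "<13I"              # 13 little-endian DWORDs, 52 bytes
_FFI_FIELDS = (
    "dwSignature", "dwStrucVersion", "dwFileVersionMS", "dwFileVersionLS",
    "dwProductVersionMS", "dwProductVersionLS", "dwFileFlagsMask",
    "dwFileFlags", "dwFileOS", "dwFileType", "dwFileSubtype",
    "dwFileDateMS", "dwFileDateLS",
)


def parse_fixed_file_info(buf):
    """Parse a VS_FIXEDFILEINFO block (what VerQueryValueA(block, "\\") returns)."""
    if len(buf) < struct.calcsize(_FFI_FMT):
        raise ValueError("buffer too short for VS_FIXEDFILEINFO")
    ffi = dict(zip(_FFI_FIELDS, struct.unpack_from(_FFI_FMT, buf)))
    if ffi["dwSignature"] != VS_FFI_SIGNATURE:
        raise ValueError("bad VS_FIXEDFILEINFO signature 0x%08X" % ffi["dwSignature"])
    return ffi


def version_string(ms, ls):
    """The "%u.%u.%u.%u" rendering: HIWORD and LOWORD of the MS DWORD,
    then HIWORD and LOWORD of the LS DWORD."""
    return "%u.%u.%u.%u" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def parse_translation(buf):
    """Decode \\VarFileInfo\\Translation: an array of (wLanguage, wCodePage)
    WORD pairs, each little-endian."""
    if len(buf) % 4:
        raise ValueError("Translation table length is not a multiple of 4")
    return [struct.unpack_from("<HH", buf, off) for off in range(0, len(buf), 4)]


def build_fixed_file_info(file_ver, prod_ver):
    """Constructed VS_FIXEDFILEINFO for offline testing (versions as 4-tuples)."""
    def pack(v):
        a, b, c, d = v
        return (a << 16) | b, (c << 16) | d
    fms, fls = pack(file_ver)
    pms, pls = pack(prod_ver)
    # dwFileFlagsMask 0x3F, no flags, VOS_NT_WINDOWS32, VFT_APP, no date.
    return struct.pack(_FFI_FMT, VS_FFI_SIGNATURE, 0x00010000, fms, fls,
                       pms, pls, 0x3F, 0, 0x00040004, 1, 0, 0, 0)


# Constructed buffers standing in for the two VerQueryValueA results.
SAMPLE_FFI = build_fixed_file_info((1, 2, 3, 4), (1, 2, 0, 0))
SAMPLE_TRANSLATION = struct.pack("<HH", 0x0409, 1252)  # en-US, Windows-1252


def describe(ffi_buf, translation_buf):
    """Return the strings an analyst would compare against the report."""
    ffi = parse_fixed_file_info(ffi_buf)
    return {
        "file_version": version_string(ffi["dwFileVersionMS"], ffi["dwFileVersionLS"]),
        "product_version": version_string(ffi["dwProductVersionMS"], ffi["dwProductVersionLS"]),
        "translations": parse_translation(translation_buf),
    }


if __name__ == "__main__":
    print(describe(SAMPLE_FFI, SAMPLE_TRANSLATION))
```

          The signature check matters in practice: a resource block that fails it, or a Translation table whose length is not a multiple of four, is a malformed or tampered VERSION resource rather than a benign oddity.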

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 4072e5-407380. Win32 calls on the graph: LoadLibraryA, GetProcAddress (4 calls), FreeLibrary on the failure path.
          APIs
          • LoadLibraryA.KERNELBASE(CABINET,004073B4,?,00000000,0040C1B2,00000000,?,?,?,?,?,00000000), ref: 004072EA
          • GetProcAddress.KERNEL32(00000000,FDICreate), ref: 0040730A
          • GetProcAddress.KERNEL32(FDIIsCabinet), ref: 0040731C
          • GetProcAddress.KERNEL32(FDICopy), ref: 0040732E
          • GetProcAddress.KERNEL32(FDIDestroy), ref: 00407340
          • FreeLibrary.KERNEL32(00000000,0040C1B2,00000000,?,?,?,?,?,00000000), ref: 00407371
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: AddressProc$Library$FreeLoad
          • String ID: CABINET$FDICopy$FDICreate$FDIDestroy$FDIIsCabinet
          • API String ID: 2449869053-2243815904
          • Opcode ID: 92b51e029ca6cc96f07250e0aae2ccd37d9a816788e869f468c3c9a715f8700d
          • Instruction ID: 2fb15183edd2a19634527676082b2f474d3e451882f4471532c0866c996b3cad
          • Opcode Fuzzy Hash: 92b51e029ca6cc96f07250e0aae2ccd37d9a816788e869f468c3c9a715f8700d
          • Instruction Fuzzy Hash: FE014F70A04214EBF7299F75FC89B623AB4F700703F605177A809A12B8DBB84A85DF5D
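          Two records on this page show the same dynamic-import pattern: the earlier one resolves SHGetFolderPathA from SHFolder.dll and the one just above resolves FDICreate, FDIIsCabinet, FDICopy and FDIDestroy from CABINET, each via LoadLibraryA, GetProcAddress and FreeLibrary. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses API reference lines in the format used on this page and pairs every GetProcAddress with the LoadLibrary that precedes it, so the dynamically resolved imports can be pulled out of a long report without reading it by hand. The sample lines are copied from this page; the line format (a bullet, API.MODULE(args), ", ref: ADDR", optional "Part of subcall function" prefix) is assumed from what is visible here.

```python
"""Recover LoadLibrary -> GetProcAddress -> FreeLibrary chains from Joe Sandbox
IDA-plugin API reference lines. Added example; not part of the report."""
import re
from collections import OrderedDict

# Lines copied from this page (SHFolder.dll and CABINET resolvers, plus one
# subcall line) to serve as offline input.
SAMPLE_LINES = [
    "• LoadLibraryA.KERNELBASE(SHFolder.dll,?,00432C20,?,00000400,?,000000FE,?,00000104,?,?,-000008AC,?,0040C248,-000008AC,00000000), ref: 0040E5B6",
    "• GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0040E5E9",
    "• FreeLibrary.KERNELBASE(00000000,?,?,?,-000008AC,?,0040C248,-000008AC,00000000,00000000,?,?,?,?,?,00000000), ref: 0040E684",
    "• LoadLibraryA.KERNELBASE(CABINET,004073B4,?,00000000,0040C1B2,00000000,?,?,?,?,?,00000000), ref: 004072EA",
    "• GetProcAddress.KERNEL32(00000000,FDICreate), ref: 0040730A",
    "• GetProcAddress.KERNEL32(FDIIsCabinet), ref: 0040731C",
    "• GetProcAddress.KERNEL32(FDICopy), ref: 0040732E",
    "• GetProcAddress.KERNEL32(FDIDestroy), ref: 00407340",
    "• FreeLibrary.KERNEL32(00000000,0040C1B2,00000000,?,?,?,?,?,00000000), ref: 00407371",
    "  • Part of subcall function 00415F9D: CharNextA.USER32(?,000000FF,74DE83C0), ref: 00415FD0",
]

# One "• API.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function XXXXXXXX:". Lines such as "wsprintfA.USER32 ref: ..."
# carry no argument list, so the parenthesised group is optional.
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_HEX_ARG_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


def parse_api_line(line):
    """Return a dict for one API reference line, or None if it is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = [a.strip() for a in raw.split(",")] if raw else []
    # Symbolic arguments are the strings the sandbox recovered (DLL names,
    # export names, paths); "?" and 8-digit hex values are unresolved or numeric.
    symbolic = [a for a in args if a and a != "?" and not _HEX_ARG_RE.match(a)]
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": args,
        "symbolic": symbolic,
        "ref": m.group("ref").upper(),
        "subcall": (m.group("sub") or "").upper() or None,
    }


def dynamic_imports(lines):
    """Map each LoadLibrary* target to the export names resolved through
    GetProcAddress before the matching FreeLibrary (or the next LoadLibrary).
    Pairing is positional, in the order the report lists the calls; lines
    reported from subcalls are skipped so the chain stays within one function."""
    resolved = OrderedDict()
    current = None
    for line in lines:
        rec = parse_api_line(line)
        if rec is None or rec["subcall"]:
            continue
        api = rec["api"]
        if api.startswith("LoadLibrary"):
            # The library name is the first recovered string argument.
            current = rec["symbolic"][0] if rec["symbolic"] else "<unknown>"
            resolved.setdefault(current, [])
        elif api == "GetProcAddress" and current is not None:
            # The export name is the last recovered string argument; the handle
            # is numeric or omitted, as in "GetProcAddress.KERNEL32(FDICopy)".
            if rec["symbolic"]:
                resolved[current].append(rec["symbolic"][-1])
        elif api == "FreeLibrary":
            current = None
    return resolved


if __name__ == "__main__":
    for lib, exports in dynamic_imports(SAMPLE_LINES).items():
        print(lib, "->", ", ".join(exports))
```

          Because the pairing is positional, a GetProcAddress that the report lists between two LoadLibrary calls is attributed to the nearer one even when the handle actually came from elsewhere; treat the output as a triage hint to be confirmed against the addresses in the ref fields.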

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 40bc87-40c160. Win32 calls on the graph: lstrcatA, lstrcmpA (2 calls).
          APIs
          • __EH_prolog.LIBCMT ref: 0040BC8C
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrcatA.KERNEL32(000010B4, ISSCHEDULEREBOOT=1,00000001,00000001,000008AC,000008AC,?,00000000,?,?,000000AC,?,?,00000000,00000000,?), ref: 0040BFB1
          • lstrcmpA.KERNEL32(00000000,00432C20,ISScript10.Msi,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\_is8C78,00000001,000008AC,000008AC,?,00000000,?,?,000000AC,?), ref: 0040C06C
          • lstrcmpA.KERNEL32(00000000,00432C20,000008AC,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\_is8C78,00000001,000008AC,000008AC,?,00000000,?,?,000000AC,?), ref: 0040C0D3
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file as listed above)
          Similarity
          • API ID: H_prologlstrcmp$lstrcat
          • String ID: ISSCHEDULEREBOOT=1$C:\Users\user\AppData\Local\Temp\_is8C78$ISSCHEDULEREBOOT=1$ISScript10.Msi$Y$instmsi30.exe
          • API String ID: 1767750232-2968674158
          • Opcode ID: e2cddcc59c3728fd5e68c2b08e25d7a91800263b285eb8aadc3bee2c13b4309b
          • Instruction ID: f6a89a3bc8ef52a3cd8c924adc9c34eea6ff7e75d9d5663bcbd9f9f840d7ecc1
          • Opcode Fuzzy Hash: e2cddcc59c3728fd5e68c2b08e25d7a91800263b285eb8aadc3bee2c13b4309b
          • Instruction Fuzzy Hash: D6E17D71A0021A9ADF20DBA5CC81BEFB7B9EF44304F10457BA515B22C1DB789A84CF99

          Control-flow Graph
          • Rendered graph not included in this export; basic blocks 41363a-413ba1. Win32 calls on the graph: lstrcpyA, IsValidCodePage, lstrlenA, wsprintfA.
          APIs
          • __EH_prolog.LIBCMT ref: 0041363F
            • Part of subcall function 00411E38: GetVersionExA.KERNEL32(?,?), ref: 00411E65
            • Part of subcall function 00411E38: GetSystemInfo.KERNELBASE(?), ref: 00411EA5
          • lstrcpyA.KERNEL32(?,?,00000452,?,0000044F,?,?,?,00000000,00413262,?,00000000), ref: 004136E7
          • IsValidCodePage.KERNEL32(?,00000BBA,00000064,?,?,00000000,?,?,?,0000044F,?,?,?,00000000,00413262), ref: 00413841
            • Part of subcall function 0040A279: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_is8C78,?,?,?,0040971E,00000000,00000BBA,00000064,?,?,00000000,?,?,?,00000000,004089A0), ref: 0040A28B
            • Part of subcall function 0040A279: lstrcpyA.KERNEL32(0404,0804,?,?,0040971E,00000000,00000BBA,00000064,?,?,00000000,?,?,?,00000000,004089A0,00408C05), ref: 0040A295
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
            • Part of subcall function 00416211: GetFileAttributesA.KERNELBASE(?,00416290,00404BCA,00000000,00404BCA,?), ref: 00416215
            • Part of subcall function 00415862: wsprintfA.USER32 ref: 00415898
            • Part of subcall function 00415862: wvsprintfA.USER32(?,?,?), ref: 004158B3
          • wsprintfA.USER32 ref: 00413AD6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpy$wsprintf$AttributesCodeFileH_prologInfoPageSystemValidVersionlstrcatlstrcpynlstrlenwvsprintf
          • String ID: /LangTransform$C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\Desktop
          • API String ID: 3496098149-3166154231
          • Opcode ID: df5a27297e30d6db70a32f7d2f8b503fa0ba85ba72160fade70c736f097d5e56
          • Instruction ID: 2b1494c4ab2eec5d2534514264a3252fd286477d52be534ed34c29f76248626a
          • Opcode Fuzzy Hash: df5a27297e30d6db70a32f7d2f8b503fa0ba85ba72160fade70c736f097d5e56
          • Instruction Fuzzy Hash: 71E175B1A00219AADF10EF65DC41AEF77BCAF04349F10446FF546A2291DB789F84CB69

          Control-flow Graph
          APIs
          • __EH_prolog.LIBCMT ref: 00413D0D
            • Part of subcall function 00413FFA: __EH_prolog.LIBCMT ref: 00413FFF
            • Part of subcall function 00413FFA: LoadCursorA.USER32(00000000,00007F02), ref: 00414036
            • Part of subcall function 00413FFA: SetCursor.USER32(00000000), ref: 00414043
            • Part of subcall function 00413FFA: wsprintfA.USER32 ref: 004140D3
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00405355: __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00405355: lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          • wsprintfA.USER32 ref: 00413DC6
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • wsprintfA.USER32 ref: 00413DF7
            • Part of subcall function 00413FFA: SetCursor.USER32(?,?,?,00000000), ref: 0041412A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$Cursorwsprintf$Loadlstrcatlstrcmplstrcpynlstrlen
          • String ID: %s%d$0x0%s.ini$C:\Users\user\AppData\Local\Temp\_is8C78$Languages$count$key
          • API String ID: 518287624-2929430981
          • Opcode ID: 91bf608226f6018bdc8523ca51542ae6e250f60a52bfebd83636cdf24a61f662
          • Instruction ID: d25e7ffd41ee072c863aeaa81c924f131db9849a4048e32247f78dcf12e31996
          • Opcode Fuzzy Hash: 91bf608226f6018bdc8523ca51542ae6e250f60a52bfebd83636cdf24a61f662
          • Instruction Fuzzy Hash: 2C315F71A40219AADF10DF95DD82BEEBB78AF18704F50046BB505B31C1D7B85B898A58

          Control-flow Graph
          APIs
          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,00000138,?,00415011,?,00000000,?,00000000,?), ref: 00415051
          • GetLastError.KERNEL32(?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0041505B
          • CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,?,00000000,00000000,?,00415011,?,00000000,?), ref: 00415093
          • GetLastError.KERNEL32(?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0041509D
          • CloseHandle.KERNEL32(00000000,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 004150AF
          • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 00415120
          • WriteFile.KERNELBASE(?,00000000,?,?,00000000,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0041514F
          • CloseHandle.KERNELBASE(00000000,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0041519F
          • FlushFileBuffers.KERNEL32(?,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 004151A4
          • CloseHandle.KERNEL32(?,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 004151AD
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$CloseHandle$CreateErrorLast$BuffersFlushReadWrite
          • String ID:
          • API String ID: 753791736-0
          • Opcode ID: 7540b6d33471617d66b6b52478e7555a6cfaea1fa6407777706c9cc1ae2dbeac
          • Instruction ID: 4053a2d107b5f0e0d3c3a0a11e79c3450f555b0e39367a68587d0e66d339f155
          • Opcode Fuzzy Hash: 7540b6d33471617d66b6b52478e7555a6cfaea1fa6407777706c9cc1ae2dbeac
          • Instruction Fuzzy Hash: 63514571D00209FFDF219FA0CC84AEEBF79EF48354F14446AE500A62A0D7365D91DBA9

          Control-flow Graph
          APIs
            • Part of subcall function 00415A7C: GetFileVersionInfoSizeA.VERSION(0001040E,00000001,?,?,?,?), ref: 00415AAD
            • Part of subcall function 00415A7C: GetFileVersionInfoA.VERSION(0001040E,00000000,00000000,00000000,?,?,0001040E,00000001,?,?,?,?), ref: 00415AD9
            • Part of subcall function 00415A7C: VerQueryValueA.VERSION(00000000,0042EC0C,0001040E,00000000,00000000,00000000,00000000,?,?,0001040E,00000001,?,?,?,?), ref: 00415B0C
            • Part of subcall function 00415A7C: wsprintfA.USER32 ref: 00415B36
            • Part of subcall function 00415A7C: VerQueryValueA.VERSION(00000000,\VarFileInfo\Translation,0001040E,00000000,0042EC0C,0001040E,00000000,00000000,00000000,00000000,?,?,0001040E,00000001), ref: 00415B5E
          • GetTempPathA.KERNEL32(00000400,00000000,?,?,00000000,00000000), ref: 0040D728
          • GetWindowsDirectoryA.KERNEL32(00000000,00000400,?,?,00000000,00000000), ref: 0040D74C
            • Part of subcall function 0040D33C: lstrcatA.KERNEL32(?,0042EC0C,?,?,?,00000400), ref: 0040D3A6
          • wsprintfA.USER32 ref: 0040D82A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: FileInfoQueryValueVersionwsprintf$DirectoryPathSizeTempWindowslstrcat
          • String ID: Msi.DLL$SupportOS$SupportOSMsi12$SupportOSMsi30$Y
          • API String ID: 1913156139-835925834
          • Opcode ID: 1edf7878e1ab73f865484315f5ef4d47c7803c0c17629651ead117228687d04e
          • Instruction ID: ffa1db5f944951145752e2af7c54dd59241da677e7fd9e8815979e65128be23b
          • Opcode Fuzzy Hash: 1edf7878e1ab73f865484315f5ef4d47c7803c0c17629651ead117228687d04e
          • Instruction Fuzzy Hash: EC51DB72F042546ADF20A6B5CC41BEB76ADAF48304F0404BBE605F61D1DB7CDD498A5D
          APIs
          • lstrcpyA.KERNEL32(?,?,00000028,00000000), ref: 0040182F
          • LoadIconA.USER32(00409A1D,?), ref: 00401859
          • LoadCursorA.USER32(00000000,00007F00), ref: 00401868
          • GetStockObject.GDI32(00000004), ref: 00401873
          • RegisterClassA.USER32(00000003), ref: 0040188C
          • CreateWindowExA.USER32(00000000,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00409A1D,?), ref: 004018B2
          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004018CD
          • TranslateMessage.USER32(?), ref: 004018D7
          • DispatchMessageA.USER32(?), ref: 004018E1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message$Load$ClassCreateCursorDispatchIconObjectRegisterStockTranslateWindowlstrcpy
          • String ID:
          • API String ID: 287182888-0
          • Opcode ID: 79e32a0b03fb9aa940e8aaeac185e8feba30adb3842c68d23498d547982e3dc8
          • Instruction ID: 8c8f4d7181da596241aceb4a7e693af3f9165e955825e654131a3811e35b4798
          • Opcode Fuzzy Hash: 79e32a0b03fb9aa940e8aaeac185e8feba30adb3842c68d23498d547982e3dc8
          • Instruction Fuzzy Hash: 51210CB2A00219ABDB20DF91DD48EDF7BBCEF49790F504036FA05E2150D7749A06CBA8
          APIs
          • __EH_prolog.LIBCMT ref: 00401FED
          • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000), ref: 0040201C
            • Part of subcall function 00403300: CloseHandle.KERNEL32(00000000,?,0040243E,00000001,000000FF,?,?,00000000,000000FF,?,?,?,00000000), ref: 0040330B
          • WriteFile.KERNELBASE(?,00429478,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00000000,],00000000,00000000,?,00000000), ref: 00402197
            • Part of subcall function 0040484B: __EH_prolog.LIBCMT ref: 00404850
          • WriteFile.KERNELBASE(?,00429478,00000000,?,00000000,00000001,00000001,00000001,00000001,00000001,00000000,00000000), ref: 004022F2
          • WriteFile.KERNELBASE(?,00429478,00000000,?,00000000,0042E108,00000000,?,?), ref: 00402345
          • CloseHandle.KERNELBASE(000000FF,00000001,?,00000000,?,00000000), ref: 0040239F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$Write$CloseH_prologHandle$Create
          • String ID: ]
          • API String ID: 3589048906-3462329250
          • Opcode ID: 050f1465743b0c508a81d5e82d6663457f4408144b7076d2cc8acfda97ae1913
          • Instruction ID: e8047b4429106d455b7806433deb0c01ffebd4565cbde36201b945f4f3146d71
          • Opcode Fuzzy Hash: 050f1465743b0c508a81d5e82d6663457f4408144b7076d2cc8acfda97ae1913
          • Instruction Fuzzy Hash: 2BC19EB0D00249EEDF01EBA4C985AEEBB78AF14304F5040AEF455B72D2DB785B45CB69
          APIs
          • __EH_prolog.LIBCMT ref: 00413FFF
          • LoadCursorA.USER32(00000000,00007F02), ref: 00414036
          • SetCursor.USER32(00000000), ref: 00414043
          • wsprintfA.USER32 ref: 004140D3
          • SetCursor.USER32(?,?,?,00000000), ref: 0041412A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Cursor$H_prologLoadwsprintf
          • String ID: %s: %s$C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 778846815-57566482
          • Opcode ID: 8206778723b1b62ede963a0ea5c98150b76f000b2c5a3286f6177c9270f0a5b4
          • Instruction ID: 7e8748a7b4401dd802071fbb6803f56d6f5855eb4143eec754a3944afbeaa9b9
          • Opcode Fuzzy Hash: 8206778723b1b62ede963a0ea5c98150b76f000b2c5a3286f6177c9270f0a5b4
          • Instruction Fuzzy Hash: 2741B671A00209AADF10EF60DC45BEE77B8BB44304F10447BF615A61D1EB789E88CF98
          APIs
          • CreateFileA.KERNELBASE(00000001,80000000,?,0000000C,00000001,00000080,00000000,?,00000000,00000000), ref: 00425144
          • GetLastError.KERNEL32 ref: 00425150
          • GetFileType.KERNELBASE(00000000), ref: 00425165
          • CloseHandle.KERNEL32(00000000), ref: 00425170
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$CloseCreateErrorHandleLastType
          • String ID: @$H
          • API String ID: 1809617866-104103126
          • Opcode ID: be4a81f695f271a53a1f0450c15133b1ed7a87ca27f129f935b49c9916289c8b
          • Instruction ID: cbfa7a5e8ffe03aa175bef9cdf5a3f311002db619cef951524af3910d8a1859a
          • Opcode Fuzzy Hash: be4a81f695f271a53a1f0450c15133b1ed7a87ca27f129f935b49c9916289c8b
          • Instruction Fuzzy Hash: 07814831F04A35AAEF204E68AC447BF7B60AF01324F94415BE9119B3D1C77D8D45879E
          APIs
          • __EH_prolog.LIBCMT ref: 0041426A
          • wsprintfA.USER32 ref: 00414358
            • Part of subcall function 0040FB20: __EH_prolog.LIBCMT ref: 0040FB25
            • Part of subcall function 0040FB20: SetLastError.KERNEL32(?,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FB8B
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$ErrorLastwsprintf
          • String ID: %s$ %s"%s"$ %s%s
          • API String ID: 3467476366-1501842002
          • Opcode ID: a88944aa9a4e9589e7a65b9dcd9142193b55c58044ba3f0194ee48fe09f7cf77
          • Instruction ID: bdaaf7bb3745ad98bef76571a3cf62e7a31d36c4a33941dd1bcc5685dceb8e60
          • Opcode Fuzzy Hash: a88944aa9a4e9589e7a65b9dcd9142193b55c58044ba3f0194ee48fe09f7cf77
          • Instruction Fuzzy Hash: 18411232A0025DAFDB24DB64CC51AEEBB69EB44310F4001BFF952A7281D7385E89CB18
          APIs
            • Part of subcall function 00405355: __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00405355: lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          • wsprintfA.USER32 ref: 0041443D
          • CharNextA.USER32(?), ref: 00414450
          • CharNextA.USER32(00000000), ref: 00414453
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
            • Part of subcall function 00413FFA: __EH_prolog.LIBCMT ref: 00413FFF
            • Part of subcall function 00413FFA: LoadCursorA.USER32(00000000,00007F02), ref: 00414036
            • Part of subcall function 00413FFA: SetCursor.USER32(00000000), ref: 00414043
            • Part of subcall function 00413FFA: wsprintfA.USER32 ref: 004140D3
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
            • Part of subcall function 00416211: GetFileAttributesA.KERNELBASE(?,00416290,00404BCA,00000000,00404BCA,?), ref: 00416215
            • Part of subcall function 004160AF: lstrcpyA.KERNEL32(?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160E1
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$CharCursorNextwsprintf$AttributesFileLoadlstrcatlstrcmplstrcpylstrcpynlstrlen
          • String ID: %#x$C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\Desktop$b2A
          • API String ID: 4126524183-2731317918
          • Opcode ID: 3e143eca001faa6479d88221271c6ef427c374228befa393080b1def5325d364
          • Instruction ID: 11fc2942dd39d2a20a59e54ffb67c128428a79429a4ab8195294d63c95a6efea
          • Opcode Fuzzy Hash: 3e143eca001faa6479d88221271c6ef427c374228befa393080b1def5325d364
          • Instruction Fuzzy Hash: 2E3175B16001197ADF21DB65CC46FEF776C9B48304F10407BBA05F6191DA78AEC68AA8
          APIs
          • CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004153E7
          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 00415401
          • UnmapViewOfFile.KERNEL32(?,00000000,74DF34C0,?,00000000), ref: 00415498
          • CloseHandle.KERNELBASE(?,?,00000000), ref: 004154A3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$View$CloseCreateHandleMappingUnmap
          • String ID: .debug$.rdata
          • API String ID: 289744089-4039274918
          • Opcode ID: f2afb3cf8412a3c4033881e505f1bf68ccb66f4ea207dc8041c17a3f23f4960a
          • Instruction ID: 2faa17d0b3f6acb8cbe8072b38c97ffcad8939cf7dfbdebec1b1f55f0803dbcd
          • Opcode Fuzzy Hash: f2afb3cf8412a3c4033881e505f1bf68ccb66f4ea207dc8041c17a3f23f4960a
          • Instruction Fuzzy Hash: A5218171600508FFDB10DF58CC84FEEBB69EB84359F54882AE10697241C674ACC0CA69
          APIs
          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 0041530A
          • GetLastError.KERNEL32(?,00000000), ref: 00415317
          • ReadFile.KERNELBASE(00000000,?,00000040,00416DFA,00000000,?,00000000), ref: 00415337
          • ReadFile.KERNELBASE(00000000,?,00000018,00416DFA,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0041535A
          • ReadFile.KERNEL32(00000000,?,00000028,00416DFA,00000000,00000000,?,00000000,00000001,?,00000000), ref: 00415390
          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000001,?,00000000), ref: 004153C1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$Read$CloseCreateErrorHandleLast
          • String ID:
          • API String ID: 2896028077-0
          • Opcode ID: 2de126913c9aeb7e24df1d4ad6143c3a9fecb1f6dbc6f5a42101ad5b528a6836
          • Instruction ID: bf5389512e7fd43bdd8aa53d4e7b6cf0a3e0fbd265521a04919bf61829824730
          • Opcode Fuzzy Hash: 2de126913c9aeb7e24df1d4ad6143c3a9fecb1f6dbc6f5a42101ad5b528a6836
          • Instruction Fuzzy Hash: 22314D71D0061CFBDB20DBA5CC85EEFBBBCEB88750F10445AB921A7181D6B49A80CB64
          APIs
          • lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,000000FF), ref: 00416476
          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,000000FF), ref: 00416493
          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004164AA
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004164C0
          • GetExitCodeProcess.KERNELBASE(?,00000001), ref: 004164DF
          • CloseHandle.KERNEL32(?,?,?,?,?,?,000000FF), ref: 004164F0
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Process$CloseCodeCreateExitHandleMessageMultipleObjectsPeekWaitlstrcpy
          • String ID:
          • API String ID: 324600049-0
          • Opcode ID: 768e1bbdf3b721ecf0d36f569ddceb51d74f8214c5a2a9c2da56fd111486bc0c
          • Instruction ID: b246772a383b7bcf24a27023f850cfaa7d99911bb8fbd829d66d9b588cf6e7e1
          • Opcode Fuzzy Hash: 768e1bbdf3b721ecf0d36f569ddceb51d74f8214c5a2a9c2da56fd111486bc0c
          • Instruction Fuzzy Hash: 44213671D01229BADB20DBAADD08DEFBB7CEF45760F604126F508A2151D3349A45CBA9
          APIs
          • lstrlenA.KERNEL32(?,00000000,00000000,?,?), ref: 0041619B
          • lstrcpyA.KERNEL32(00000000,?,?,?), ref: 004161AD
          • lstrcatA.KERNEL32(00000000,0042EC0C,?,?), ref: 004161B9
          • lstrlenA.KERNEL32(00000000,?,?), ref: 004161C2
          • CreateDirectoryA.KERNELBASE(00000000,00000000,?,?), ref: 004161D7
          • GetLastError.KERNEL32(?,?), ref: 004161E1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrlen$CreateDirectoryErrorLastlstrcatlstrcpy
          • String ID:
          • API String ID: 4043630017-0
          • Opcode ID: 7fe51da91f8cf24f995f35b211de79bb491e0f27a82fa65241ecbc9b6b0aeae9
          • Instruction ID: c27f80109057ef02e83cdf4dbf9d5c11d94ace95d8825f7bad64a0dc54e6b5bd
          • Opcode Fuzzy Hash: 7fe51da91f8cf24f995f35b211de79bb491e0f27a82fa65241ecbc9b6b0aeae9
          • Instruction Fuzzy Hash: BD014932209310BBE7216B51EC08BAF7B88DF83361F11046EF24181152CB798C4686AE
          APIs
          • __EH_prolog.LIBCMT ref: 004088EA
            • Part of subcall function 00409A43: RegOpenKeyExA.KERNELBASE(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,00000000,?,?,?,00408905,?,00000000,00000000), ref: 00409A5A
            • Part of subcall function 00409A43: RegQueryValueExA.ADVAPI32(00000000,SetupLogFileName,00000000,00000000,004338E4,00000000,?,?,?,00408905,?), ref: 00409A80
            • Part of subcall function 00409A43: RegCloseKey.ADVAPI32(00000000,?,?,?,00408905,?), ref: 00409A94
            • Part of subcall function 00412E18: __EH_prolog.LIBCMT ref: 00412E1D
            • Part of subcall function 00412E18: GetModuleFileNameA.KERNEL32(00000000), ref: 00412F23
          • lstrlenA.KERNEL32(?,?,?,00000000,00000000), ref: 00408A26
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
            • Part of subcall function 00414265: __EH_prolog.LIBCMT ref: 0041426A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$lstrlen$CloseFileModuleNameOpenQueryValuelstrcatlstrcpyn
          • String ID: /f1$KEY$PASSWORD
          • API String ID: 3634418926-3130367788
          • Opcode ID: 2d8eed58c60d623ff6893f2adb21f39ec3f764d09f8dbbda8c435f39b22d7d21
          • Instruction ID: 05069148a39b3188259594b222f690a5c1ca1116a01bb013c369124e92a58643
          • Opcode Fuzzy Hash: 2d8eed58c60d623ff6893f2adb21f39ec3f764d09f8dbbda8c435f39b22d7d21
          • Instruction Fuzzy Hash: DB51DF30A00608EBDB20EF65D941AEEB7B4AF44344F10417FA586A76E2DB385A85CF58
          APIs
          • RegOpenKeyExA.KERNELBASE(80000001,Software\InstallShield\ISWI\7.0\SetupExeLog,00000000,00000001,00000000,?,?,?,00408905,?,00000000,00000000), ref: 00409A5A
          • RegQueryValueExA.ADVAPI32(00000000,SetupLogFileName,00000000,00000000,004338E4,00000000,?,?,?,00408905,?), ref: 00409A80
          • RegCloseKey.ADVAPI32(00000000,?,?,?,00408905,?), ref: 00409A94
          Strings
          • SetupLogFileName, xrefs: 00409A78
          • Software\InstallShield\ISWI\7.0\SetupExeLog, xrefs: 00409A50
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseOpenQueryValue
          • String ID: SetupLogFileName$Software\InstallShield\ISWI\7.0\SetupExeLog
          • API String ID: 3677997916-622478307
          • Opcode ID: 70ca3ff003dc8fb7370ca4e8b66675158f1f4158cf1c22ce35aa72d229fd7a10
          • Instruction ID: 117d354fa023cb0a3fe3639ff2a13d5db72b950efb59a4a7dee09c2449169d7a
          • Opcode Fuzzy Hash: 70ca3ff003dc8fb7370ca4e8b66675158f1f4158cf1c22ce35aa72d229fd7a10
          • Instruction Fuzzy Hash: 64F03070740249BFEB209B91DC46FDA7BACAB00B08FA00066B904B11D1D3F56E449A1C
          APIs
            • Part of subcall function 0040D9EB: __EH_prolog.LIBCMT ref: 0040D9F0
          • lstrcpyA.KERNEL32(00000001,?,00000000,00000000,00000000,?,00000400,00000000,00000000,?,00000104,?,dotnetfx.exe,00000000), ref: 0040DDEC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologlstrcpy
          • String ID: /URL$C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\Desktop$dotnetfx.exe
          • API String ID: 3221978047-2884665157
          • Opcode ID: 6bb0fb2c13a16ec04dd543b987faa7808c244287ce8ef06be084b65d4a2b97b5
          • Instruction ID: 05732c6bc0c76052300ae6d950517e43cf54b02802e46d5491730c28d25ef410
          • Opcode Fuzzy Hash: 6bb0fb2c13a16ec04dd543b987faa7808c244287ce8ef06be084b65d4a2b97b5
          • Instruction Fuzzy Hash: B0416072900209BBDF219F91DD41EEFBB79EF84704F10447BB645B7180DA399E868B68
          APIs
          • __EH_prolog.LIBCMT ref: 00416DA9
          • GetModuleFileNameA.KERNEL32(?,00000104,?,?,00000000), ref: 00416DE2
            • Part of subcall function 00414D56: __EH_prolog.LIBCMT ref: 00414D5B
            • Part of subcall function 00414D56: lstrcpyA.KERNEL32(?,?,?,00000104,?,?,00416DFA,?,?,00000000), ref: 00414DA2
            • Part of subcall function 00414D56: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00416DFA,?,?,00000000), ref: 00414DC8
            • Part of subcall function 00414D56: GetLastError.KERNEL32(?,?,00416DFA,?,?,00000000), ref: 00414DD9
          • GetTempPathA.KERNEL32(00000104,?,?,00000000), ref: 00416E4D
          • GetTempFileNameA.KERNELBASE(?,0042F548,00000000,?,?,00000000), ref: 00416E67
          • DeleteFileA.KERNELBASE(?,?,?,00432C20,?,?,?,?,?,?,?,?,?,00000000), ref: 00416F14
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$H_prologNameTemp$CreateDeleteErrorLastModulePathlstrcpy
          • String ID:
          • API String ID: 4180295325-0
          • Opcode ID: 5e24840842818456be476a3538a54bd39976c2f8fc7810f9c47d3bbca7c4ef81
          • Instruction ID: 5bf2ecd8da5cc0165acaa55d751d16fd6cb8b21d48a57ee7539fc100a74ae452
          • Opcode Fuzzy Hash: 5e24840842818456be476a3538a54bd39976c2f8fc7810f9c47d3bbca7c4ef81
          • Instruction Fuzzy Hash: C341847290125CBFDF11DBA4DD55ADEBB78AB05304F0045EAE209B3191DB395B89CF18
          APIs
          • __EH_prolog.LIBCMT ref: 004080D0
          • GetWindowDC.USER32(00000000,?,?,00000000,00000000), ref: 004081B0
          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004081CB
          • DeleteObject.GDI32(00000000), ref: 004081DE
          • ReleaseDC.USER32(00000000,?), ref: 004081EC
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: BitmapCreateDeleteH_prologObjectReleaseWindow
          • String ID:
          • API String ID: 2483735875-0
          • Opcode ID: db08675c406b149eca0314adeb2c3833fe97c1b765059fce9879b9c9f1709528
          • Instruction ID: 97effbd713145b632f08af2f1ae4acf66c00515c09a6ee7aa1c610b34ce4a0d3
          • Opcode Fuzzy Hash: db08675c406b149eca0314adeb2c3833fe97c1b765059fce9879b9c9f1709528
          • Instruction Fuzzy Hash: BB418BB1E00209DFDB14DFA4DD81AEEBBB9FF08304F10416EE515A7291DB349A45CB18
          APIs
          • __EH_prolog.LIBCMT ref: 00414D5B
          • lstrcpyA.KERNEL32(?,?,?,00000104,?,?,00416DFA,?,?,00000000), ref: 00414DA2
            • Part of subcall function 004152E0: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 0041530A
            • Part of subcall function 004152E0: GetLastError.KERNEL32(?,00000000), ref: 00415317
          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00416DFA,?,?,00000000), ref: 00414DC8
          • GetLastError.KERNEL32(?,?,00416DFA,?,?,00000000), ref: 00414DD9
          • ReadFile.KERNELBASE(?,?,0000002E,?,00000000,?,?,00000000,00000000,00416DFA,?,?,00000000), ref: 00414E39
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$CreateErrorLast$H_prologReadlstrcpy
          • String ID:
          • API String ID: 4136833577-0
          • Opcode ID: a2b979c12fb2496fad3b649c509f359525a656c7fd9984d987e15e3412e315b9
          • Instruction ID: 88555992c6a47075417d6c59aeb11395342d6231e20030ca7fb2a7255c6b6696
          • Opcode Fuzzy Hash: a2b979c12fb2496fad3b649c509f359525a656c7fd9984d987e15e3412e315b9
          • Instruction Fuzzy Hash: 9D318170600704ABD7209F26C805FDBBBE9EFC4B04F40491FF5A996251D7B599C1CBA8
          APIs
          • DefWindowProcA.USER32(?,?,?,?), ref: 00401919
          • PostMessageA.USER32(?,00000002,00000000,00000000), ref: 0040194C
          • KillTimer.USER32(?,000005DC), ref: 00401963
          • PostQuitMessage.USER32(00000000), ref: 0040196B
          • SetTimer.USER32(?,000005DC,00000BB8,00000000), ref: 0040198C
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: MessagePostTimer$KillProcQuitWindow
          • String ID:
          • API String ID: 707289242-0
          • Opcode ID: f9241905b30c5546549bc9d691d3e028a5d1a94d387306c215a55baf8759bbdd
          • Instruction ID: 1db7ab41f2656a4ca599abe84ace2e3080e4ae0d8337b0db4ad001ce691fae5f
          • Opcode Fuzzy Hash: f9241905b30c5546549bc9d691d3e028a5d1a94d387306c215a55baf8759bbdd
          • Instruction Fuzzy Hash: 57114C70240309FFDF219F58ED19BA93BA0BB08711F50A436FA05A92F0CBB49961DB1D
          APIs
          • __EH_prolog.LIBCMT ref: 004023BD
            • Part of subcall function 00402BDB: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,?,?,004023E4,000000FF,?,?,?,00000000), ref: 00402C15
            • Part of subcall function 00402BDB: CloseHandle.KERNEL32(00000000), ref: 00402C2D
          • CloseHandle.KERNELBASE(000000FF,00000001,00000001,00000001,00000001,00000001,?,00000000,?,00000000,00000000,00000000,00000000,0042E108,FFFFFFFF,00000000), ref: 00402781
            • Part of subcall function 00402D44: __EH_prolog.LIBCMT ref: 00402D49
            • Part of subcall function 00403241: __EH_prolog.LIBCMT ref: 00403246
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$CloseHandle$CreateFile
          • String ID: $=
          • API String ID: 1399107376-1616333665
          • Opcode ID: f73459655140e21ba7607c691c844c33c1935a377338210d48284eeb8672beb9
          • Instruction ID: c3ad17e2632d7bee339a329721da4102861ffcb5eb11586945b83b0b3349a857
          • Opcode Fuzzy Hash: f73459655140e21ba7607c691c844c33c1935a377338210d48284eeb8672beb9
          • Instruction Fuzzy Hash: 66C18B71C0414DAADF11EBE5C985AEEBF7CAF15308F0041AEE451B32C2DB781A49CB69
          APIs
            • Part of subcall function 00413164: lstrlenA.KERNEL32(?,00000000,00000000,00404B5A,00000000,00000001,?,?,00000000), ref: 0041316D
            • Part of subcall function 00413164: lstrcpyA.KERNEL32(00000000,?), ref: 00413189
            • Part of subcall function 00413164: lstrcpyA.KERNEL32(C:\Users\user\Desktop,?), ref: 00413191
            • Part of subcall function 00404CD5: GetTempPathA.KERNEL32(00000000,00000001,00000000,00000000,?,00404B7C,?,00000400,00000000,00000000,00000001,?,?,00000000), ref: 00404CF4
            • Part of subcall function 00404CD5: SetErrorMode.KERNELBASE(00008003), ref: 00404D03
            • Part of subcall function 00404CD5: GetWindowsDirectoryA.KERNEL32(00000001,?), ref: 00404D1B
            • Part of subcall function 00404CD5: lstrcpyA.KERNEL32(00000001,00432C20), ref: 00404D38
          • GetTempFileNameA.KERNELBASE(?,_is,00000000,?,?,00000400,00000000,00000000,00000001,?,?,00000000), ref: 00404BB8
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpy$Temp$DirectoryErrorFileModeNamePathWindowslstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$_is
          • API String ID: 369925637-258178718
          • Opcode ID: ce5eae08fa7dc5056a10f19653e0b076e00a51bc0b43eed89c02735517f645b9
          • Instruction ID: dd349eab3ac5c5e756ed0f92eb3801dd7f445bfb9e150e9a3f5337a82ced9dde
          • Opcode Fuzzy Hash: ce5eae08fa7dc5056a10f19653e0b076e00a51bc0b43eed89c02735517f645b9
          • Instruction Fuzzy Hash: 6541CFB57442046AEF147B725C82BAE61AD5B84709F00047FFA06F62C2EE7DDE86466C
          APIs
          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 0041FF17
          • GetLastError.KERNEL32 ref: 0041FF21
          • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 0041FFE7
          • GetLastError.KERNEL32 ref: 0041FFF1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorFileLastRead
          • String ID:
          • API String ID: 1948546556-0
          • Opcode ID: ef656bfb8fb7db3aa292c30f0cf71e07a65771aa5e48395bb9d230e5a230eb14
          • Instruction ID: 2a0b7545f91f2618a65c17e49611f06f4b63b601226c827f98655f9a378090b6
          • Opcode Fuzzy Hash: ef656bfb8fb7db3aa292c30f0cf71e07a65771aa5e48395bb9d230e5a230eb14
          • Instruction Fuzzy Hash: 7451E7347043959FEF218F58E8807EA7BF1AF02304F9444ABE8559B253D7789987CB1A
          APIs
          • GetTempPathA.KERNEL32(00000000,00000001,00000000,00000000,?,00404B7C,?,00000400,00000000,00000000,00000001,?,?,00000000), ref: 00404CF4
          • SetErrorMode.KERNELBASE(00008003), ref: 00404D03
          • GetWindowsDirectoryA.KERNEL32(00000001,?), ref: 00404D1B
          • lstrcpyA.KERNEL32(00000001,00432C20), ref: 00404D38
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: DirectoryErrorModePathTempWindowslstrcpy
          • String ID:
          • API String ID: 3576100887-0
          • Opcode ID: 43fe59fb3e82b3b1bb5bd4411dd433f10b0c2bc1c679a85b843c203b491107eb
          • Instruction ID: 6ea7eb102d136940164d86ddb326bfa321cf4d883db62d718690d10730d68f73
          • Opcode Fuzzy Hash: 43fe59fb3e82b3b1bb5bd4411dd433f10b0c2bc1c679a85b843c203b491107eb
          • Instruction Fuzzy Hash: AF0192B170020176EB3066731D49FAB799C9FD1B95F00087FBB05E1291E668CC018279
          APIs
          • IsWindow.USER32(00000000), ref: 0041417B
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • lstrlenA.KERNEL32(?), ref: 004141B0
          • wsprintfA.USER32 ref: 0041420C
          • SetWindowTextA.USER32(00000000,?), ref: 0041421F
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Windowwsprintf$LoadStringTextlstrlen
          • String ID:
          • API String ID: 1776808806-0
          • Opcode ID: a365812c494f6eb49333ad455260c038dc82efec70521a9ca48781e47b826052
          • Instruction ID: a21aec6b6cc8316cd6e6837025ecfbcc88bb4476fda46bc2e9b5bd727fd5ea1c
          • Opcode Fuzzy Hash: a365812c494f6eb49333ad455260c038dc82efec70521a9ca48781e47b826052
          • Instruction Fuzzy Hash: 27117071A0010DABDF64EF61EC0AADA776CEB04314F4080B7FA05D5091EF38DAD98B98
          APIs
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00409DD9
          • IsDialogMessageA.USER32(?,?,?,?,?,?,?,00409D6E,?,?,?,?,00000000,75C0FB50), ref: 00409DED
          • TranslateMessage.USER32(?), ref: 00409DFB
          • DispatchMessageA.USER32(?), ref: 00409E05
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message$DialogDispatchPeekTranslate
          • String ID:
          • API String ID: 1266772231-0
          • Opcode ID: af66ad28c62897ef312d3f2dbe9a6d5d7982a7bcb9088a5ed1792c437ceeea70
          • Instruction ID: 64589d62a8d81ce0b5ff859f3b902b01833b319c9d4d7c41b4c67045134c114e
          • Opcode Fuzzy Hash: af66ad28c62897ef312d3f2dbe9a6d5d7982a7bcb9088a5ed1792c437ceeea70
          • Instruction Fuzzy Hash: 65F0EC7190421AABCF21DBA5FC48DEB76ACBF44751B404432F801E21E1E738AD42CBE8
          APIs
            • Part of subcall function 00416211: GetFileAttributesA.KERNELBASE(?,00416290,00404BCA,00000000,00404BCA,?), ref: 00416215
          • SetErrorMode.KERNELBASE(00008001,00000000,00404BCA,?,00404BCA,00000000,00404BCA,?), ref: 004162B2
          • SetFileAttributesA.KERNELBASE(00404BCA,00000080), ref: 004162BA
          • DeleteFileA.KERNELBASE(00404BCA), ref: 004162C1
          • SetErrorMode.KERNELBASE(00000000), ref: 004162D0
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$AttributesErrorMode$Delete
          • String ID:
          • API String ID: 3807840792-0
          • Opcode ID: 4a81ac9eacbfb9ec60b4622aafa19e8b902da9f05b45c3f96e365fb193a46c68
          • Instruction ID: d2b41fb43d5c44d9f01863b275ad7284efd205633d05339334c96f7787cb0b9d
          • Opcode Fuzzy Hash: 4a81ac9eacbfb9ec60b4622aafa19e8b902da9f05b45c3f96e365fb193a46c68
          • Instruction Fuzzy Hash: 4AF0E53230522539E2203A616C41FDB625CAF91758F02006BF601E51D0CAB8DCC286BD
          APIs
          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00403379,00000000,?,?,00000000,?,?,00402BEE), ref: 00403B31
          • GetFileSize.KERNEL32(00000000,00000000,?,00403379,00000000,?,?,00000000,?,?,00402BEE,?,004023E4,000000FF,?,?), ref: 00403B3C
          • CloseHandle.KERNEL32(00000000,?,00403379,00000000,?,?,00000000,?,?,00402BEE,?,004023E4,000000FF,?,?,?), ref: 00403B4C
          • CloseHandle.KERNELBASE(00000000,?,00403379,00000000,?,?,00000000,?,?,00402BEE,?,004023E4,000000FF,?,?,?), ref: 00403B62
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseFileHandle$CreateSize
          • String ID:
          • API String ID: 4148174661-0
          • Opcode ID: 7a43a26dfef87b7a6846dec6acc702d4a4bfa6060929ae0b44f7f4178cfcf895
          • Instruction ID: 5bfdea2ddc0eabd6ee00184aaf4cd5ae33451e99be2c4925a2e76c3783d2fb37
          • Opcode Fuzzy Hash: 7a43a26dfef87b7a6846dec6acc702d4a4bfa6060929ae0b44f7f4178cfcf895
          • Instruction Fuzzy Hash: 6AF0B430741210B6D6302F345C48F963B68AB01765F500675F560BA1D1C778AD43857D
          APIs
          • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_is8C78,?,?,?,0040971E,00000000,00000BBA,00000064,?,?,00000000,?,?,?,00000000,004089A0), ref: 0040A28B
          • lstrcpyA.KERNEL32(0404,0804,?,?,0040971E,00000000,00000BBA,00000064,?,?,00000000,?,?,?,00000000,004089A0,00408C05), ref: 0040A295
          Strings
          • 0404,0804, xrefs: 0040A290
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 0040A286
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpy
          • String ID: 0404,0804$C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 3722407311-1136819542
          • Opcode ID: dd5f0fb268cea1de27d0148ebdfc9455c0465f2d982d683800cbae54de22ad2e
          • Instruction ID: 7299237acfdc891073b74e06ae79b318a976226740cfe3602577c828a2bfdc44
          • Opcode Fuzzy Hash: dd5f0fb268cea1de27d0148ebdfc9455c0465f2d982d683800cbae54de22ad2e
          • Instruction Fuzzy Hash: 3AF0F832500218BBCF126E81DC02EDA3F25AB08354F14406AFD08241A1D2779971ABAA
          APIs
          • SetErrorMode.KERNELBASE(00008001,00404BCA,004162A2,00404BCA,?,00404BCA,00000000,00404BCA,?), ref: 004162E6
          • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 004162FE
          • SetErrorMode.KERNEL32(00000000), ref: 0041630B
          • CloseHandle.KERNELBASE(00000000), ref: 00416313
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorMode$CloseCreateFileHandle
          • String ID:
          • API String ID: 1343785229-0
          • Opcode ID: e150b3757e55d765aab8804bbccae1db9e4fa1e35b15ba9a0ecb9842ef5df14b
          • Instruction ID: 5be2ba387fc4bde75ba3ebc4c1f18db673ce1ae62cb7d56b9b2f2ad5db8cf80a
          • Opcode Fuzzy Hash: e150b3757e55d765aab8804bbccae1db9e4fa1e35b15ba9a0ecb9842ef5df14b
          • Instruction Fuzzy Hash: 64E0EC32B94214BAF67017706C4AF863A54AB08B20F614E52F765B90E0CAA568819A6D
          APIs
          • IsWindow.USER32(004156A5), ref: 00409BA9
          • KillTimer.USER32(000003E9,?), ref: 00409BBF
          • KiUserCallbackDispatcher.NTDLL ref: 00409BD1
          • DestroyWindow.USER32 ref: 00409BD9
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Window$CallbackDestroyDispatcherKillTimerUser
          • String ID:
          • API String ID: 2023473011-0
          • Opcode ID: a43f2768c44ff2865ca0c71090aeb95c112cea160a85b82650227d8e1a36e7c8
          • Instruction ID: 9ed6a31af3ebda8ea9978b89d128482d8b7d5d8c3a99fbbda0f5e89981fb874c
          • Opcode Fuzzy Hash: a43f2768c44ff2865ca0c71090aeb95c112cea160a85b82650227d8e1a36e7c8
          • Instruction Fuzzy Hash: 60D09E756011159FCF656F21FC08A873F65FF487617451036E908911B0C7217C11DF9C
          APIs
          • lstrlenA.KERNEL32(?,?,0KA,?), ref: 00416082
          • GetDriveTypeA.KERNELBASE(?), ref: 00416094
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: DriveTypelstrlen
          • String ID: 0KA
          • API String ID: 1700768220-3380403018
          • Opcode ID: d94529fd3a9d00ade09245ae7801dd2abb21846d0a154e407ef9dac0ab9a5d1c
          • Instruction ID: c125f127b9783af4ed03635df3e66a3fea6e6d567159dbfd22b64d5763129ac1
          • Opcode Fuzzy Hash: d94529fd3a9d00ade09245ae7801dd2abb21846d0a154e407ef9dac0ab9a5d1c
          • Instruction Fuzzy Hash: 31F0E976A001086BDF30D764CC89BDB7BBCAB59300F1108A6E345D1040D7B8D9C98915
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Window$Text
          • String ID: :A
          • API String ID: 848690642-3225631715
          • Opcode ID: 4a050e70a72a3dedb8d1144e1b6fd9d20a12007bac28765cf3cfff4629b877e5
          • Instruction ID: 99c78c7c01fea75dca439414102ad2295f0ae9f3c4e138ea2417ba44b8d02e16
          • Opcode Fuzzy Hash: 4a050e70a72a3dedb8d1144e1b6fd9d20a12007bac28765cf3cfff4629b877e5
          • Instruction Fuzzy Hash: 25D0C936200111EBDB229F10ED0C9C6BBA9EF58341B104439B98991075C7335A52DB98
          APIs
          • lstrcpyA.KERNEL32(?,00000000,?,?,00000000), ref: 00415E94
          • CharNextA.USER32(00000000,?,00000000), ref: 00415EAD
          • lstrcpyA.KERNEL32(?,?,?,00000000), ref: 00415ECA
          • lstrcpyA.KERNEL32(?,00000000,?,00000000), ref: 00415ED0
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpy$CharNext
          • String ID:
          • API String ID: 3801418090-0
          • Opcode ID: db11e233760c391821831927e77d616c05bb9045a160866543e8781842cde734
          • Instruction ID: ca067a1b9738bef002f3beb96ef01809d96413181683eb51124180b1188b8f5a
          • Opcode Fuzzy Hash: db11e233760c391821831927e77d616c05bb9045a160866543e8781842cde734
          • Instruction Fuzzy Hash: 6F01D676A00719EEDB219B64EC40FEB3B6C9BC5355F140067A705D2180DA74DE81CBA8
          APIs
          • GetCurrentProcess.KERNEL32(00000000,?,0041D241,00000000,00000000,00000000,004141ED), ref: 0041D26B
          • TerminateProcess.KERNEL32(00000000), ref: 0041D272
          • ExitProcess.KERNEL32 ref: 0041D2F3
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          • API String ID: 1703294689-0
          • Opcode ID: 24fe41fc83821d7314cd469b2d809135c616e6a12036f13e6f5c1c0178eb27dd
          • Instruction ID: 8355172f84b27c0f8fc803c24c50c7f6c6106b2071c709affda7e4eed00bb23d
          • Opcode Fuzzy Hash: 24fe41fc83821d7314cd469b2d809135c616e6a12036f13e6f5c1c0178eb27dd
          • Instruction Fuzzy Hash: A0012BB1B083519AD7305F6AFC85AA97B94FB40314B10006FF96052290CB78DCC1CA1D
          APIs
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
          • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,00000000), ref: 00415DDC
          • CloseHandle.KERNEL32(00000000), ref: 00415DEC
          • DeleteFileA.KERNELBASE(?), ref: 00415DF9
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$CloseCreateDeleteHandlelstrcatlstrcpynlstrlen
          • String ID:
          • API String ID: 4178870998-0
          • Opcode ID: a83af7fbdd38fd88511bc998b11ca2e28533124cd1426be130a4fcc60144df67
          • Instruction ID: a68485ceb9b0fd8b88032e6e8fb5ca643609b576f938724cd306a9d58039b16c
          • Opcode Fuzzy Hash: a83af7fbdd38fd88511bc998b11ca2e28533124cd1426be130a4fcc60144df67
          • Instruction Fuzzy Hash: 75F065B2A00108BADF2067B0AC09FE737BDF704318F404AA5B705F20D0DA74E9868B6C
          APIs
            • Part of subcall function 0041622E: GetFileAttributesA.KERNELBASE(?,00404BE9,?,?), ref: 00416232
          • SetErrorMode.KERNELBASE(00008001,?,?,00000400,0040172A,?,?,?,00000400,?,?,?), ref: 00416267
          • RemoveDirectoryA.KERNELBASE(?), ref: 0041626D
          • SetErrorMode.KERNELBASE(00000000), ref: 0041627C
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorMode$AttributesDirectoryFileRemove
          • String ID:
          • API String ID: 2449359760-0
          • Opcode ID: 31505039d1d544c0be1bf51a20da3c5da74feaa23b563ffb27d20381b4c96211
          • Instruction ID: 210a3a28b398c19c72ac319bc262f82ca89fe32b8cf9e938efc49d9e186b76f3
          • Opcode Fuzzy Hash: 31505039d1d544c0be1bf51a20da3c5da74feaa23b563ffb27d20381b4c96211
          • Instruction Fuzzy Hash: E1E0CD3130411165EB30277BAC05FCB3F549BD0761F014477B508D51A0CA71CC92C664
          APIs
          • IsWindow.USER32(004053E3), ref: 00409D17
            • Part of subcall function 00409DAF: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00409DD9
            • Part of subcall function 00409DAF: IsDialogMessageA.USER32(?,?,?,?,?,?,?,00409D6E,?,?,?,?,00000000,75C0FB50), ref: 00409DED
            • Part of subcall function 00409DAF: TranslateMessage.USER32(?), ref: 00409DFB
            • Part of subcall function 00409DAF: DispatchMessageA.USER32(?), ref: 00409E05
          • GetDlgItem.USER32(000003EA), ref: 00409D34
          • SendMessageA.USER32(00000000,00000402,?,00000000), ref: 00409D46
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message$DialogDispatchItemPeekSendTranslateWindow
          • String ID:
          • API String ID: 1886797991-0
          • Opcode ID: 389496876a56deca05d398e9aabc52f83c63dc9f36ac50389a365bac3f3514af
          • Instruction ID: 397da7ff55335854a4f49fa49f3074bfd7a943def9f3464b505b52fafe1730a2
          • Opcode Fuzzy Hash: 389496876a56deca05d398e9aabc52f83c63dc9f36ac50389a365bac3f3514af
          • Instruction Fuzzy Hash: BEE0EC71740210ABDA21AB64FC09B8A3BA8FF88711F454074FA08A51F1C775AC12DB5C
          APIs
          • IsWindow.USER32(0040C7E0), ref: 00409BE3
          • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00409BFC
          • ShowWindow.USER32(00000000,?,?,?,?,?,?,?,00000000), ref: 00409C06
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Window$Show
          • String ID:
          • API String ID: 990937876-0
          • Opcode ID: 0f6af2821302793d8aa3baf5cd98b95671026598a9dcfce8bd19478d259fb9bd
          • Instruction ID: 55c91ec64b53efa6287610cc9e806370f4da36c8ca9434bc95447b33ddb5a37a
          • Opcode Fuzzy Hash: 0f6af2821302793d8aa3baf5cd98b95671026598a9dcfce8bd19478d259fb9bd
          • Instruction Fuzzy Hash: 41D0C931715125EAEA256F20FD09B863EA9FB84750F061036A508A10F0C7617C119B9C
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-410699589
          • Opcode ID: c56819eb801ec6e0288dde62390c13b2174e294e68937f871c5083c56ab1478b
          • Instruction ID: 8d378c70644f59dc9012044d434f33c4a9d5bfc8c0cbe601dd14b3f9c3b337a4
          • Opcode Fuzzy Hash: c56819eb801ec6e0288dde62390c13b2174e294e68937f871c5083c56ab1478b
          • Instruction Fuzzy Hash: 0331417690015CAACB05EBA5DD959DEBBBCAF18304F4041AFF405B3291EB7C9B48CB64
          APIs
          • __EH_prolog.LIBCMT ref: 0040C168
            • Part of subcall function 0040BC87: __EH_prolog.LIBCMT ref: 0040BC8C
            • Part of subcall function 00407381: lstrcpyA.KERNEL32(?,?,?,00000000,0040BFF8,00000000,C:\Users\user\AppData\Local\Temp\_is8C78,00000001,000008AC,000008AC,?,00000000,?,?,000000AC,?), ref: 0040739A
            • Part of subcall function 00407381: lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_is8C78,?,?,00000000,0040C1B2,00000000,?,?,?,?,?,00000000), ref: 004073A9
            • Part of subcall function 004073FB: __EH_prolog.LIBCMT ref: 00407400
            • Part of subcall function 004073E5: FreeLibrary.KERNELBASE(6E350000,0040C141,00000000,?,00000000,00000000,C:\Users\user\AppData\Local\Temp\_is8C78,00000001,000008AC,000008AC,?,00000000,?,?,000000AC,?), ref: 004073F4
          Strings
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 0040C1CC
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$lstrcpy$FreeLibrary
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 453652589-1593701051
          • Opcode ID: 5255881286fa0249510eb775fbcf04b589b73dcdcdcb32cb10c224ac043997f8
          • Instruction ID: 416a23529a1f11e1ef7d9eb4ccb018c94c77abf0e755f1029d77aec8ec7f334d
          • Opcode Fuzzy Hash: 5255881286fa0249510eb775fbcf04b589b73dcdcdcb32cb10c224ac043997f8
          • Instruction Fuzzy Hash: FD217FB1E0011DDADB60E7A1CC81BEFB6B8AB44314F1042BF9515B25C1DF385A85CAD9
          APIs
          • __EH_prolog.LIBCMT ref: 00412E1D
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 0040FE20: __EH_prolog.LIBCMT ref: 0040FE25
            • Part of subcall function 0040FE20: GetLastError.KERNEL32(?,?,00000000,?,0040FB50,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FE4E
            • Part of subcall function 0040FE20: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040FB50,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FE7C
          • GetModuleFileNameA.KERNEL32(00000000), ref: 00412F23
            • Part of subcall function 00414D56: __EH_prolog.LIBCMT ref: 00414D5B
            • Part of subcall function 00414D56: lstrcpyA.KERNEL32(?,?,?,00000104,?,?,00416DFA,?,?,00000000), ref: 00414DA2
            • Part of subcall function 00414D56: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00416DFA,?,?,00000000), ref: 00414DC8
            • Part of subcall function 00414D56: GetLastError.KERNEL32(?,?,00416DFA,?,?,00000000), ref: 00414DD9
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$ErrorLast$File$CreateModuleNamelstrcpy
          • String ID:
          • API String ID: 3951192609-0
          • Opcode ID: 8da611ae150e823e3e21708e3a6ef02e322eaf35d25e85336d7680e7d2b8c5a8
          • Instruction ID: 03521a6087333c951fe1c5906887ffb3708e6b699332e3562eb6420876b49b51
          • Opcode Fuzzy Hash: 8da611ae150e823e3e21708e3a6ef02e322eaf35d25e85336d7680e7d2b8c5a8
          • Instruction Fuzzy Hash: CA510EF5901748AEC721DF7AC885AD7FBECFB08304F40892EA2AED3201D77466448B64
          APIs
          • __EH_prolog.LIBCMT ref: 0040FB25
          • SetLastError.KERNEL32(?,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FB8B
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorH_prologLast
          • String ID:
          • API String ID: 1057991267-0
          • Opcode ID: 7d8780745d69f98d245f49ecf4d0e7c34f07ae73bb249f15e73e746a5163c662
          • Instruction ID: 76596d5fe84b3cf467c5882a31b9e4f587595788211e4bc540bb42e4ac1eb6bb
          • Opcode Fuzzy Hash: 7d8780745d69f98d245f49ecf4d0e7c34f07ae73bb249f15e73e746a5163c662
          • Instruction Fuzzy Hash: 38015E71610214EFDB259F54C814BDEBBB0EB04754F10813FB8156A291D7B9DD94CB88
          APIs
            • Part of subcall function 00403414: GetFileAttributesA.KERNELBASE(?,00402BE3,?,004023E4,000000FF,?,?,?,00000000), ref: 00403421
          • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000001,00000000,?,?,004023E4,000000FF,?,?,?,00000000), ref: 00402C15
          • CloseHandle.KERNEL32(00000000), ref: 00402C2D
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$AttributesCloseCreateHandle
          • String ID:
          • API String ID: 4216088276-0
          • Opcode ID: bfcb017092212453a6b14071cff55d305d38883d6dd0a7234e597dd8221be324
          • Instruction ID: a99f6eaea3a7c9b7b86cade573afdcbb4a325d5db4211a58286460eb01896927
          • Opcode Fuzzy Hash: bfcb017092212453a6b14071cff55d305d38883d6dd0a7234e597dd8221be324
          • Instruction Fuzzy Hash: EB018630608700AAEA385E285D4AB5B77956B61720F240B6AF8E0BB3D1C6B99C42C71D
          APIs
          • __EH_prolog.LIBCMT ref: 00407400
          • lstrcpyA.KERNEL32(00000000,00433480,?,?,?,00000000), ref: 00407431
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologlstrcpy
          • String ID:
          • API String ID: 3221978047-0
          • Opcode ID: 27c07be9cd5f595b8cf707550d056c2e6de798261ab8e0f3fc9fe6c4010fae28
          • Instruction ID: 1ee7c0323b941f183359ab85a6a08198237b495375df3080cd2762b38feaf57d
          • Opcode Fuzzy Hash: 27c07be9cd5f595b8cf707550d056c2e6de798261ab8e0f3fc9fe6c4010fae28
          • Instruction Fuzzy Hash: E6F03130A14105DBCB15EF75DC82BAD7B70AB10344F10953AA412B62E0D738EE05CA5E
          APIs
          • HeapCreate.KERNELBASE(00000000,00001000,00000000,0041DB6A,00000001), ref: 004208B3
            • Part of subcall function 0042075A: GetVersionExA.KERNEL32 ref: 00420779
          • HeapDestroy.KERNEL32 ref: 004208F2
            • Part of subcall function 004208FF: HeapAlloc.KERNEL32(00000000,00000140,004208DB,000003F8), ref: 0042090C
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Heap$AllocCreateDestroyVersion
          • String ID:
          • API String ID: 2507506473-0
          • Opcode ID: 51512293142271819ebbd5d6b359693aacbf4bbd31ce03f380d2be4e113781a5
          • Instruction ID: 10e9280ca2d105d80c91b2f53a2e1d39e8b4c68bfae6baea53d52721d1e6d0b9
          • Opcode Fuzzy Hash: 51512293142271819ebbd5d6b359693aacbf4bbd31ce03f380d2be4e113781a5
          • Instruction Fuzzy Hash: 5CF06531744312B9EF2137717C4976B75D4DB40745FE0483BF804C81A2EAB884C09599
          APIs
          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00406D6A
          • GetLastError.KERNEL32(00000000), ref: 00406D75
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorFileLastRead
          • String ID:
          • API String ID: 1948546556-0
          • Opcode ID: 856d42ed3f5715fe0e1568f33e2883930dc2f83dc37f786173aff59d995cbc5d
          • Instruction ID: d25fd05ed29d4ad366966937b69678ce2e8c3df54098d07fedf5649070ba3143
          • Opcode Fuzzy Hash: 856d42ed3f5715fe0e1568f33e2883930dc2f83dc37f786173aff59d995cbc5d
          • Instruction Fuzzy Hash: 66E01A71600209BBCF109FA1DC05F9E7BA8AB00359F104665BA15E50E0D375DA51AB58
          APIs
          • wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415987: __EH_prolog.LIBCMT ref: 0041598C
            • Part of subcall function 00415987: lstrlenA.KERNEL32(?,?,?,00432C20,?,0000012C,?,?), ref: 004159E4
          • LoadStringA.USER32(?,?,?), ref: 0041597F
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologLoadStringlstrlenwsprintf
          • String ID:
          • API String ID: 1702443186-0
          • Opcode ID: ad92670fe1fa6116c4a1aa42fd58e853bd6adf9573e721ab7f871aeddc04bcba
          • Instruction ID: 289731a7a5f2b23f5606053850396b3413ea51f0a6cd67871df9a773b44e99c3
          • Opcode Fuzzy Hash: ad92670fe1fa6116c4a1aa42fd58e853bd6adf9573e721ab7f871aeddc04bcba
          • Instruction Fuzzy Hash: 0EE0E57650020EFFCF01AFA0DC09CDE7B79BB08319F904021FA15A1061E636DA759F95
          APIs
          • GetTickCount.KERNEL32 ref: 00409E33
          • GetTickCount.KERNEL32 ref: 00409E44
            • Part of subcall function 00409DAF: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00409DD9
            • Part of subcall function 00409DAF: IsDialogMessageA.USER32(?,?,?,?,?,?,?,00409D6E,?,?,?,?,00000000,75C0FB50), ref: 00409DED
            • Part of subcall function 00409DAF: TranslateMessage.USER32(?), ref: 00409DFB
            • Part of subcall function 00409DAF: DispatchMessageA.USER32(?), ref: 00409E05
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message$CountTick$DialogDispatchPeekTranslate
          • String ID:
          • API String ID: 2347478412-0
          • Opcode ID: 489dfa4d07e7241c76ee9a204e6e97a7db1d752046244ad217c204688f484875
          • Instruction ID: 050411ee300b504b195ecd6f179a1566d1fb891414c72c83261421c19ba0a4f3
          • Opcode Fuzzy Hash: 489dfa4d07e7241c76ee9a204e6e97a7db1d752046244ad217c204688f484875
          • Instruction Fuzzy Hash: 37E04F31508615CBCB60F755EC4476AB3D4ABA1721F169437D005B21E2C7BCAC869FED
          APIs
          • SetFilePointer.KERNELBASE(00415081,00415081,00415081,00415081,00000080,6CCE74B0,00415081,00000000,?,00000000,00000000,?,00415011,?,00000000,?), ref: 00415582
          • GetLastError.KERNEL32(?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0041558A
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorFileLastPointer
          • String ID:
          • API String ID: 2976181284-0
          • Opcode ID: 143eb4e18064033f28b8c2e590be0ef37060b04d7a8fd42ca5389f3ef29732e0
          • Instruction ID: 67e689a8622aca136457e2061e3395f1adad4e12d3abfdedeac553d16c4d3a44
          • Opcode Fuzzy Hash: 143eb4e18064033f28b8c2e590be0ef37060b04d7a8fd42ca5389f3ef29732e0
          • Instruction Fuzzy Hash: 4BE01A32605601AFCA208E259C088CB7EA3DBD43A0F05092AF955C22A1DA71C89696A5
          APIs
            • Part of subcall function 00406E30: CreateFileA.KERNELBASE(00000000,00000000,?,00000000,00000000,00000001,00000000,?,?,?,?,00407417,00000000,00000000,?,00000000), ref: 00406E73
          • CloseHandle.KERNELBASE(00000000,FFFFD8EB,00000000,00407417), ref: 004070E8
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseCreateFileHandle
          • String ID:
          • API String ID: 3498533004-0
          • Opcode ID: 0348a3ebb73ddc6b0aef4ad64cabca53af01214e26d14602e0e1a62871f1d2d3
          • Instruction ID: be3689da5a3df1e379539372b29a1021d9efe794626f17ac27ea76b8029ecb00
          • Opcode Fuzzy Hash: 0348a3ebb73ddc6b0aef4ad64cabca53af01214e26d14602e0e1a62871f1d2d3
          • Instruction Fuzzy Hash: 0321C9B280411CBAD720ABA5BC85DEF776CDB45358F100177FA05F21C1E638AE558AFA
          APIs
          • CloseHandle.KERNELBASE(00000000,00000100,004251F4,0041FC86,004251F4,004251F4,00000100,00000000,004251F4,00000000), ref: 0041FCE8
          • GetLastError.KERNEL32 ref: 0041FCF2
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseErrorHandleLast
          • String ID:
          • API String ID: 918212764-0
          • Opcode ID: 78473bde1638215264d9d64f547ec3cde691fac9354f71a9a239a57977818916
          • Instruction ID: 9a6676376776baafccfe3ed6d7e66db45825b0f920fac0c32d45189317220745
          • Opcode Fuzzy Hash: 78473bde1638215264d9d64f547ec3cde691fac9354f71a9a239a57977818916
          • Instruction Fuzzy Hash: 5401BC3221192556E6207239BC09AEB6654AF81725B66062FFC12C72D2EE18988781AE
          APIs
          • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0041D055
            • Part of subcall function 004202D7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 00420314
            • Part of subcall function 004202D7: EnterCriticalSection.KERNEL32(?,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 0042032F
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CriticalSection$AllocateEnterHeapInitialize
          • String ID:
          • API String ID: 1616793339-0
          • Opcode ID: ff645242554b137137081468eb10e8fb27e1b2eff0e5b38489c33811021f1699
          • Instruction ID: d5df1cbf4ec4ba980c4a6580c689a837e14bb9af02eb27311b88ce3694df410a
          • Opcode Fuzzy Hash: ff645242554b137137081468eb10e8fb27e1b2eff0e5b38489c33811021f1699
          • Instruction Fuzzy Hash: 06219772A40215EBDB10DF69DD42BDABBA4EB04764F24411BF810EB2D1D77C9D828A6C
          APIs
          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074), ref: 0041D13E
            • Part of subcall function 004202D7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 00420314
            • Part of subcall function 004202D7: EnterCriticalSection.KERNEL32(?,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 0042032F
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CriticalSection$EnterFreeHeapInitialize
          • String ID:
          • API String ID: 641406236-0
          • Opcode ID: 7e1130abc88cd0e0535ba9a22f07fe38cbfac2d05d8312a9508827adb0fd6ec0
          • Instruction ID: 254e6f75be06a5a4313487cad1d69166096aabed759ebee386ad02762cc1b973
          • Opcode Fuzzy Hash: 7e1130abc88cd0e0535ba9a22f07fe38cbfac2d05d8312a9508827adb0fd6ec0
          • Instruction Fuzzy Hash: DE21C5B2D01214FADF219F95DC06BDEBBB8EB04724F24011BF411A21D1D77D9980C66D
          APIs
          • SysAllocStringLen.OLEAUT32(00000000,?), ref: 004116E0
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: AllocString
          • String ID:
          • API String ID: 2525500382-0
          • Opcode ID: 81fa3be68d5579c2ba8c217906279872f4ed9b2a76a3efa04c62d956b81b52f1
          • Instruction ID: 6d4c10a9928fc55d7c79a506d19a2ac6e154141a05ea1ec88bbc85a277b80999
          • Opcode Fuzzy Hash: 81fa3be68d5579c2ba8c217906279872f4ed9b2a76a3efa04c62d956b81b52f1
          • Instruction Fuzzy Hash: 1511E335600745ABCB20DF16C080A9BBBE9EF85754F15C02BE96DCB3A0D775E881CB94
          APIs
          • __EH_prolog.LIBCMT ref: 00413246
            • Part of subcall function 0041363A: __EH_prolog.LIBCMT ref: 0041363F
            • Part of subcall function 0041363A: lstrcpyA.KERNEL32(?,?,00000452,?,0000044F,?,?,?,00000000,00413262,?,00000000), ref: 004136E7
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$lstrcpy
          • String ID:
          • API String ID: 2120869262-0
          • Opcode ID: b2a41d4c5f67825231ed33659eae49bf0ea5766d221396e8bdd91a9266840b8f
          • Instruction ID: 7d780d8b2cb5fc2d4a21a511adf2f4b24771b91408c4ab5114a05c485b8b4177
          • Opcode Fuzzy Hash: b2a41d4c5f67825231ed33659eae49bf0ea5766d221396e8bdd91a9266840b8f
          • Instruction Fuzzy Hash: 5711E030E00205AACB24FFB2D9526EEB7649F10359F1041AFE513A62D1EB7C5F81868C
          APIs
          • ReadFile.KERNELBASE(?,00000000,00000138,00000000,00000000,00000000), ref: 00415297
            • Part of subcall function 0041556E: SetFilePointer.KERNELBASE(00415081,00415081,00415081,00415081,00000080,6CCE74B0,00415081,00000000,?,00000000,00000000,?,00415011,?,00000000,?), ref: 00415582
            • Part of subcall function 0041556E: GetLastError.KERNEL32(?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 0041558A
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$ErrorLastPointerRead
          • String ID:
          • API String ID: 64821003-0
          • Opcode ID: e6ec88394f420ceca5615dc9716fdbdc6a783564f6f630ab424734c286454a48
          • Instruction ID: eb0a03d3fad6f205c4eff738c927393e6125b17a61ea02d86a8be89270bf661e
          • Opcode Fuzzy Hash: e6ec88394f420ceca5615dc9716fdbdc6a783564f6f630ab424734c286454a48
          • Instruction Fuzzy Hash: CB017572300504FBEB109B55CC85FEFBB6EEF91755F240066B90595191D7B89DC0CAA8
          APIs
          • CreateFileA.KERNELBASE(00000000,00000000,?,00000000,00000000,00000001,00000000,?,?,?,?,00407417,00000000,00000000,?,00000000), ref: 00406E73
            • Part of subcall function 00406DFD: SetFilePointer.KERNEL32(00000000,00000000,00000000,00406E91,00000000,00406E91,00000000,00000000,00000002,?,?,?,?,00407417,00000000,00000000), ref: 00406E0C
            • Part of subcall function 00406DFD: GetLastError.KERNEL32(00000000,?,?,?,?,00407417,00000000,00000000), ref: 00406E1B
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$CreateErrorLastPointer
          • String ID:
          • API String ID: 2723331319-0
          • Opcode ID: 10b762276bc517ab09f568a41be1f6f5f05ba3f454ba3fdfdfdd0a4635708a86
          • Instruction ID: 88b85964b55504d933f6bbbee43cc60fb1f5457948f290c317cf968e68f95631
          • Opcode Fuzzy Hash: 10b762276bc517ab09f568a41be1f6f5f05ba3f454ba3fdfdfdd0a4635708a86
          • Instruction Fuzzy Hash: 8D015676D00128BACF129F95CC04CDFBFBDEF88260F0081A6F915A2290D6349B14DBE0
          APIs
          • __EH_prolog.LIBCMT ref: 00402E3C
            • Part of subcall function 004038EE: __EH_prolog.LIBCMT ref: 004038F3
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: 52ffc953a355710e3834317888a428355d96f0287b32872f1fc9133aee83dcd1
          • Instruction ID: 4c4f454f5d0ab14a8fa1cb54182d17878f321dc935385dfbcd267ea6f2eab8c3
          • Opcode Fuzzy Hash: 52ffc953a355710e3834317888a428355d96f0287b32872f1fc9133aee83dcd1
          • Instruction Fuzzy Hash: 0C01927280118CAACB05EFE9C611BDDBBB85F15308F1040AEE451B32C2DB785F09CB69
          APIs
            • Part of subcall function 00415987: __EH_prolog.LIBCMT ref: 0041598C
            • Part of subcall function 00415987: lstrlenA.KERNEL32(?,?,?,00432C20,?,0000012C,?,?), ref: 004159E4
          • SendDlgItemMessageA.USER32(?,?,0000000C,00000000,00000000), ref: 0041696D
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologItemMessageSendlstrlen
          • String ID:
          • API String ID: 326290046-0
          • Opcode ID: 0a0cff3e2d029bf80a498a57be839decf22b623c7f9c220629357df0c7081d9c
          • Instruction ID: aff797f8e19171a704e40412d8dd8f646ba83131809e1cc26a0064c71d42613b
          • Opcode Fuzzy Hash: 0a0cff3e2d029bf80a498a57be839decf22b623c7f9c220629357df0c7081d9c
          • Instruction Fuzzy Hash: 9AF0B4B250020DBFEF219F50DC42FCA7B68EB14314F1000A6FB44A50D1E6F19AE48E44
          APIs
            • Part of subcall function 004082D0: RegisterClassA.USER32(00000000), ref: 004082F7
          • CreateDialogParamA.USER32(000003E8,000003E9,00000000,00409E5F,?), ref: 00409B7B
            • Part of subcall function 00409C0A: GetWindowRect.USER32(?,?), ref: 00409C23
            • Part of subcall function 00409C0A: GetWindowRect.USER32(00000000,?), ref: 00409C2C
            • Part of subcall function 00409C0A: GetSystemMetrics.USER32(00000001), ref: 00409C36
            • Part of subcall function 00409C0A: GetSystemMetrics.USER32(00000000), ref: 00409C3A
            • Part of subcall function 00409C0A: SetRect.USER32(?,00000000,00000000,00000000), ref: 00409C43
            • Part of subcall function 00409C0A: FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 00409C7A
            • Part of subcall function 00409C0A: IsWindow.USER32(00000000), ref: 00409C83
            • Part of subcall function 00409C0A: GetWindowRect.USER32(00000000,?), ref: 00409C99
            • Part of subcall function 00409C0A: IntersectRect.USER32(?,?,?), ref: 00409CA7
            • Part of subcall function 00409C0A: SubtractRect.USER32(?,?,?), ref: 00409CC3
            • Part of subcall function 00409C0A: SetWindowPos.USER32(00000000,?,000003E8,0000001E,00000000,00000000,00000005,0000001E,?,00000000), ref: 00409D03
          Similarity
          • API ID: RectWindow$MetricsSystem$ClassCreateDialogFindIntersectParamRegisterSubtract
          • String ID:
          • API String ID: 1980248331-0
          • Opcode ID: ceb0921d0f904edb90ef4eec65e65522cd866acc48ce9e6b4504213c7ac91f9e
          • Instruction ID: 9b1752947d2264d616634cb8f5bab14c96ec692b2fd0e1b5a75d19e6f904eee5
          • Opcode Fuzzy Hash: ceb0921d0f904edb90ef4eec65e65522cd866acc48ce9e6b4504213c7ac91f9e
          • Instruction Fuzzy Hash: C1F01731104749AFDB10DF25F844BAB77E8BB84721F04543EF414A51E2D7B8AE90CBA8
          APIs
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • SendDlgItemMessageA.USER32(00000658,000003E4,0000000C,00000000,00000000), ref: 004169BE
          Similarity
          • API ID: ItemLoadMessageSendStringwsprintf
          • String ID:
          • API String ID: 382885213-0
          • Opcode ID: 1613d52a98b5ccfc0e4e754aa5a9e25567500957e9f6cb0cdabd388a95e6ca9b
          • Instruction ID: 19178cc856e1733074c75589476b20dc235cc914e4c2104ef110d66d65445f8c
          • Opcode Fuzzy Hash: 1613d52a98b5ccfc0e4e754aa5a9e25567500957e9f6cb0cdabd388a95e6ca9b
          • Instruction Fuzzy Hash: 3FF092F2A00218BBEF209F54DD46FCA7B78FB54710F0000B1FB44A50D0D6F09A98CA85
          APIs
          • GetFileAttributesA.KERNELBASE(?,00402BE3,?,004023E4,000000FF,?,?,?,00000000), ref: 00403421
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: 5a350d2d97f97a795925eabe79d04bf87846ef66ab5885e9f716995b59afafdb
          • Instruction ID: a3852174fbbff5a70eaa44c341c9e38cb2fb26c7aed6c42a7acbb0aa418fc908
          • Opcode Fuzzy Hash: 5a350d2d97f97a795925eabe79d04bf87846ef66ab5885e9f716995b59afafdb
          • Instruction Fuzzy Hash: 6AD0127030214057DF214E3969497933B4C5B5032EFE04AB6F454FE2D6D738ED435118
          APIs
          • GetFileAttributesA.KERNELBASE(?,00416290,00404BCA,00000000,00404BCA,?), ref: 00416215
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: a6cfdcb65165f38c812fa3194c5d9bfe65eeb96744056a40dbcfa6b800ce15d5
          • Instruction ID: fc0900129b6bd03d47e10af88d5c714dabe811430947736017e93d866c97f884
          • Opcode Fuzzy Hash: a6cfdcb65165f38c812fa3194c5d9bfe65eeb96744056a40dbcfa6b800ce15d5
          • Instruction Fuzzy Hash: 1EC08C30600102AAD62022246D096A63B01AB903B5F614FAEF069C00F8C334DCD36028
          APIs
          • GetFileAttributesA.KERNELBASE(?,00404BE9,?,?), ref: 00416232
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: c3b702f190f517ddcf16f934c2a8d624054c388fa3a7870f69ef745dd1ff0602
          • Instruction ID: 299d2968d36e63d7d93abc59762134736636c319828b32a458cd14832be64e8e
          • Opcode Fuzzy Hash: c3b702f190f517ddcf16f934c2a8d624054c388fa3a7870f69ef745dd1ff0602
          • Instruction Fuzzy Hash: DEC08C30110110EAD2302628CE896D632025B50360FA24FA2FC65C00F0C378DCD3A028
          APIs
          • FreeLibrary.KERNELBASE(6E350000,0040C141,00000000,?,00000000,00000000,C:\Users\user\AppData\Local\Temp\_is8C78,00000001,000008AC,000008AC,?,00000000,?,?,000000AC,?), ref: 004073F4
          Similarity
          • API ID: FreeLibrary
          • String ID:
          • API String ID: 3664257935-0
          • Opcode ID: d80aaa5703bf49191eacde441beffdf5ee903df37fc129984b10bcd2ece341f0
          • Instruction ID: a109309ac5164ceb2c2a4cb9bfe7fda01abdf202f25ec726f75b8935a8174783
          • Opcode Fuzzy Hash: d80aaa5703bf49191eacde441beffdf5ee903df37fc129984b10bcd2ece341f0
          • Instruction Fuzzy Hash: 6DB09230B0410257EE109F31AC89A063768B61038230844356806E6295EE38E901EA19
          APIs
          • SetWindowTextA.USER32(?,00000000), ref: 00413CAB
          Similarity
          • API ID: TextWindow
          • String ID:
          • API String ID: 530164218-0
          • Opcode ID: 631fa8844ba3489576a4ad331e2161fc3face5f1be2244331db655ac7f9c8a79
          • Instruction ID: 5473d401d94031b14efefa647a86ff929977070b61e4411dfda46e4a942f6c0b
          • Opcode Fuzzy Hash: 631fa8844ba3489576a4ad331e2161fc3face5f1be2244331db655ac7f9c8a79
          • Instruction Fuzzy Hash: 69B01132000000BBCE028B00CE0C80ABBAAABA8300F00C03AA20808232C2330823EB08
          APIs
          • lstrcmpiA.KERNEL32(?,00414E4F), ref: 00414F15
          Similarity
          • API ID: lstrcmpi
          • String ID:
          • API String ID: 1586166983-0
          • Opcode ID: aba6af889e049dfc8c57ca33b50b66fce6f8dacb90b484e68477cd9f01e40ec9
          • Instruction ID: acad8d70cd014d5324f948ce8f0fb8a00b3dff5cce9e5d9f5f9a0acabfa2adac
          • Opcode Fuzzy Hash: aba6af889e049dfc8c57ca33b50b66fce6f8dacb90b484e68477cd9f01e40ec9
          • Instruction Fuzzy Hash: 02B092312A50049ACB112B30ED098D03A2AA712206BE006B0A102C40B1C6230417AB04
          APIs
          • LoadLibraryA.KERNEL32(wininet.dll,00000000,0040629D,?,00000000,?,004064C5,?,00000000,00000000,00000006,ftp://,00000000), ref: 00417267
          • GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 00417287
          • GetProcAddress.KERNEL32(InternetOpenUrlA), ref: 00417299
          • GetProcAddress.KERNEL32(InternetConnectA), ref: 004172AB
          • GetProcAddress.KERNEL32(InternetCrackUrlA), ref: 004172BD
          • GetProcAddress.KERNEL32(InternetCreateUrlA), ref: 004172CF
          • GetProcAddress.KERNEL32(InternetCloseHandle), ref: 004172E1
          • GetProcAddress.KERNEL32(InternetReadFile), ref: 004172F3
          • GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417305
          • GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 00417317
          • GetProcAddress.KERNEL32(InternetGetLastResponseInfoA), ref: 00417329
          • GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041733B
          • GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 0041734D
          • GetProcAddress.KERNEL32(InternetAutodial), ref: 0041735F
          • GetProcAddress.KERNEL32(InternetErrorDlg), ref: 00417371
          • GetProcAddress.KERNEL32(HttpOpenRequestA), ref: 00417383
          • GetProcAddress.KERNEL32(HttpSendRequestA), ref: 00417395
          • GetProcAddress.KERNEL32(HttpSendRequestExA), ref: 004173A7
          • GetProcAddress.KERNEL32(HttpEndRequestA), ref: 004173B9
          • GetProcAddress.KERNEL32(InternetQueryOptionA), ref: 004173CB
          • GetProcAddress.KERNEL32(InternetQueryDataAvailable), ref: 004173DD
          • GetProcAddress.KERNEL32(InternetCanonicalizeUrlA), ref: 004173EF
          • GetProcAddress.KERNEL32(InternetGetCookieA), ref: 00417401
          • GetProcAddress.KERNEL32(InternetSetCookieA), ref: 00417413
          • GetProcAddress.KERNEL32(InternetSetStatusCallbackA), ref: 00417425
          • GetProcAddress.KERNEL32(InternetSetStatusCallback), ref: 0041743B
          Similarity
          • API ID: AddressProc$LibraryLoad
          • String ID: FtpFindFirstFileA$HttpEndRequestA$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestExA$InternetAutodial$InternetCanonicalizeUrlA$InternetCloseHandle$InternetConnectA$InternetCrackUrlA$InternetCreateUrlA$InternetErrorDlg$InternetGetConnectedState$InternetGetCookieA$InternetGetLastResponseInfoA$InternetOpenA$InternetOpenUrlA$InternetQueryDataAvailable$InternetQueryOptionA$InternetReadFile$InternetSetCookieA$InternetSetOptionA$InternetSetStatusCallback$InternetSetStatusCallbackA$wininet.dll
          • API String ID: 2238633743-3702687842
          • Opcode ID: 3aa13912228e81074370091126e5c7fe62950fc3b3dcb59971a7efc834055142
          • Instruction ID: 9155b0c4d7da7b6fe1024d283f420cf692e7438dd8f61010cb36c6a8c872fc79
          • Opcode Fuzzy Hash: 3aa13912228e81074370091126e5c7fe62950fc3b3dcb59971a7efc834055142
          • Instruction Fuzzy Hash: B4419770A41B28AEDB125F73FE869AA3F71E7007583E07837A4049A170DE794859DF8C
          APIs
          • CoCreateInstance.OLE32(00000000,00000000,00000004,00000000,00000000,00000104,00003214,00000000), ref: 004084AD
          • wsprintfA.USER32 ref: 004084CD
          • StringFromCLSID.OLE32(00000000,00000000,00000104,00003214,00000000), ref: 004084EA
          • SysAllocString.OLEAUT32(00000000), ref: 004084F3
          • CoTaskMemFree.OLE32(00000000), ref: 004084FF
          • lstrlenW.KERNEL32(00000000), ref: 00408517
            • Part of subcall function 0040882D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000002,74DEE0B0,00000000,00000000,74DEE0B0,00408536,?,00000000,00000002,00000000), ref: 00408848
          • wsprintfA.USER32 ref: 00408543
          • RegOpenKeyExA.ADVAPI32(80000000,?,00000000,00020019,00000000,?,?,00000000), ref: 0040856E
          • RegOpenKeyExA.ADVAPI32(00000000,LocalServer32,00000000,00020019,00000000,?,?,00000000), ref: 004085AE
          • RegQueryValueExA.ADVAPI32(00000000,00432C20,00000000,00000000,?,00000104,?,?,00000000), ref: 00408606
          • CoCreateGuid.OLE32(?,?,?,00000000), ref: 00408610
          • lstrcatA.KERNEL32(?, /ForceROT,?,?,00000000), ref: 00408622
          • StringFromCLSID.OLE32(?,PB,?,?,00000000), ref: 00408630
          • SysAllocString.OLEAUT32(PB), ref: 00408639
          • CoTaskMemFree.OLE32(?,?,?,00000000), ref: 00408645
          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00408657
          • lstrcatA.KERNEL32(?,00000000,?,?,00000002,00000000,?,?,00000000), ref: 0040867E
          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,?,00000002,00000000), ref: 004086AB
          • SysFreeString.OLEAUT32(?), ref: 004086B8
          • lstrlenW.KERNEL32(?,?,?,00000002,00000000,?,?,00000000), ref: 004086E9
          • wsprintfA.USER32 ref: 00408715
          • WaitForInputIdle.USER32(?,00004E20), ref: 00408733
          • CloseHandle.KERNEL32(?,?,?,00000002,00000000,?,?,00000000), ref: 00408742
          • CloseHandle.KERNEL32(?,?,?,00000002,00000000,?,?,00000000), ref: 00408747
          • Sleep.KERNEL32(000000C8,?,?,00000002,00000000,?,?,00000000), ref: 00408762
          • CreateItemMoniker.OLE32(0042E3A8,?,?), ref: 00408777
          • GetRunningObjectTable.OLE32(00000000,?), ref: 0040878B
          • SysFreeString.OLEAUT32(?), ref: 004087ED
          • RegCloseKey.ADVAPI32(?,?,?,00000002,00000000,?,?,00000000), ref: 00408801
          • RegCloseKey.ADVAPI32(?,?,?,00000002,00000000,?,?,00000000), ref: 0040880E
          • SysFreeString.OLEAUT32(00000000), ref: 00408818
          Similarity
          • API ID: String$Free$CloseCreate$lstrlenwsprintf$AllocFromHandleOpenTasklstrcat$ByteCharGuidIdleInputInstanceItemMonikerMultiObjectProcessQueryRunningSleepTableValueWaitWide
          • String ID: /ForceROT$CLSID\%s$CoCreateInstance failed with error 0x%lx, try a second approach.$Forcing item moniker %s into ROT...$LocalServer32$PB
          • API String ID: 3461069662-2679311893
          • Opcode ID: ccfb95c962d4405aa7879e2c1556281b21caf4f2f65003f21928cfd825e4c87f
          • Instruction ID: 1439a9157a52c9429986603f6cf94a3a28018cb3faa801d7b4bad715c8d7f9c3
          • Opcode Fuzzy Hash: ccfb95c962d4405aa7879e2c1556281b21caf4f2f65003f21928cfd825e4c87f
          • Instruction Fuzzy Hash: 83C12872A00219AFCF10EFA0DD849DE7B79EB44344F50847AF905A72A0DB359E55CFA8
          Similarity
          • API ID:
          • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
          • API String ID: 0-1157002505
          • Opcode ID: c820c2c7a38d40371a7fbb7008562ade0d6fda94c5d024e5403ec477f82e834f
          • Instruction ID: 1a06dcf7fefe9453a01b588398b0c32cf5f2b3ab9cb997aca7704c39749d4a42
          • Opcode Fuzzy Hash: c820c2c7a38d40371a7fbb7008562ade0d6fda94c5d024e5403ec477f82e834f
          • Instruction Fuzzy Hash: 73E11130F41238DEEB248F58F4157FABBB1AB40308FAA406BD440A7281D77D8992CB5D
          APIs
          • GetCurrentThread.KERNEL32 ref: 00416673
          • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 0041667A
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 0041668A
          • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 00416699
          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 004166A0
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 004166A6
          • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,0040D6E6,?,?,?,?,?,?,?,?,?,0040D6E6), ref: 004166C2
          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 004166C8
          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,0040D6E6,0040D6E6,?,?,?,?,?,?,?,?,?,0040D6E6), ref: 004166ED
          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0041670A
          • EqualSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 0041673B
          • FreeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0040D6E6,?,?,00000000,00000000), ref: 0041675A
          Similarity
          • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
          • String ID:
          • API String ID: 884311744-0
          • Opcode ID: f790baaf48331e6d9635694423fe6fc73106a54ccaca46c19d434970a5474af5
          • Instruction ID: 65c3bf80c05af08abe5a74e9180fb3c8093158de301264ee6f49f378e3a0464b
          • Opcode Fuzzy Hash: f790baaf48331e6d9635694423fe6fc73106a54ccaca46c19d434970a5474af5
          • Instruction Fuzzy Hash: 97318372E0114DAFEB119BA49C84AEFBBBDEF04344F51006AE510E2291D6349E85DB69
          APIs
          • __EH_prolog.LIBCMT ref: 0040779C
          • MultiByteToWideChar.KERNEL32(00000001,00000000,00000001,000000FF,00000000,00000000,6CCE6DE0,0042E2B8,00000000), ref: 004077C8
          • MultiByteToWideChar.KERNEL32(00000001,00000000,00000001,000000FF,00000000,00000000), ref: 004077E4
          • StgIsStorageFile.OLE32(?,?), ref: 004077FD
          • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 0040781A
            • Part of subcall function 0041D153: RaiseException.KERNEL32(0041B642,00000000,?,00429EFC,?,invalid string position,0041B642,00000000,0042C388,?,invalid string position), ref: 0041D181
          • LoadLibraryA.KERNEL32(crypt32.dll,?,?,?,?,?,?,?), ref: 00407E4B
          • GetProcAddress.KERNEL32(00000000,CertCompareCertificate), ref: 00407E5B
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ByteCharMultiStorageWide$AddressExceptionFileH_prologLibraryLoadOpenProcRaise
          • String ID: CertCompareCertificate$crypt32.dll
          • API String ID: 23035369-3596784711
          • Opcode ID: b9ecb7509d0155a94c04ee3f968b06c1f1358c457427b1115b35891a8ce6abef
          • Instruction ID: b2d5a0e12f1d97c7845727619afa43dd0235f3e1ea2b800abcbc78d019efbb36
          • Opcode Fuzzy Hash: b9ecb7509d0155a94c04ee3f968b06c1f1358c457427b1115b35891a8ce6abef
          • Instruction Fuzzy Hash: 406271B1D04249AFDB10DBA5CC84FAFBBB9AF45304F24846EF105B6291C778AD85CB64
          APIs
          • SearchPathA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,6CCE6DE0,74DF2F30), ref: 0041746F
          • GetModuleFileNameA.KERNEL32(?,00000104), ref: 0041748F
          • FindFirstFileA.KERNEL32(?,?), ref: 004174AB
          • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 004174E3
          • VirtualProtect.KERNEL32(00000000,00000001,00000004,004064C5), ref: 00417535
          • VirtualProtect.KERNEL32(00000000,00000001,004064C5,004064C5), ref: 00417548
          • FindClose.KERNEL32(00000000), ref: 0041756B
          • FindClose.KERNEL32(00000000), ref: 0041757B
          Similarity
          • API ID: FindVirtual$CloseFileProtect$FirstModuleNamePathQuerySearch
          • String ID: RPAWINET.DLL
          • API String ID: 1763775632-274221676
          • Opcode ID: 61aa059eff800c82dd1b49b66d2b31faa2d98984bdb34f06e78495d63a904cdc
          • Instruction ID: 568dc90692af70f7a1d49d536ed697cb4d1943b4dfc9e2eeecca9304ce2ee05b
          • Opcode Fuzzy Hash: 61aa059eff800c82dd1b49b66d2b31faa2d98984bdb34f06e78495d63a904cdc
          • Instruction Fuzzy Hash: DC314D71E00219BFEB21DBA4CC85FEFB7BDAB05344F504466E514B6180E774AE858BA8
          APIs
            • Part of subcall function 00416620: GetVersionExA.KERNEL32(?), ref: 0041663A
          • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,004132E4), ref: 00416588
          • OpenProcessToken.ADVAPI32(00000000,00000028,2A,?,?,?,?,?,?,004132E4), ref: 00416595
          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004165AC
          • AdjustTokenPrivileges.ADVAPI32(2A,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,004132E4), ref: 004165D7
          • ExitWindowsEx.USER32(00000002,0000FFFF), ref: 004165E5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueVersionWindows
          • String ID: SeShutdownPrivilege$2A
          • API String ID: 337752880-210800940
          • Opcode ID: f4668809aeac5786230f88bee20d9f1456514f2fb1832ebab24289f90c618a3b
          • Instruction ID: 48bbf91556d83321c23cfa47b76f02355d5ed91f8818038ca75ffe723c23c37e
          • Opcode Fuzzy Hash: f4668809aeac5786230f88bee20d9f1456514f2fb1832ebab24289f90c618a3b
          • Instruction Fuzzy Hash: 58012175E0112ABBDB109FA5DC0DAEFBFBCEF09354F404065B505E2280DB749A05CBA4
          APIs
          • GetLocaleInfoA.KERNEL32(7hA,00001004,?,00000014,?,?,?,?,?,?,?,?,?,?,?,00416837), ref: 0041679B
          • TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004167B6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Info$CharsetLocaleTranslate
          • String ID: 7hA
          • API String ID: 641124110-1922742958
          • Opcode ID: 26527bdc7bf036bdd4a435088ed278106481846e26204147d1fd5971f3e7f0cb
          • Instruction ID: c8f621347b638680e10a731d7b61f38026c641bc38866c7755684f5099ba1e65
          • Opcode Fuzzy Hash: 26527bdc7bf036bdd4a435088ed278106481846e26204147d1fd5971f3e7f0cb
          • Instruction Fuzzy Hash: C6F0963060020A9ADB20EB64ED459EB33BC9714744F90013AF620D62D0E774ED49CB18
          APIs
          • SetUnhandledExceptionFilter.KERNEL32(Function_00021BF4), ref: 00421C3F
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          • Opcode ID: 82deddd50fd4207538ac50f967b697d550d1f45f82d073e74b7631d034dd2997
          • Instruction ID: 9d787ac4c9ece1503031dd2d17f0cd1e462cf76522ee12d894ef7044c52b314f
          • Opcode Fuzzy Hash: 82deddd50fd4207538ac50f967b697d550d1f45f82d073e74b7631d034dd2997
          • Instruction Fuzzy Hash: 0FA001B46416128AA6205B62A84D5A83A70A654612BD491A6A40281274EBA454929F59
          APIs
          • SetUnhandledExceptionFilter.KERNEL32 ref: 00421C51
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          • Opcode ID: 0a8179524d03c8515046822fb430a18e2a9d9d2d1633a7ed81c94f3788e8c849
          • Instruction ID: 64cf5a08e056e3534a9669978171d4b5055e031174d039144e9115e0b54a865c
          • Opcode Fuzzy Hash: 0a8179524d03c8515046822fb430a18e2a9d9d2d1633a7ed81c94f3788e8c849
          • Instruction Fuzzy Hash:
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
          • Instruction ID: 51e8f614f0686a00b9b78a20dca7ac914a066c202ded6632788cd6cced91b7f8
          • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
          • Instruction Fuzzy Hash: 72B1AE35A0021ADFDB15CF04D5D0AA9BBA1FF69318F64C1AED80A5B352C735EE42CB94
          APIs
          • RegOpenKeyA.ADVAPI32(80000002,?,00417A0F), ref: 00418215
          • lstrlenA.KERNEL32(?,?,00000000), ref: 00418234
          • lstrlenA.KERNEL32(?,?,?,00000000), ref: 00418253
          • RegQueryValueExA.ADVAPI32(?,CurrentUser,00000000,00000000,?,?,00000000), ref: 0041826D
          • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00418283
          • RegQueryValueExA.ADVAPI32(?,DirRoot,00000000,00000000,?,?,?,00000000), ref: 004182A5
            • Part of subcall function 00409A9C: RegCloseKey.ADVAPI32(00000000,74DE83C0,00418735,?,?,?,?,?,00000000), ref: 00409AA6
          • GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,00000000), ref: 00418301
          • lstrcatA.KERNEL32(?,\nsreg.dat,?,00000000), ref: 00418319
          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000), ref: 00418332
          • CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00418349
          • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000,?,00000000), ref: 0041835E
          • RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Netscape\Netscape Navigator\biff,00417A0F), ref: 00418379
          • UnmapViewOfFile.KERNEL32(?,?,00000000), ref: 0041838B
          • CloseHandle.KERNEL32(?,?,00000000), ref: 0041839F
          • CloseHandle.KERNEL32(000000FF,?,00000000), ref: 004183AE
          • RegCloseKey.ADVAPI32(00417A0F,?,00000000), ref: 004184B3
          • RegCloseKey.ADVAPI32(00417A0F,?,?,?,?,?,00000000), ref: 00418502
          • lstrcatA.KERNEL32(?,\prefs.js,?,?,?,?,?,00000000), ref: 00418514
          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000), ref: 00418531
          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,00000000), ref: 00418540
          • ReadFile.KERNEL32(00000000,00000000,00417A0F,00000064,00000000,?,?,?,?,?,00000000), ref: 00418560
          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00418572
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$Close$CreateHandleOpen$QueryValueViewlstrcatlstrlen$DirectoryMappingReadSizeUnmapWindows
          • String ID: %20$CurrentUser$DirRoot$ProfileLocation$ProfileManager$SOFTWARE\Netscape\Netscape Navigator\Users\$SOFTWARE\Netscape\Netscape Navigator\biff$\nsreg.dat$\prefs.js$d
          • API String ID: 2967564050-4254169305
          • Opcode ID: a9cb4f6e99f33aad7bec608740a09d9c98fcd4bda6c1f87ab1885a365af2806f
          • Instruction ID: cf382dd0b93036f111b192c23d2d42d91fd43dc874e0323847e365be2cdfdee9
          • Opcode Fuzzy Hash: a9cb4f6e99f33aad7bec608740a09d9c98fcd4bda6c1f87ab1885a365af2806f
          • Instruction Fuzzy Hash: 77C14BB1E00119FFDF219BA0DC84AEFBB78EB04304F6445BAE515A2190EB355E85CF68
          APIs
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrcpyA.KERNEL32(?,00000000,DotNetCoreSetupUILang,1033,00000000,00000010,dotnetfx.exe,dotnetfx.exe,?,00000000,?,00000001,00000000,00000000,00000000), ref: 0040B715
          • lstrcatA.KERNEL32(?,dotnetfx.exe), ref: 0040B723
          • lstrlenA.KERNEL32(?,?,?), ref: 0040B75E
          • lstrcatA.KERNEL32(?, /q:a /c:"install /q",dotnetfx.exe,dotnetfx.exe,?,00000000,?,00000001,00000000,00000000,00000000), ref: 0040B7CD
          • wsprintfA.USER32 ref: 0040B7EE
          • lstrcatA.KERNEL32(?,?), ref: 0040B802
          • lstrcatA.KERNEL32(?, /q:a,dotnetfx.exe,dotnetfx.exe,?,00000000,?,00000001,00000000,00000000,00000000), ref: 0040B82C
            • Part of subcall function 0040B192: lstrlenA.KERNEL32(00000000,00000000,00432C20,00000000,00000104,00000208,00432C20,00000000), ref: 0040B1F2
            • Part of subcall function 0040B192: lstrlenA.KERNEL32(00000000), ref: 0040B1FC
            • Part of subcall function 0040B192: lstrlenA.KERNEL32(00000001), ref: 0040B211
            • Part of subcall function 0040B192: lstrlenA.KERNEL32(00000000), ref: 0040B218
            • Part of subcall function 0040B192: lstrlenA.KERNEL32(?), ref: 0040B21F
            • Part of subcall function 0040B192: lstrcatA.KERNEL32(00000000,0042E804), ref: 0040B24C
            • Part of subcall function 0040B192: lstrcatA.KERNEL32(00000000,00000001), ref: 0040B252
            • Part of subcall function 0040B192: lstrcatA.KERNEL32(00000000,?), ref: 0040B25D
            • Part of subcall function 0040B192: lstrcatA.KERNEL32(00000000,00000000), ref: 0040B267
            • Part of subcall function 0040B192: lstrcatA.KERNEL32(00000000,00000000), ref: 0040B272
          • wsprintfA.USER32 ref: 0040B93B
          • GetDlgItem.USER32(?,00000002), ref: 0040B966
          • EnableWindow.USER32(00000000,00000000), ref: 0040B976
          • EnableWindow.USER32(00000000,00000001), ref: 0040B992
            • Part of subcall function 0040B477: __EH_prolog.LIBCMT ref: 0040B47C
            • Part of subcall function 0040B477: lstrcpyA.KERNEL32(?,00000000,0000002C,?,00000000,?,00000001,?,dotnetfx.exe,00000000), ref: 0040B4F8
            • Part of subcall function 0040B477: lstrcatA.KERNEL32(?,langpack.exe), ref: 0040B50A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcat$lstrlen$EnableH_prologWindowlstrcpywsprintf$Item
          • String ID: ,C$ /c:"$ /coreui:$ /l%d$ /langcmd:"/c:\"$ /langs:$ /q:a$ /q:a /c:"install /q"$ /ver:$"/q:a /C:\"$/jscmd:$/jsharpver:$1033$DotNetCoreSetupUILang$DotNetFxCmd$DotNetLangPackCmd$DotNetLangPacks$DotNetVersion$J#CmdLine$J#Version$Microsoft(R) .NET Framework$\" /q:a" $\""$dotnetfx.exe$dotnetredist.exe$vjredist.exe
          • API String ID: 3261783531-811785889
          • Opcode ID: 349322e80cc775b58d76b89f22f2f52cb1027f5fb30ca36fa2fb623168209481
          • Instruction ID: b06e01f69895e26b7c002b6ae6c563b02316d22c97a58a46e06fa0e448a18d5f
          • Opcode Fuzzy Hash: 349322e80cc775b58d76b89f22f2f52cb1027f5fb30ca36fa2fb623168209481
          • Instruction Fuzzy Hash: 87A16D72A41258BBDB20DBA1DC45EDEBB78EB48340F5044BAF604B7190D7789B44CB98
          APIs
          • RegQueryValueA.ADVAPI32(80000000,.htm,?,00000000), ref: 00417AD9
          • lstrcatA.KERNEL32(?,\shell\open\command,?,00000000), ref: 00417AF3
          • RegQueryValueA.ADVAPI32(80000000,?,?,00000000), ref: 00417B0F
          • lstrlenA.KERNEL32(?,?,00000000), ref: 00417B24
          • CharLowerBuffA.USER32(?,00000000,?,00000000), ref: 00417B32
          • lstrcpynA.KERNEL32(?,00000022,-0000000D,?,00000000), ref: 00417B72
          • lstrcpynA.KERNEL32(?,00000022,-0000000C,?,00000000), ref: 00417BF1
          • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000), ref: 00417C11
          • lstrcatA.KERNEL32(?,\mozver.dat,?,00000000), ref: 00417C23
          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000), ref: 00417C3E
          • CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00417C57
          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 00417C6C
          • GetFileSize.KERNEL32(000000FF,00000000,?,00000000), ref: 00417C7D
          • lstrcpyA.KERNEL32(00000000,-00000008,?,?,?,?,?,?,?,?,00000000), ref: 00417CF0
          • lstrcpyA.KERNEL32(00000000,-00000005,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00417D35
          • lstrcatA.KERNEL32(00000000,netscp6.exe,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00417D47
          • GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00417D90
          • GetShortPathNameA.KERNEL32(00000000,00000000,00000104), ref: 00417DA1
          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00417DB1
          • UnmapViewOfFile.KERNEL32(00000000,?,?,00000000), ref: 00417E3C
          • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00417E51
          • CloseHandle.KERNEL32(000000FF,?,?,00000000), ref: 00417E5C
          • lstrcpynA.KERNEL32(?,00000022,-0000000D,?,00000000), ref: 00417EA3
          • wsprintfA.USER32 ref: 00417EEC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$lstrcatlstrcpyn$CloseCreateHandleNamePathQueryShortValueViewlstrcpy$BuffCharDirectoryLowerMappingSizeUnmapWindowslstrcmpilstrlenwsprintf
          • String ID: "$%d.%d.%d.%d$.htm$Browser$PackageName$Path$Version$\mozver.dat$\shell\open\command$iexplore.exe$netscape.exe$netscp6.exe
          • API String ID: 3971218484-2975499952
          • Opcode ID: 39788a35fc09c779b72ed6947492b39233eb6d1fb8c23a99424d844b4786c0ee
          • Instruction ID: 699b174557378d210ba38a83fbabc3d51f028fa1c6a64687e9cc4ef729f86b18
          • Opcode Fuzzy Hash: 39788a35fc09c779b72ed6947492b39233eb6d1fb8c23a99424d844b4786c0ee
          • Instruction Fuzzy Hash: 81D1B37190421DABDF21DBA0DC48BEFBBB9EF44700F5044AAE105E7190DB389E89CB58
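The records above are raw API traces, so a reviewer who wants to triage a report like this one at scale needs to parse the bullet lines rather than read them. The following is an added example, not code from Joe Sandbox or from the analysed sample: it parses API bullets in the exact shape they take in this report (`• Api.MODULE(args), ref: addr`, the `Part of subcall function` variant, and the argument-less `wsprintfA.USER32 ref:` form), then flags the two behaviours that matter in the records above, the privilege-backed `ExitWindowsEx` chain and the `HKCR` file-association lookups that drive the "Sets file extension default program settings" signature, and also a `CurrentVersion\Run` touch such as the `ISSetup` cleanup listed elsewhere in this report. The hive-handle values (`80000000` to `80000002`) and the `ExitWindowsEx` flag bits are the documented Win32 constants; the rest of the heuristics, and the sample input (bullets copied from the shutdown, Netscape and default-browser records above), are this example's own assumptions.

```python
"""Triage helper for the per-function API listings in a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One API bullet as it appears in the report text; three shapes occur:
#   • OpenProcessToken.ADVAPI32(00000000,00000028,2A,?), ref: 00416595
#   • Part of subcall function 00416620: GetVersionExA.KERNEL32(?), ref: 0041663A
#   • wsprintfA.USER32 ref: 0040B7EE            (no argument list at all)
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Predefined hive handles as they show up in the argument/stack values.
_HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM"}
# ExitWindowsEx flag bits (Win32); a value of zero means EWX_LOGOFF.
_EWX = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
        0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                   # call-site address printed after 'ref:'
    subcall_of: Optional[str]  # callee address when the report marks the call as indirect


@dataclass
class Finding:
    kind: str
    ref: str
    detail: str


def parse_api_lines(text: str) -> list[ApiCall]:
    """Parse every API bullet in text; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m["api"], m["mod"].upper(), args, m["ref"].upper(), m["sub"]))
    return calls


def decode_ewx(flags_hex: str) -> list[str]:
    value = int(flags_hex, 16)
    return [name for bit, name in _EWX.items() if value & bit] or ["EWX_LOGOFF"]


def find_shutdown_sequence(calls: list[ApiCall]) -> Optional[dict]:
    """OpenProcessToken -> LookupPrivilegeValueA(SeShutdownPrivilege) ->
    AdjustTokenPrivileges -> ExitWindowsEx, in call-site order, direct calls only."""
    chain = ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"]
    direct = sorted((c for c in calls if c.subcall_of is None), key=lambda c: int(c.ref, 16))
    hits: list[ApiCall] = []
    for name in chain:
        floor = int(hits[-1].ref, 16) if hits else -1
        nxt = next((c for c in direct if c.api == name and int(c.ref, 16) > floor), None)
        if nxt is None:
            return None
        hits.append(nxt)
    if "SeShutdownPrivilege" not in hits[1].args:
        return None
    return {"ref": hits[0].ref, "exit_ref": hits[3].ref, "flags": decode_ewx(hits[3].args[0])}


def registry_findings(calls: list[ApiCall]) -> list[Finding]:
    """Classify registry calls. The hive is the first argument; when the report only
    shows '?', the trailing stack values often still carry the handle, so it is
    recovered from there and labelled as inferred (heuristic, not a hard fact)."""
    out = []
    for c in calls:
        if not c.api.startswith(("RegOpenKey", "RegQueryValue", "RegDeleteValue", "RegSetValue")):
            continue
        if len(c.args) < 2:
            continue
        hive = _HIVES.get(c.args[0].upper())
        inferred = hive is None
        if inferred:
            hive = next((_HIVES[a.upper()] for a in c.args[1:] if a.upper() in _HIVES), "?")
        name = c.args[1]                                   # subkey or value name
        path = next((a for a in c.args if "\\" in a), None)  # any key path on the stack
        kind = "registry"
        if path and path.lower().endswith(r"currentversion\run"):
            kind = "run-key"
        elif hive == "HKCR":
            kind = "file-association"
        detail = f"{c.api} {hive}{' (from stack context)' if inferred else ''} {name!r}"
        if path and path != name:
            detail += f" near {path!r}"
        out.append(Finding(kind, c.ref, detail))
    return out


def triage(text: str) -> list[Finding]:
    calls = parse_api_lines(text)
    findings = []
    seq = find_shutdown_sequence(calls)
    if seq:
        findings.append(Finding("reboot-with-privilege", seq["exit_ref"],
                                f"ExitWindowsEx({', '.join(seq['flags'])}) after enabling SeShutdownPrivilege"))
    findings.extend(registry_findings(calls))
    return findings


# Constructed input: bullets copied from the shutdown routine, the Netscape profile
# lookup and the default-browser lookup records of this report.
SAMPLE = r"""
  • Part of subcall function 00416620: GetVersionExA.KERNEL32(?), ref: 0041663A
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,004132E4), ref: 00416588
• OpenProcessToken.ADVAPI32(00000000,00000028,2A,?,?,?,?,?,?,004132E4), ref: 00416595
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004165AC
• AdjustTokenPrivileges.ADVAPI32(2A,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,004132E4), ref: 004165D7
• ExitWindowsEx.USER32(00000002,0000FFFF), ref: 004165E5
• RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Netscape\Netscape Navigator\biff,00417A0F), ref: 00418379
• RegQueryValueA.ADVAPI32(80000000,.htm,?,00000000), ref: 00417AD9
• lstrcatA.KERNEL32(?,\shell\open\command,?,00000000), ref: 00417AF3
• RegQueryValueA.ADVAPI32(80000000,?,?,00000000), ref: 00417B0F
• wsprintfA.USER32 ref: 0040B7EE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:22} {f.ref}  {f.detail}")
```

On the sample the reboot chain resolves to `ExitWindowsEx(EWX_REBOOT)` at 004165E5, and both `RegQueryValueA` calls against `80000000` are reported as file-association lookups (`.htm`, then the `\shell\open\command` path that `lstrcatA` builds just before). The hive recovery from stack context is a heuristic: it is right for the `RegDeleteValueA(?,ISSetup,80000002,...\Run,...)` record on this page, but a value that merely happens to look like a hive handle would be misread, so treat "(from stack context)" findings as leads to confirm in the disassembly.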
          APIs
          • __EH_prolog.LIBCMT ref: 00408C0A
          • lstrcmpiA.KERNEL32(?,auto), ref: 00408C37
          • CharNextA.USER32 ref: 00408CA6
          • CharNextA.USER32(?,00000001,00000001,00000000), ref: 00408CD1
          • CharNextA.USER32(?,0042E610,00000000), ref: 00408CE3
          • lstrcmpA.KERNEL32(00000000,%IS_E%), ref: 00408CF1
          • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\_is8C78,00000000), ref: 00408D02
          • CharNextA.USER32(C:\Users\user\AppData\Local\Temp\_is8C78), ref: 00408E1F
          • CharNextA.USER32(C:\Users\user\AppData\Local\Temp\_is8C78,00000000), ref: 00408E2F
          • lstrcpyA.KERNEL32(?,00000000), ref: 0040912D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CharNext$lstrcpy$H_prologlstrcmplstrcmpi
          • String ID: %IS_E%$/auto$/f1$/f2$C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$Software\Microsoft\Windows\CurrentVersion$auto
          • API String ID: 1952162310-766023143
          • Opcode ID: 165986d05e7c452218febe6eacd8ecac6a8d5a600d99a267303be8829716babe
          • Instruction ID: b6181f0a57100de697fd3b92fc7c4907f4ca768ae186d5da444762ffe60bca31
          • Opcode Fuzzy Hash: 165986d05e7c452218febe6eacd8ecac6a8d5a600d99a267303be8829716babe
          • Instruction Fuzzy Hash: 0E61BE71604218FBDB209F61DC84AEF7B68EB48714F50813BF919A61D1CB789D428FA9
          APIs
          • RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 004185DA
          • RegQueryValueExA.ADVAPI32(?,AppData,00000000,00000000,?,?,?,00000000), ref: 00418601
          • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000), ref: 00418613
          • lstrcatA.KERNEL32(?,\Mozilla\registry.dat,?,00000000), ref: 00418625
          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000), ref: 00418642
          • CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 00418663
          • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,00000000,?,00000000), ref: 00418683
          • GetFileSize.KERNEL32(000000FF,00000000,?,00000000), ref: 004186A5
          • lstrcpyA.KERNEL32(?,-0000000F,?,?,00000000), ref: 004186D6
          • lstrcpyA.KERNEL32(?,-0000000A,?,?,?,?,?,00000000), ref: 00418742
          • lstrcatA.KERNEL32(?,\prefs.js,?,?,?,?,?,00000000), ref: 00418750
          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,00000000), ref: 00418771
          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 00418797
          • UnmapViewOfFile.KERNEL32(00417A16,?,?,?,?,?,00000000), ref: 004187A8
          • GetFileSize.KERNEL32(000000FF,00000000,?,?,?,?,?,00000000), ref: 004187C0
          • ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 004187DF
          • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,00000000), ref: 004187FF
          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 0041880D
          • UnmapViewOfFile.KERNEL32(00417A16,?,?,?,?,?,00000000), ref: 0041881E
            • Part of subcall function 00403300: CloseHandle.KERNEL32(00000000,?,0040243E,00000001,000000FF,?,?,00000000,000000FF,?,?,?,00000000), ref: 0040330B
          • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041882F
          • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,00000000), ref: 0041883D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$Close$Handle$CreateView$SizeUnmaplstrcatlstrcpy$DirectoryMappingOpenQueryReadValueWindows
          • String ID: AppData$CurrentProfile$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$\Mozilla\registry.dat$\prefs.js$directory
          • API String ID: 3964888264-14205173
          • Opcode ID: 2d16e260f65d571225817499d1658805d328b74bbd4988f68a97e8da285acd8e
          • Instruction ID: c702ee0debcd4a78ff255aa29b747d1cbd0b5acdc0ecde31f8c8c1ea4891c3e3
          • Opcode Fuzzy Hash: 2d16e260f65d571225817499d1658805d328b74bbd4988f68a97e8da285acd8e
          • Instruction Fuzzy Hash: 6F813A71D00219FFDF209FA0DC85AEEBB78EB04754F6445BAE515B2290DB344E85CBA8
          APIs
          • __EH_prolog.LIBCMT ref: 00405C60
          • wsprintfA.USER32 ref: 00405CFE
          • GetLastError.KERNEL32(00000002,?,80400100,00000000,00000006,ftp://,00000000), ref: 00405DBD
          • GetLastError.KERNEL32 ref: 00405DC3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$H_prologwsprintf
          • String ID: 4[@$Referer: %s$dwplayer$ftp://$http://$nU@
          • API String ID: 3576247870-689368037
          • Opcode ID: bbd7fbaff8d360325b85dda75b1ef94dcb09d5eccddc9e16ea27a2ed4aa4fbf2
          • Instruction ID: df0e45bcbc547e53c2f50eedeaf485343a53a5c26e2028e5534da0ade6d2870f
          • Opcode Fuzzy Hash: bbd7fbaff8d360325b85dda75b1ef94dcb09d5eccddc9e16ea27a2ed4aa4fbf2
          • Instruction Fuzzy Hash: 71D1C171D00659AFDB10DBA4C8849EEBBB4EF04314F1481BEE409B7291DB389E45CFA9
          APIs
          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000,00000000,00413262,?,00000000), ref: 004010A5
          • GetFileSize.KERNEL32(00000000,b2A,?,00000000,00000000,00413262,?,00000000), ref: 004010BF
          • GlobalAlloc.KERNEL32(00000042,0000000A,?,00000000,00000000,00413262,?,00000000), ref: 004010CD
          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00413262,?,00000000), ref: 004010DB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$AllocCloseCreateGlobalHandleSize
          • String ID: b2A$b2A
          • API String ID: 2025735303-634148797
          • Opcode ID: af08bea203e4f2c547773fa6cb8d1b773c247ee8099a5bf2fc8416852afdfbbb
          • Instruction ID: 0b31d4f13b798be60e13def810eb024f65a93c1ff1eb9977ba24107e9f764c07
          • Opcode Fuzzy Hash: af08bea203e4f2c547773fa6cb8d1b773c247ee8099a5bf2fc8416852afdfbbb
          • Instruction Fuzzy Hash: 5C51A371600204FBEB309F64DC48F5A7BA4FB08721F10867AF656EA2E0C7789981CB5D
          APIs
            • Part of subcall function 00409AB1: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,?,00000104,00000104,?,?,00417181,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104), ref: 00409ACB
            • Part of subcall function 00409AB1: RegCloseKey.ADVAPI32(?,?,00417181,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104,?,00000000,?,00000104,?,00000000), ref: 00409ADC
          • RegDeleteValueA.ADVAPI32(?,ISSetup,80000002,Software\Microsoft\Windows\CurrentVersion\Run,000F003F), ref: 004091F0
          • RegCloseKey.ADVAPI32(?), ref: 004091FE
          • CharNextA.USER32 ref: 00409226
          • lstrcmpA.KERNEL32(00000000,%IS_V%), ref: 00409235
          • lstrcpyA.KERNEL32(?,?), ref: 0040924C
          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion), ref: 004092A5
          • RegDeleteValueA.ADVAPI32(?,?), ref: 004092B1
          • RegCloseKey.ADVAPI32(?), ref: 004092BF
          • lstrcpyA.KERNEL32(?,?), ref: 004092D8
          • RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 00409305
          • lstrcpyA.KERNEL32(004338E4,?,/verbose,?,00000001), ref: 00409334
          • RegCloseKey.ADVAPI32(00000001,/verbose,?,00000001), ref: 0040933E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Close$Valuelstrcpy$Delete$CharNextOpenQuerylstrcmp
          • String ID: %IS_V%$/verbose$ISSetup$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\Run$verbose
          • API String ID: 153511641-2584127249
          • Opcode ID: dee50f94d7e07e25a8863f148d1472dda4ff6ddc442b23f665ec4319cce25f90
          • Instruction ID: 446d0695cdbb2907c4853fe0ed34eb188e9ea5fb458292b46d8b64b9c894f7c9
          • Opcode Fuzzy Hash: dee50f94d7e07e25a8863f148d1472dda4ff6ddc442b23f665ec4319cce25f90
          • Instruction Fuzzy Hash: 2E415871A40229BBDB209F91DC45BEEBB74BB44304F50487AFA15B21D2D7785E81CE58
          APIs
          • LoadLibraryA.KERNEL32(msi.dll), ref: 00413374
          • GetProcAddress.KERNEL32(00000000,MsiGetProductInfoA), ref: 00413383
          • lstrcmpiA.KERNEL32(?,?), ref: 004133BD
          • MessageBoxA.USER32(00000000,?,?,00000024), ref: 00413486
          • FreeLibrary.KERNEL32(b2A2), ref: 00413509
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Library$AddressFreeLoadMessageProclstrcmpi
          • String ID: 2$InstalledProductName$LATERVERSIONINSTALLED$MsiGetProductInfoA$ONUPGRADE$PackageCode$VersionString$b2A2$msi.dll
          • API String ID: 4182792734-3526808965
          • Opcode ID: 3228d26d1f8d64ba94d8f8505e5385d3e7ab1350c5b661af54d4e509096af32f
          • Instruction ID: 8f85e86dfa1c50d9ff9d6d9d765d6c1e9a9ad617e9fb603517e42cb7d376512d
          • Opcode Fuzzy Hash: 3228d26d1f8d64ba94d8f8505e5385d3e7ab1350c5b661af54d4e509096af32f
          • Instruction Fuzzy Hash: B05183B190421CABDB21DF90DC85FDFB7BCAB04715F50406BF505D2141EA799B89CBA8
          APIs
          • GetDlgItem.USER32(?,000003EE), ref: 0040A93A
          • GetWindowTextLengthA.USER32(00000000), ref: 0040A950
          • GetWindowTextA.USER32(00000000,?,0000007F), ref: 0040A965
          • GetDlgItem.USER32(?,000003EF), ref: 0040A96F
          • GetWindowTextLengthA.USER32(00000000), ref: 0040A97F
          • GetWindowTextA.USER32(00000000,?,0000007F), ref: 0040A990
          • GetDC.USER32(?), ref: 0040A995
          • lstrlenA.KERNEL32(?,?,?,00000001), ref: 0040A9AC
          • ReleaseDC.USER32(?,00000000), ref: 0040A9D6
          • GetWindowRect.USER32(00000000,?), ref: 0040AA02
          • GetWindowPlacement.USER32(00004E20,?,?,?,00000001), ref: 0040AA61
          • MoveWindow.USER32(00004E20,0040A80D,?,00435110,?,00000001,?,?,00000001), ref: 0040AA7C
          • GetWindowPlacement.USER32(00000000,0000002C,?,?,00000001), ref: 0040AA8C
          • MoveWindow.USER32(00000000,0040A80D,?,00435110,?,00000001,?,?,00000001), ref: 0040AAA5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Window$Text$ItemLengthMovePlacement$RectReleaselstrlen
          • String ID: ,$PB
          • API String ID: 164573090-3103267959
          • Opcode ID: d6506519626bdaf6b8e44622467ddc968529f73fca8aef2b64a1956e87a880e7
          • Instruction ID: 1cef9582cc85671964f798823d6ff7b56a8069edf782411afa20703d6ecbfd77
          • Opcode Fuzzy Hash: d6506519626bdaf6b8e44622467ddc968529f73fca8aef2b64a1956e87a880e7
          • Instruction Fuzzy Hash: A4414A72E00229BBDF119F99CD84AEEBBB9FF48304F10416AE904B7290D7759E51CB94
          APIs
          • __EH_prolog.LIBCMT ref: 0040F14A
          • VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 0040F18A
          • VariantClear.OLEAUT32(?), ref: 0040F34E
          Strings
          • Software\Microsoft\Active Setup\Installed Components\%s, xrefs: 0040F308
          • {9B29D757-088E-E8C9-2535-AA319B92C00A}, xrefs: 0040F1D9
          • {021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}, xrefs: 0040F2C0
          • {F1B13231-13BE-1231-5401-486BA763DEB6}, xrefs: 0040F22B
          • {7E76A8D6-33D1-0032-16C3-4593092861D0}, xrefs: 0040F291
          • {F279058C-50B2-4BE4-60C9-369CACF06821}, xrefs: 0040F1ED
          • LWC, xrefs: 0040F2D2
          • {1C370964-514B-321C-7237-2B4FD86D8568}, xrefs: 0040F2C7, 0040F2D7
          • {E7E2C871-090A-C372-F9AE-C3C6A988D260}, xrefs: 0040F258
          • {6741C120-01BA-87F9-8734-5FB9DA8A4445}, xrefs: 0040F1FC
          • {78705f0d-e8db-4b2d-8193-982bdda15ecd}, xrefs: 0040F1E3
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Variant$ChangeClearH_prologType
          • String ID: LWC$Software\Microsoft\Active Setup\Installed Components\%s${021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}${1C370964-514B-321C-7237-2B4FD86D8568}${6741C120-01BA-87F9-8734-5FB9DA8A4445}${78705f0d-e8db-4b2d-8193-982bdda15ecd}${7E76A8D6-33D1-0032-16C3-4593092861D0}${9B29D757-088E-E8C9-2535-AA319B92C00A}${E7E2C871-090A-C372-F9AE-C3C6A988D260}${F1B13231-13BE-1231-5401-486BA763DEB6}${F279058C-50B2-4BE4-60C9-369CACF06821}
          • API String ID: 2549134154-2395172153
          • Opcode ID: 0f9b7f1cf5986999776c5a1fe85d38a1b25c39c7a3dda7239f5e406c459b3b80
          • Instruction ID: eb04efbe609baa518eeb590a1ebdadb2b45a747aa87eff6a5ffb522eb79d280e
          • Opcode Fuzzy Hash: 0f9b7f1cf5986999776c5a1fe85d38a1b25c39c7a3dda7239f5e406c459b3b80
          • Instruction Fuzzy Hash: A851B074A00148EADB24DB95C955BEEBBB8EB14304F6080BFE505B76C2D7385F09CB69
          APIs
            • Part of subcall function 00416C33: __EH_prolog.LIBCMT ref: 00416C38
            • Part of subcall function 00416C33: wsprintfA.USER32 ref: 00416C5C
            • Part of subcall function 00416C33: CharNextA.USER32(?), ref: 00416C6B
            • Part of subcall function 00416C33: CharNextA.USER32(00000000), ref: 00416C6E
            • Part of subcall function 00416C33: lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00416CAB
            • Part of subcall function 00416C33: wsprintfA.USER32 ref: 00416CB9
          • lstrcmpiA.KERNEL32(?,?), ref: 0040ABD7
          • VerLanguageNameA.KERNEL32(00000000,?,0000007F), ref: 0040ABFC
          • lstrcmpiA.KERNEL32(?,?), ref: 0040AC0F
          • lstrcpyA.KERNEL32(?,?), ref: 0040AC34
          • SendMessageA.USER32(00000000,00000143,00000000,?), ref: 0040AC4C
          • SendMessageA.USER32(00000000,00000151,00000000,00000000), ref: 0040AC69
          • lstrcpyA.KERNEL32(?,Slovenian), ref: 0040ACA1
          • lstrcpyA.KERNEL32(?,?), ref: 0040ACC2
          • SendMessageA.USER32(00000000,00000143,00000000,?), ref: 0040ACD9
          • SendMessageA.USER32(00000000,00000151,00000000,00000000), ref: 0040ACF2
          • SendMessageA.USER32(00000000,0000014C,00000000,?), ref: 0040AD1C
          • SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0040AD30
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: MessageSend$lstrcpy$CharNextlstrcmpiwsprintf$H_prologLanguageNamelstrcat
          • String ID: Basque$Slovenian
          • API String ID: 3996275985-3822051040
          • Opcode ID: da3780b7e88168c59eb6ed3bd06d1f889694be2a95c169b114bba254e5a02755
          • Instruction ID: faab48095d9b8819e2987f92470efb4ca47d8aab130acac2371c979d8107e3d1
          • Opcode Fuzzy Hash: da3780b7e88168c59eb6ed3bd06d1f889694be2a95c169b114bba254e5a02755
          • Instruction Fuzzy Hash: 49517C71A0021CAFEB21CB64DC45BEE77B9FB04354F0005BAF918E61E0D3789E958B59
          APIs
          • lstrcpyA.KERNEL32(?,SetupBitmapCls,?,?,00000000,?,?,?,?,?,?,?,?,?,00413822,?), ref: 0041450A
          • LoadCursorA.USER32(00000000,00007F00), ref: 0041453B
          • GetClassInfoA.USER32(?,SetupBitmapCls,?), ref: 0041455B
          • RegisterClassA.USER32(00000003), ref: 00414569
          • GetObjectA.GDI32(00000000,00000018,?), ref: 004145B3
          • GetSystemMetrics.USER32(00000000), ref: 004145C0
          • GetSystemMetrics.USER32(00000001), ref: 004145CF
          • CreateWindowExA.USER32(00000080,SetupBitmapCls,SetupBitmapWin,86000000,?,?,?,?,00000000,00000000,?,00000000), ref: 00414608
          • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00413822), ref: 00414614
          • SetWindowLongA.USER32(00000000,00000000,00000000), ref: 00414622
          • ShowWindow.USER32(00000000,00000005,?,00000000,?,?,?,?,?,?,?,?,?,00413822), ref: 00414631
          • UpdateWindow.USER32(?), ref: 0041463D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Window$ClassMetricsSystem$CreateCursorErrorInfoLastLoadLongObjectRegisterShowUpdatelstrcpy
          • String ID: SetupBitmapCls$SetupBitmapWin
          • API String ID: 2500980582-250169166
          • Opcode ID: 16290c4baf43e8e696500572d0d4e8395893680214400e19306bf431f9a8961c
          • Instruction ID: 3dd223b22f9b9f37c4a2605f8311b7d0923d9b39cb28ffa8cfe6a25005a8e53f
          • Opcode Fuzzy Hash: 16290c4baf43e8e696500572d0d4e8395893680214400e19306bf431f9a8961c
          • Instruction Fuzzy Hash: 654123B1A00605AFDB11DFA4DC89ADABBF8FF4C710F50853AF609E6290D774A9418B58
          APIs
          • RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Netscape\Netscape Navigator\Proxy Information,00417A00), ref: 0041801F
          • RegQueryValueExA.ADVAPI32(00417A00,Proxy Type,00000000,00000000,?,?), ref: 0041808B
          • RegQueryValueExA.ADVAPI32(00417A00,0000003D,00000000,00000000,?,00000004), ref: 004180CB
          • lstrcatA.KERNEL32(00000000,0042F8F0), ref: 004180E6
          • lstrcatA.KERNEL32(00000000,?), ref: 004180F6
          • RegQueryValueExA.ADVAPI32(00417A00,786F7250,00000000,00000000,?,00000100), ref: 00418111
          • lstrcatA.KERNEL32(00000000,0042F888), ref: 00418123
          • lstrlenA.KERNEL32(00000000,0042EB18,?), ref: 00418134
          • wsprintfA.USER32 ref: 00418142
          • lstrcatA.KERNEL32(00000000,0042E804), ref: 00418157
          • RegCloseKey.ADVAPI32(00417A00), ref: 0041819E
          Strings
          • Proxy Type, xrefs: 0041803D
          • SOFTWARE\Netscape\Netscape Navigator\Proxy Information, xrefs: 00418015
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcat$QueryValue$CloseOpenlstrlenwsprintf
          • String ID: Proxy Type$SOFTWARE\Netscape\Netscape Navigator\Proxy Information
          • API String ID: 405122679-2702298965
          • Opcode ID: 1d34149bc2659b14390acd87cd32a5b3ba5b355e6c7a2f989bf0ddbf363d94d5
          • Instruction ID: 8c01e3a70bfd202f39242187d95c854534dc6aab0374ba0a554202d4e5512887
          • Opcode Fuzzy Hash: 1d34149bc2659b14390acd87cd32a5b3ba5b355e6c7a2f989bf0ddbf363d94d5
          • Instruction Fuzzy Hash: E651FCB2E0022DBBDF11DB94DC44BDEBBB9AF08304F5044B6E604B6251D7755A89CF98
          APIs
          • GetWindowRect.USER32(?,?), ref: 00409C23
          • GetWindowRect.USER32(00000000,?), ref: 00409C2C
          • GetSystemMetrics.USER32(00000001), ref: 00409C36
          • GetSystemMetrics.USER32(00000000), ref: 00409C3A
          • SetRect.USER32(?,00000000,00000000,00000000), ref: 00409C43
          • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 00409C7A
          • IsWindow.USER32(00000000), ref: 00409C83
          • GetWindowRect.USER32(00000000,?), ref: 00409C99
          • IntersectRect.USER32(?,?,?), ref: 00409CA7
          • SubtractRect.USER32(?,?,?), ref: 00409CC3
          • SetWindowPos.USER32(00000000,?,000003E8,0000001E,00000000,00000000,00000005,0000001E,?,00000000), ref: 00409D03
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: RectWindow$MetricsSystem$FindIntersectSubtract
          • String ID: Fb2A$Shell_TrayWnd
          • API String ID: 301737298-403960952
          • Opcode ID: e21c73c506a8e8e6020802b3247b20ebde90ff4f283c19f25f640cf9ea205fe7
          • Instruction ID: d26c8aca5ef5d379c704521c282512dc034716f0b35f0108aed9b1809ba74e15
          • Opcode Fuzzy Hash: e21c73c506a8e8e6020802b3247b20ebde90ff4f283c19f25f640cf9ea205fe7
          • Instruction Fuzzy Hash: 8831BCB2E00209AFDB10DFE8DD88EEFBBBDEB48314F114026E911B7254D674A9058B64
          APIs
          • lstrcpyA.KERNEL32(?,00432C20,00000000,?,?), ref: 0041358E
            • Part of subcall function 00413517: lstrlenA.KERNEL32(?,?,?,?,?,?,004135A7,?,REINSTALL,?,?), ref: 00413528
            • Part of subcall function 00413517: lstrlenA.KERNEL32(?,?,?,?,?,?,004135A7,?,REINSTALL,?,?), ref: 00413530
          • lstrcatA.KERNEL32(?, REINSTALL=ALL,?,REINSTALL,?,?), ref: 004135BD
          • lstrcatA.KERNEL32(?, REINSTALLMODE=vomus ,?,REINSTALLMODE,?,REINSTALL,?,?), ref: 004135DC
          • lstrcatA.KERNEL32(?, IS_MINOR_UPGRADE=1,?,IS_MINOR_UPGRADE,?,REINSTALLMODE,?,REINSTALL,?,?), ref: 004135FB
          • lstrlenA.KERNEL32(?,?,IS_MINOR_UPGRADE,?,REINSTALLMODE,?,REINSTALL,?,?), ref: 00413604
          • lstrcatA.KERNEL32(?,0042E804,?,?), ref: 00413614
          • lstrcatA.KERNEL32(?,?,?,?), ref: 0041361E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcat$lstrlen$lstrcpy
          • String ID: IS_MINOR_UPGRADE=1$ REINSTALL=ALL$ REINSTALLMODE=vomus $IS_MINOR_UPGRADE$REINSTALL$REINSTALLMODE
          • API String ID: 1797936820-1374138384
          • Opcode ID: df4979f32d4c21534bc27ca545be19f72fdeb0830db628fa2e4762c2aef9dae1
          • Instruction ID: 17e43ed686c713519f5ef8a45d9907e8e21d369755034197b317dd375f118ddb
          • Opcode Fuzzy Hash: df4979f32d4c21534bc27ca545be19f72fdeb0830db628fa2e4762c2aef9dae1
          • Instruction Fuzzy Hash: 8711EBF1B0022877CA10DA72ADC5FEE766D9B54B48F800077BA05D2040EABC9EC58A5C
          APIs
          • __EH_prolog.LIBCMT ref: 0040558F
            • Part of subcall function 00405798: lstrlenA.KERNEL32(00000000,75BF8400,?,004055A6,00000000,?,00000000), ref: 004057A1
          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004055B2
          • SysAllocStringLen.OLEAUT32(00000000,00000400), ref: 004055F1
          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000400), ref: 0040560B
          • SysAllocStringLen.OLEAUT32(00000000,00000400), ref: 00405613
          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000400), ref: 00405629
          • CreateThread.KERNEL32(00000000,00000000,0040553E,?,00000000,00000000), ref: 0040566F
          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00405693
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004056AA
          • DispatchMessageA.USER32(?), ref: 004056CC
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: AllocByteCharMessageMultiStringWide$CopyCreateDispatchFileH_prologMultipleObjectsPeekThreadWaitlstrlen
          • String ID:
          • API String ID: 3407787643-0
          • Opcode ID: f65d150ca95c40260c32da517fa507d626541e35abef31863bd2131f4f990c8a
          • Instruction ID: b4f86509d7bd0fb507de0dd4070fd6f71e1ca7c168b203e3feff88a0e01f8202
          • Opcode Fuzzy Hash: f65d150ca95c40260c32da517fa507d626541e35abef31863bd2131f4f990c8a
          • Instruction Fuzzy Hash: 44518971A00114FFDB20AF61CC88EAF7A79EB45360F50457AF919AA1E1CB394E41DF68
          APIs
          • __EH_prolog.LIBCMT ref: 00407616
          • GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 0040763B
          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0040767C
          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,?), ref: 004076A1
          • GetProcAddress.KERNEL32(?,WTHelperProvDataFromStateData), ref: 0040770B
          • GetProcAddress.KERNEL32(?,WTHelperGetProvSignerFromChain), ref: 00407723
          • GetProcAddress.KERNEL32(?,WTHelperGetProvCertFromChain), ref: 00407742
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: AddressProc$ByteCharMultiWide$H_prolog
          • String ID: <$WTHelperGetProvCertFromChain$WTHelperGetProvSignerFromChain$WTHelperProvDataFromStateData$WinVerifyTrust
          • API String ID: 2820147231-2103055557
          • Opcode ID: 346296377ea3aae3e5d57abf47fb4e59aa21031b1f857656ce50e065bf7fcda1
          • Instruction ID: ece930f1ea526063f56a0cd031b19169f59ebb7fb386fec364c7260646b6236b
          • Opcode Fuzzy Hash: 346296377ea3aae3e5d57abf47fb4e59aa21031b1f857656ce50e065bf7fcda1
          • Instruction Fuzzy Hash: 235139B1D0021CAEDB10DFA5DC84AEEBBB9FF08354F60452AF514B7291C775AE408B65
          APIs
            • Part of subcall function 0040AFE6: wsprintfA.USER32 ref: 0040AFF8
            • Part of subcall function 0040AFE6: CharNextA.USER32(?,00000000), ref: 0040B022
            • Part of subcall function 0040AFE6: CharNextA.USER32(00000000), ref: 0040B025
          • SetWindowTextA.USER32(?,?), ref: 0040A7AE
          • GetDlgItem.USER32(?,00004E21), ref: 0040A81C
          • GetWindowPlacement.USER32(00000000,?), ref: 0040A830
          • DestroyWindow.USER32(00000000), ref: 0040A847
          • GetDlgItem.USER32(?,000003ED), ref: 0040A853
          • SendMessageA.USER32(00000000,00000146,00000000,00000000), ref: 0040A883
          • EndDialog.USER32(?,00000001), ref: 0040A89D
          • EndDialog.USER32(?,000000FD), ref: 0040A8B5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Window$CharDialogItemNext$DestroyMessagePlacementSendTextwsprintf
          • String ID: ,$CANCEL$Description
          • API String ID: 595805203-797421613
          • Opcode ID: 272a7e012b60b33c9369bc957719443097213bf614af4825b3c53182daca1d2e
          • Instruction ID: cf21e81c6e36d9fa8c3379b63f73bafce5c4eb546a7e2246497e5a811f52cf0f
          • Opcode Fuzzy Hash: 272a7e012b60b33c9369bc957719443097213bf614af4825b3c53182daca1d2e
          • Instruction Fuzzy Hash: 0E419A72A00714BBE711AB61EC42F6E33ACAF55744F514036FD00B61D1E7789D128A6E
          APIs
          • __EH_prolog.LIBCMT ref: 0040D3DA
            • Part of subcall function 00409AB1: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,?,00000104,00000104,?,?,00417181,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104), ref: 00409ACB
            • Part of subcall function 00409AB1: RegCloseKey.ADVAPI32(?,?,00417181,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104,?,00000000,?,00000104,?,00000000), ref: 00409ADC
          • RegCloseKey.ADVAPI32(?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,?,00000000,00000000), ref: 0040D41B
          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries,000F003F,?,00000000,00000000), ref: 0040D462
          • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 0040D4E8
          • RegEnumValueA.ADVAPI32(?,00000001,?,00000208,00000000,?,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 0040D506
          • RegCloseKey.ADVAPI32(?), ref: 0040D51C
          • RegCloseKey.ADVAPI32(00000000,00000000,?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 0040D539
          • RegCloseKey.ADVAPI32(?,00000000,?,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnceEx,000F003F,80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,000F003F), ref: 0040D546
          Strings
          • SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries, xrefs: 0040D3FA
          • Software\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 0040D4B4
          • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0040D47E
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Close$EnumValue$H_prologOpen
          • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnceEx
          • API String ID: 2958348514-2087105512
          • Opcode ID: 3938ca202b1dd12048d72f4486caf69c2a6e614d3edcbbd7b2f87419d4099659
          • Instruction ID: f575dd992de4f83e8001ba3d5ed40eee30e5a46e9cca7dad8770919da0a13a2d
          • Opcode Fuzzy Hash: 3938ca202b1dd12048d72f4486caf69c2a6e614d3edcbbd7b2f87419d4099659
          • Instruction Fuzzy Hash: 05411A71E0021EAADF11DFE1DD45AFFB778AB54348F10407AE902B2281D7789E08CB65
          APIs
          • __EH_prolog.LIBCMT ref: 00416C38
          • wsprintfA.USER32 ref: 00416C5C
          • CharNextA.USER32(?), ref: 00416C6B
          • CharNextA.USER32(00000000), ref: 00416C6E
            • Part of subcall function 00415E6E: lstrcpyA.KERNEL32(?,00000000,?,?,00000000), ref: 00415E94
            • Part of subcall function 00415E6E: CharNextA.USER32(00000000,?,00000000), ref: 00415EAD
            • Part of subcall function 00415E6E: lstrcpyA.KERNEL32(?,?,?,00000000), ref: 00415ECA
            • Part of subcall function 00415E6E: lstrcpyA.KERNEL32(?,00000000,?,00000000), ref: 00415ED0
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
          • lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00416CAB
          • wsprintfA.USER32 ref: 00416CB9
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • VerLanguageNameA.KERNEL32(?,?,?,Languages,?,00432C20,?,?,?), ref: 00416D0B
          Similarity
          • API ID: CharH_prologNextlstrcpy$lstrcatwsprintf$LanguageNamelstrcpynlstrlen
          • String ID: %#04x$.ini$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$Languages
          • API String ID: 3200456682-1247365655
          • Opcode ID: 7296efa8a34ae2bce5b62c02b5da5aa705cd5e30511d91ce0a849cb0e14a61a8
          • Instruction ID: ab2caee1cc251b4b97f6b671ca4f37b684adf315e8606982e31c7ceabd4497fa
          • Opcode Fuzzy Hash: 7296efa8a34ae2bce5b62c02b5da5aa705cd5e30511d91ce0a849cb0e14a61a8
          • Instruction Fuzzy Hash: 06312FB290011CABCF11DBE5DD41DDEB77CEF48348F508066F911A7191DB789A498B98
          APIs
          • LCMapStringW.KERNEL32(00000000,00000100,0042A0CC,00000001,00000000,00000000,74DEE860,00436350,?,?,?,0041E7F8,?,?,?,00000000), ref: 004246EC
          • LCMapStringA.KERNEL32(00000000,00000100,0042A0C8,00000001,00000000,00000000,?,?,0041E7F8,?,?,?,00000000,00000001), ref: 00424708
          • LCMapStringA.KERNEL32(?,?,?,0041E7F8,?,?,74DEE860,00436350,?,?,?,0041E7F8,?,?,?,00000000), ref: 00424751
          • MultiByteToWideChar.KERNEL32(?,PcC,?,0041E7F8,00000000,00000000,74DEE860,00436350,?,?,?,0041E7F8,?,?,?,00000000), ref: 00424789
          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0041E7F8,?,00000000,?,?,0041E7F8,?), ref: 004247E1
          • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0041E7F8,?), ref: 004247F7
          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0041E7F8,?), ref: 0042482A
          • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0041E7F8,?), ref: 00424892
          Similarity
          • API ID: String$ByteCharMultiWide
          • String ID: PcC
          • API String ID: 352835431-855171052
          • Opcode ID: 2b821c46f4505f464b240c389b251daccd4b4bf8755fec0d6e61a31b87bab29f
          • Instruction ID: 53922c64483b790e0ab5652cbaf503fe00bb2bf2ceaa6caf1d1a61a02c11c25b
          • Opcode Fuzzy Hash: 2b821c46f4505f464b240c389b251daccd4b4bf8755fec0d6e61a31b87bab29f
          • Instruction Fuzzy Hash: 6D519D31600269EFDF219F94EC45AEF7FB5FB89750F50012AF914A2260C33A8D61DB69
          APIs
            • Part of subcall function 00417769: SetLastError.KERNEL32(0000007F,00418C1F,?,00418B5E,00000000,00000000,?,00405DB3,00000002,?,80400100,00000000,00000006,ftp://,00000000), ref: 00417781
          • lstrlenA.KERNEL32(00000006,ftp://,00000000,00000000,00000000,?,00405DB3,00000002,?,80400100,00000000,00000006,ftp://,00000000), ref: 00418C70
          • lstrcpyA.KERNEL32(00000000,00000006,?,00405DB3,00000002,?,80400100,00000000,00000006,ftp://,00000000), ref: 00418C82
          • lstrlenA.KERNEL32(00000006,ftp://,00000000,00000000,00000000,?,00405DB3,00000002,?,80400100,00000000,00000006,ftp://,00000000), ref: 00418C89
          • lstrlenA.KERNEL32(?,?,00405DB3,00000002,?,80400100,00000000,00000006,ftp://,00000000), ref: 00418C9F
          • GetLastError.KERNEL32(?,80400100,00000000,00000006,ftp://,00000000), ref: 00418D07
          Similarity
          • API ID: lstrlen$ErrorLast$lstrcpy
          • String ID: ftp://
          • API String ID: 2253992269-2553531909
          • Opcode ID: f4fbd7cab75e655432f554bcc2740a7d98c561080ab5e2ec977d3f534c54de3f
          • Instruction ID: 32db76a7d88a99573197dff7d600a5445c5ae8afd5dccf4cc5548486bd7f99f7
          • Opcode Fuzzy Hash: f4fbd7cab75e655432f554bcc2740a7d98c561080ab5e2ec977d3f534c54de3f
          • Instruction Fuzzy Hash: 3F418CB1500305AFEB209F74DC85BEB7BE9FF04310F14492FF55986291EB38A8919B68
          APIs
          • __EH_prolog.LIBCMT ref: 004094DA
          • CharNextA.USER32(?,?,?), ref: 004094FE
          • CharNextA.USER32(00000000,?,?), ref: 0040953D
          • lstrcpyA.KERNEL32(?,00000000,00000452,?,?,?), ref: 0040956A
          • wsprintfA.USER32 ref: 004095F7
          Similarity
          • API ID: CharNext$H_prologlstrcpywsprintf
          • String ID: %s%d$C:\Users\user\AppData\Local\Temp\_is8C78$Languages$count$key
          • API String ID: 1845217301-109189850
          • Opcode ID: 4f71655d1e7ac475178c26a75c8d2ffbb415a76c952c519df81684b99001783c
          • Instruction ID: 0efea2837576ad80daa65c73cc0fe14ef7eaa442775e45c679d818c6d503a88f
          • Opcode Fuzzy Hash: 4f71655d1e7ac475178c26a75c8d2ffbb415a76c952c519df81684b99001783c
          • Instruction Fuzzy Hash: 7B41A072A00258ABDB11EBA5DC55BEEBB78AF14304F4040BBF505B31C2DB789E45CB58
          APIs
          • wsprintfA.USER32 ref: 0040D8DC
            • Part of subcall function 00416429: lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,000000FF), ref: 00416476
            • Part of subcall function 00416429: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,?,000000FF), ref: 00416493
            • Part of subcall function 00416429: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004164AA
            • Part of subcall function 00416429: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004164C0
            • Part of subcall function 00416429: GetExitCodeProcess.KERNELBASE(?,00000001), ref: 004164DF
            • Part of subcall function 00416429: CloseHandle.KERNEL32(?,?,?,?,?,?,000000FF), ref: 004164F0
            • Part of subcall function 00409AB1: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,?,00000104,00000104,?,?,00417181,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104), ref: 00409ACB
            • Part of subcall function 00409AB1: RegCloseKey.ADVAPI32(?,?,00417181,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104,?,00000000,?,00000104,?,00000000), ref: 00409ADC
          • RegQueryValueExA.ADVAPI32(00000000,InstallerLocation,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,00000000,00000001), ref: 0040D9B9
          • SetCurrentDirectoryA.KERNEL32(?), ref: 0040D9C6
          • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,00000000,00000001), ref: 0040D9D5
          Strings
          • Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 0040D965
          • "%s" /c:"msiinst /delayrebootq", xrefs: 0040D8D0
          • "%s" /q, xrefs: 0040D8B4
          • InstallerLocation, xrefs: 0040D9AA
          • "%s" /quiet /norestart, xrefs: 0040D8C2
          • 2.0.2600.0, xrefs: 0040D8A1
          Similarity
          • API ID: Close$Process$CodeCreateCurrentDirectoryExitHandleMessageMultipleObjectsOpenPeekQueryValueWaitlstrcpywsprintf
          • String ID: "%s" /c:"msiinst /delayrebootq"$"%s" /q$"%s" /quiet /norestart$2.0.2600.0$InstallerLocation$Software\Microsoft\Windows\CurrentVersion\Installer
          • API String ID: 4063252211-3152253738
          • Opcode ID: 0e0561e24ae39bb9a3b8705994affdf8852a09ea012634765d712f09db3b9638
          • Instruction ID: 8a0501ea82ce1ba436525ff1881f6768fbd21b83fd2bd013dc3a54d86270663e
          • Opcode Fuzzy Hash: 0e0561e24ae39bb9a3b8705994affdf8852a09ea012634765d712f09db3b9638
          • Instruction Fuzzy Hash: C7412B72740218BBDB209BA5DC46BD977A89B05314F108077F545BB1D1D7B899888B5C
          APIs
          • __EH_prolog.LIBCMT ref: 0040DBE2
          • LoadLibraryA.KERNEL32(Msi.DLL,?,00000000,0040C1B2,00000000,?,?,?,?,?,00000000), ref: 0040DBFA
          • GetProcAddress.KERNEL32(00000000,MsiSetInternalUI), ref: 0040DC19
          • GetProcAddress.KERNEL32(00000000,MsiInstallProductA), ref: 0040DC2B
          • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040DC8A
          • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0040DC9A
          Similarity
          • API ID: Library$AddressFreeProc$H_prologLoad
          • String ID: Msi.DLL$MsiInstallProductA$MsiSetInternalUI$REBOOT=ReallySuppress ADDLOCAL=All
          • API String ID: 2362482000-2404585225
          • Opcode ID: 7d055ce27f9e5d69e304f297b151e552771f7138da1aa2a5458b6b4b827bddea
          • Instruction ID: 33f60292f8c7ab947b12e850b8579bd399df552198e765a50c8defc1dac251a7
          • Opcode Fuzzy Hash: 7d055ce27f9e5d69e304f297b151e552771f7138da1aa2a5458b6b4b827bddea
          • Instruction Fuzzy Hash: E621CF31A04215AAF710AF96DD45BFEB774EF84B10F10402BE801A62C0DBBC9905CA6D
          APIs
          • GlobalAlloc.KERNEL32(00000042,00000418,?,004011BE,00000000,?,00000000,00000000), ref: 0040123B
          • GlobalLock.KERNEL32(00000000), ref: 0040124D
          • GetDC.USER32(00000000), ref: 00401283
          • GetSystemPaletteEntries.GDI32(00000000,00000000,0000000A,00000004), ref: 0040129A
          • GetSystemPaletteEntries.GDI32(00000000,000000F6,0000000A,000003DC), ref: 004012AB
          • ReleaseDC.USER32(00000000,00000000), ref: 004012B0
          • CreatePalette.GDI32(00000000), ref: 004012C2
          • GlobalUnlock.KERNEL32(00000000), ref: 004012CB
          • GlobalFree.KERNEL32(00000000), ref: 004012D2
          Similarity
          • API ID: Global$Palette$EntriesSystem$AllocCreateFreeLockReleaseUnlock
          • String ID: b2A
          • API String ID: 685945034-1488577323
          • Opcode ID: 7dd2fe7c661f97c36a2b43d005bb25764f479169c2cda0078fb12f8c6d3e0cf1
          • Instruction ID: 18cbd53c7e9465df16803605e93cc2121a757624bf9d6c140418727c577267af
          • Opcode Fuzzy Hash: 7dd2fe7c661f97c36a2b43d005bb25764f479169c2cda0078fb12f8c6d3e0cf1
          • Instruction Fuzzy Hash: C0113836348344AFE3319B60EC88FA77BECEF59705F0444A9FA8A97391D6619805C339
          APIs
            • Part of subcall function 00417252: LoadLibraryA.KERNEL32(wininet.dll,00000000,0040629D,?,00000000,?,004064C5,?,00000000,00000000,00000006,ftp://,00000000), ref: 00417267
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 00417287
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetOpenUrlA), ref: 00417299
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetConnectA), ref: 004172AB
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCrackUrlA), ref: 004172BD
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCreateUrlA), ref: 004172CF
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCloseHandle), ref: 004172E1
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetReadFile), ref: 004172F3
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417305
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 00417317
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetGetLastResponseInfoA), ref: 00417329
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041733B
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 0041734D
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetAutodial), ref: 0041735F
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetErrorDlg), ref: 00417371
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpOpenRequestA), ref: 00417383
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpSendRequestA), ref: 00417395
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpSendRequestExA), ref: 004173A7
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpEndRequestA), ref: 004173B9
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetQueryOptionA), ref: 004173CB
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetQueryDataAvailable), ref: 004173DD
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCanonicalizeUrlA), ref: 004173EF
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetGetCookieA), ref: 00417401
          • SetLastError.KERNEL32(00002EE6,?,00000000,00000001), ref: 004193EB
            • Part of subcall function 00417639: SetLastError.KERNEL32(0000007F,004195E2,?,00000000,00000000,0000003C,00000000,00000001,?,004193B6,?,00000000,00000001), ref: 00417651
          • lstrcmpiA.KERNEL32(?,?), ref: 0041946E
          • lstrlenA.KERNEL32(?,?,?,?,00000000,00000001), ref: 004194B6
          • lstrcpyA.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 004194CA
          • lstrlenA.KERNEL32(?,?,00000000,00000001), ref: 004194CF
          • lstrcpyA.KERNEL32(00000000,?), ref: 004194E5
          • lstrcatA.KERNEL32(00000000,?), ref: 004194F2
            • Part of subcall function 004175BD: SetLastError.KERNEL32(0000007F), ref: 004175D8
          Similarity
          • API ID: AddressProc$ErrorLast$lstrcpylstrlen$LibraryLoadlstrcatlstrcmpi
          • String ID: <$GET
          • API String ID: 4248792880-427699995
          • Opcode ID: aa3ec2aed6cf7c974e2099d8b5094c0a9d91955af4545af70c44be777cfc0463
          • Instruction ID: 987f26004621c9e0c95f8384c95d0eecf387fdbd8adb852411b9946d6700e21d
          • Opcode Fuzzy Hash: aa3ec2aed6cf7c974e2099d8b5094c0a9d91955af4545af70c44be777cfc0463
          • Instruction Fuzzy Hash: 0B519D72904109FBCF11AFA1DC45DEE7F7AEF48300F54406AF904A6161DB398EA2DB64
          APIs
            • Part of subcall function 004177CA: SetLastError.KERNEL32(0000007F,00419253,?,00000000,?,00002F00,?,?,00418E69,00000000), ref: 004177E2
          • GetLastError.KERNEL32(?,00002F00,?,?,00418E69,00000000), ref: 00419271
          • wsprintfA.USER32 ref: 004192AE
          • lstrcatA.KERNEL32(?,?,?,00002F00,?,?,00418E69,00000000), ref: 004192C8
          • ResetEvent.KERNEL32(?,?,00002F00,?,?,00418E69,00000000), ref: 004192D6
          • GetLastError.KERNEL32(?,00418E69,00000000), ref: 00419300
            • Part of subcall function 004177F7: SetLastError.KERNEL32(0000007F,0041926B,?,00000000,?,00002F00,?,?,00418E69,00000000), ref: 0041780F
          • ResetEvent.KERNEL32(?,?,00002F00,?,?,00418E69,00000000), ref: 00419352
          Similarity
          • API ID: ErrorLast$EventReset$lstrcatwsprintf
          • String ID: A$Range: bytes=%d-$Range: bytes=%d-
          • API String ID: 4195990047-4039695729
          • Opcode ID: 2504c5747ccaafc89867c93627d8c33f59676e5a2b968c21c0cb175d7c1c03b9
          • Instruction ID: 9be4eb50cbf97854324940367c506154320e490ec20b89204eb27a0948349a42
          • Opcode Fuzzy Hash: 2504c5747ccaafc89867c93627d8c33f59676e5a2b968c21c0cb175d7c1c03b9
          • Instruction Fuzzy Hash: D6419671104605EFDB209F64CC94EE7B7E5AF05310F204A6EF9AB83290C735AC81DB28
          APIs
          • CharNextA.USER32 ref: 00408FEE
          • lstrcmpA.KERNEL32(00000000,%IS_T%), ref: 00408FFC
          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 00409071
          • RegDeleteValueA.ADVAPI32(?,00000000,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 0040908A
          • RegCloseKey.ADVAPI32(?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 0040909E
          • RegCloseKey.ADVAPI32(?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 004090AF
            • Part of subcall function 00413164: lstrlenA.KERNEL32(?,00000000,00000000,00404B5A,00000000,00000001,?,?,00000000), ref: 0041316D
            • Part of subcall function 00413164: lstrcpyA.KERNEL32(00000000,?), ref: 00413189
            • Part of subcall function 00413164: lstrcpyA.KERNEL32(C:\Users\user\Desktop,?), ref: 00413191
            • Part of subcall function 00409682: __EH_prolog.LIBCMT ref: 00409687
          • RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion,000F003F), ref: 00409305
          Strings
          • %IS_T%, xrefs: 00408FF6
          • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040901E
          Similarity
          • API ID: Close$Valuelstrcpy$CharDeleteH_prologNextQuerylstrcmplstrlen
          • String ID: %IS_T%$Software\Microsoft\Windows\CurrentVersion
          • API String ID: 2302879836-2853854844
          • Opcode ID: cb94f9024832fc054e26b95ed5e4ce66bca2eca5e1b3c056c8b28b1516aabc6e
          • Instruction ID: b1f692033b854f13e380e8f4e2509a5f5ada5abdda0b0ae7d2fb49a7c218edf0
          • Opcode Fuzzy Hash: cb94f9024832fc054e26b95ed5e4ce66bca2eca5e1b3c056c8b28b1516aabc6e
          • Instruction Fuzzy Hash: 8631497160021CFFCB20DF51D841AEE7B68EB08364F10817AF91AA6291CB789E45CF59
          APIs
          • GetWindowLongA.USER32(?,00000000), ref: 0041465C
          • DefWindowProcA.USER32(?,00000002,?,?), ref: 0041468D
          • GetDC.USER32(?), ref: 004146AB
          • SelectPalette.GDI32(00000000,?,00000000), ref: 004146B5
          • RealizePalette.GDI32(00000000), ref: 004146BC
          • ReleaseDC.USER32(00000000,00000000), ref: 004146CF
          • GetDC.USER32(00000000), ref: 004146DA
          • ReleaseDC.USER32(00000000,00000000), ref: 004146F6
          • BeginPaint.USER32(?,?), ref: 00414706
          • EndPaint.USER32(?,?), ref: 00414729
          Similarity
          • API ID: PaintPaletteReleaseWindow$BeginLongProcRealizeSelect
          • String ID:
          • API String ID: 1992308970-0
          • Opcode ID: fce3c739b81143605c8912f8be825576903f9f656c711c93825f7f40ed7093f8
          • Instruction ID: 919e4ac10e9a7eb1677f3e1b8e5a781ec4795d8c278613886e8a66308adb464d
          • Opcode Fuzzy Hash: fce3c739b81143605c8912f8be825576903f9f656c711c93825f7f40ed7093f8
          • Instruction Fuzzy Hash: FB319132100209AFDB229FA1CC48EFF7BB9EF89704F04442AF955911A0C779DD91DB69
          APIs
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrlenA.KERNEL32(00000000,00000000,00432C20,00000000,00000104,00000208,00432C20,00000000), ref: 0040B1F2
          • lstrlenA.KERNEL32(00000000), ref: 0040B1FC
          • lstrlenA.KERNEL32(00000001), ref: 0040B211
          • lstrlenA.KERNEL32(00000000), ref: 0040B218
          • lstrlenA.KERNEL32(?), ref: 0040B21F
          • lstrcatA.KERNEL32(00000000,0042E804), ref: 0040B24C
          • lstrcatA.KERNEL32(00000000,00000001), ref: 0040B252
          • lstrcatA.KERNEL32(00000000,?), ref: 0040B25D
          • lstrcatA.KERNEL32(00000000,00000000), ref: 0040B267
          • lstrcatA.KERNEL32(00000000,00000000), ref: 0040B272
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcatlstrlen$H_prolog
          • String ID:
          • API String ID: 1205604976-0
          • Opcode ID: 422cec889ea04d81e8c79752d8f2e3c709adf93aec102271894a71bb6d879bbd
          • Instruction ID: 4cfbd197b9b8a9fd7deaf4029618e7a52ae501c497426bf26dbdbe91b26c7925
          • Opcode Fuzzy Hash: 422cec889ea04d81e8c79752d8f2e3c709adf93aec102271894a71bb6d879bbd
          • Instruction Fuzzy Hash: 47217472A0021DABCF119F61CC85AEF7FA9EF44750F04807FBA04A6250D779D9919F98
          APIs
          • __EH_prolog.LIBCMT ref: 00409687
          • lstrcpyA.KERNEL32(?,00000000,00000452,?,?,00000000,00401380,?,?,00000000,004089A0,00408C05,?,?,?,?), ref: 004096F4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologlstrcpy
          • String ID: $%s%s%s%s%s%s%s%s%s%s$C:\Users\user\AppData\Local\Temp\_is8C78$d
          • API String ID: 3221978047-4150642985
          • Opcode ID: 2bcde9a837c169c52bf5bc647bd33385d063493adb10248bb60f6350092cbde4
          • Instruction ID: 765ad2ff039bc997e044bc35db7f11528cf1b3ebf57423d2cdcd63ee0394058d
          • Opcode Fuzzy Hash: 2bcde9a837c169c52bf5bc647bd33385d063493adb10248bb60f6350092cbde4
          • Instruction Fuzzy Hash: 0EA1D372A0065CBEDF10DAA5CC41ADEBB79AB48344F0001F6A609B7181DA365F84CFA5
          APIs
          • __EH_prolog.LIBCMT ref: 0040EC3B
          • wsprintfA.USER32 ref: 0040ED07
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrlenW.KERNEL32(00429620,?,?,00000001), ref: 0040ED88
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00429620,000000FF,?,00000002,00000000,00000000), ref: 0040EDAD
          • __vprintf_l.LIBCMT ref: 0040EE94
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$ByteCharMultiWide__vprintf_llstrlenwsprintf
          • String ID: 1033$UseDotNetUI$y
          • API String ID: 1011140585-1376376707
          • Opcode ID: e406aa56991028485cd2c923ebfd46a64600f60ee1f92478d8e10e17f9f56580
          • Instruction ID: 8aa05dd520b733b0993c476f7ed2ffded14976560d54496aa60b9908abd2432e
          • Opcode Fuzzy Hash: e406aa56991028485cd2c923ebfd46a64600f60ee1f92478d8e10e17f9f56580
          • Instruction Fuzzy Hash: 1091AC71900249AEDF15DFA6C891ADEBBB4AF04314F1044BEE815B72D1DB385A48CB68
          APIs
          • __EH_prolog.LIBCMT ref: 0040DE96
          • SendMessageA.USER32(0001040E,00000401,00000000,00000001), ref: 0040DEDE
          • wsprintfA.USER32 ref: 0040DFA6
            • Part of subcall function 00415862: wsprintfA.USER32 ref: 00415898
            • Part of subcall function 00415862: wvsprintfA.USER32(?,?,?), ref: 004158B3
          Strings
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 0040DF3D
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: wsprintf$H_prologMessageSendwvsprintf
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 4186911900-1593701051
          • Opcode ID: 9b5abba11d01cbb19edf5255fa45a9d11d002780355178b2e3514164faf800a0
          • Instruction ID: f96037c118a47b0fd4b793608d2fa5e1c44b0dcdae588da617309c2a23ea55bb
          • Opcode Fuzzy Hash: 9b5abba11d01cbb19edf5255fa45a9d11d002780355178b2e3514164faf800a0
          • Instruction Fuzzy Hash: C571A072A00259AFDF10DFA5CC41AEEBB79BF48304F0004BAE605B6191DB799E948F59
          APIs
          • __EH_prolog.LIBCMT ref: 00416F92
            • Part of subcall function 004052E1: __EH_prolog.LIBCMT ref: 004052E6
          • lstrcpyA.KERNEL32(?,?,?,?,000000AC,74DE83C0,00000000), ref: 00416FFE
            • Part of subcall function 00405355: __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00405355: lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104,?,00000000,?), ref: 004171A7
          • RegCloseKey.ADVAPI32(?,80000002,System\CurrentControlSet\Control\Windows,00020019,?,00000000,?,00000104,?,00000000,?,00000104,?,00000000,?,00000104), ref: 004171BD
          • RegCloseKey.ADVAPI32(?), ref: 004171FF
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$Close$QueryValuelstrcmplstrcpy
          • String ID: 1.20.1827.0$CSDVersion$System\CurrentControlSet\Control\Windows
          • API String ID: 3610603056-2233653695
          • Opcode ID: f95728b6150507e6607ead287aa51be84b00bb7016708e20fb45b5b4b93712f3
          • Instruction ID: dbfd22e782bcf229bb055e24a7d671edfc32c353e6c714354d5e757a8918bf9b
          • Opcode Fuzzy Hash: f95728b6150507e6607ead287aa51be84b00bb7016708e20fb45b5b4b93712f3
          • Instruction Fuzzy Hash: 7E714B7190010ABFDF11DF94C881DEEBBB8EB04355F50857AF519A7290D734AE89CB68
          APIs
          • __EH_prolog.LIBCMT ref: 0040D9F0
            • Part of subcall function 00405355: __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00405355: lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          • CoInitialize.OLE32(00000000), ref: 0040DA93
          • lstrlenW.KERNEL32(?,00432C20,?,00000014), ref: 0040DB4A
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000002,00000000,00000000), ref: 0040DB6F
          • SysFreeString.OLEAUT32(?), ref: 0040DB89
          • SysFreeString.OLEAUT32(?), ref: 0040DBA9
          • CoUninitialize.OLE32 ref: 0040DBD0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: FreeH_prologString$ByteCharInitializeMultiUninitializeWidelstrcmplstrlen
          • String ID: ScriptDriven
          • API String ID: 4103467500-4228136283
          • Opcode ID: af81b75f561484062ae436faee88eb550dda7206c222bb1b17f4c95e1b0a3b40
          • Instruction ID: 08d4fe4b66771de0f20f84c8cab7cc73e70deb8f03f81988fbf72c46fd302d4e
          • Opcode Fuzzy Hash: af81b75f561484062ae436faee88eb550dda7206c222bb1b17f4c95e1b0a3b40
          • Instruction Fuzzy Hash: EB51A071B00209AFDB10DFE5CC85AAEBB79EB44344F14447AF505E7290C6789E4ACB69
          APIs
          • __EH_prolog.LIBCMT ref: 004126E1
            • Part of subcall function 00412A5C: __EH_prolog.LIBCMT ref: 00412A61
            • Part of subcall function 00412A5C: GetLastError.KERNEL32(00000001,?,?,?,00412705,?,00000001,?,?,?), ref: 00412A8E
            • Part of subcall function 00412A5C: SetLastError.KERNEL32(00000000,?,?,?,00412705,?,00000001,?,?,?), ref: 00412AC8
            • Part of subcall function 00412A5C: SysStringLen.OLEAUT32(00000000), ref: 00412AD6
            • Part of subcall function 00412A5C: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00412AE3
            • Part of subcall function 00412A5C: SetLastError.KERNEL32(00000000,?,?,?,00412705,?,00000001,?,?,?), ref: 00412AF5
          • wsprintfA.USER32 ref: 00412762
          • SysStringLen.OLEAUT32(?), ref: 0041277D
            • Part of subcall function 00412846: SysAllocStringLen.OLEAUT32(00000000,?), ref: 0041286D
          • wsprintfA.USER32 ref: 004127B7
          • SysStringLen.OLEAUT32(?), ref: 004127D2
          • wsprintfA.USER32 ref: 004127EF
          • SysStringLen.OLEAUT32(?), ref: 00412807
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: String$ErrorLastwsprintf$AllocH_prolog
          • String ID: %d
          • API String ID: 3988536702-4214805362
          • Opcode ID: e67a8d28737d7c556676248c7221c4becf8120b460caa20a2904a11b45cbf3d4
          • Instruction ID: 4b490e439a15d988889f77628b85d7f2a31e3d3542f17942ee919bd1909226f5
          • Opcode Fuzzy Hash: e67a8d28737d7c556676248c7221c4becf8120b460caa20a2904a11b45cbf3d4
          • Instruction Fuzzy Hash: FB416F75A1012DABCF10EF95DD90EEEB3B9FF44314F04452AB514E7240DBB8AA54CBA8
          APIs
          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00424183
          • GetStdHandle.KERNEL32(000000F4,0042A3C0,00000000,00000000,00000000,?), ref: 00424259
          • WriteFile.KERNEL32(00000000), ref: 00424260
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$HandleModuleNameWrite
          • String ID: 'C$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
          • API String ID: 3784150691-4031347708
          • Opcode ID: cc52d4fc726448723df9c80c32b762a4c5d3960bcff3f5047844593527e34c95
          • Instruction ID: 5503d9b1cd3b37a96b0da683a6bde935e76104b3f8d1f8b50d40ab82fb4e7032
          • Opcode Fuzzy Hash: cc52d4fc726448723df9c80c32b762a4c5d3960bcff3f5047844593527e34c95
          • Instruction Fuzzy Hash: CC31CC7270022CAFDF24E761ED45FEA736CEF99304F90046BF544D6140DB78D9918A69
          APIs
          • RegQueryValueExA.ADVAPI32(?,80000002,00000000,00000000,00000000,?,6CCE7B60,80000002), ref: 0040D597
          • lstrcpyA.KERNEL32(?,00000000), ref: 0040D5C2
          • lstrcatA.KERNEL32(00000022," /%), ref: 0040D5DA
          • lstrcatA.KERNEL32(00000022,00000000), ref: 0040D5F8
          • lstrlenA.KERNEL32(00000022), ref: 0040D601
          • RegSetValueExA.ADVAPI32(?,80000002,00000000,00000001,00000022,00000001), ref: 0040D619
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Valuelstrcat$Querylstrcpylstrlen
          • String ID: "$" /%
          • API String ID: 3753562477-2760458533
          • Opcode ID: 1422eebdd1a26c95999e67f928f4e7f2ebd9300f67856bed3a99c5c3bc1b1b5b
          • Instruction ID: 592f7511618e3fce6b9de72056911a260579d0af8388eda874582a98c1f1120f
          • Opcode Fuzzy Hash: 1422eebdd1a26c95999e67f928f4e7f2ebd9300f67856bed3a99c5c3bc1b1b5b
          • Instruction Fuzzy Hash: 89216572A4021CBBDF21DBA0DC49FEA777CEB14304F1044B6A605E3190DAB49F858BA8
          APIs
          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0042423A,?,Microsoft Visual C++ Runtime Library,00012010,?,0042A3C0,?,0042A410,?,?,?,Runtime Error!Program: ), ref: 00425ECA
          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00425EE2
          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00425EF3
          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00425F00
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: AddressProc$LibraryLoad
          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
          • API String ID: 2238633743-4044615076
          • Opcode ID: 64b782b709f8b1189725224bd8e9f43dcb58b84eb437916eff0bc786e1f7967f
          • Instruction ID: fbb06cc913ed0f9afd715bf1cad2e72f5887bdc93a6a0ba26ea4fa7f764df3f5
          • Opcode Fuzzy Hash: 64b782b709f8b1189725224bd8e9f43dcb58b84eb437916eff0bc786e1f7967f
          • Instruction Fuzzy Hash: 8C018872704B236F87109FB5BD85D1B7AD89B48790356143BB914C2221EEF8CD119B6D
          APIs
          • LoadLibraryA.KERNEL32(COMCTL32,00000000,?,?,?,00414C54,?,?,00000000), ref: 00415D64
          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00415D76
          • #17.COMCTL32(?,?,?,00414C54,?,?,00000000), ref: 00415D96
          • FreeLibrary.KERNEL32(00000000,?,?,?,00414C54,?,?,00000000), ref: 00415D9D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Library$AddressFreeLoadProc
          • String ID: $COMCTL32$InitCommonControlsEx$TLA
          • API String ID: 145871493-3090278726
          • Opcode ID: 8234b9478dd662700ea343b0c6f558f4f50a57445233c352fd7c190f7c73b9fd
          • Instruction ID: 967f0887315711f9ed20ab7b9fe1ef51eab65fe5c9f9c6b72119c118eb8d4a5c
          • Opcode Fuzzy Hash: 8234b9478dd662700ea343b0c6f558f4f50a57445233c352fd7c190f7c73b9fd
          • Instruction Fuzzy Hash: 81E06D70A01A29FBC7205F90FC0DBDF3A78AF44751F908125E806A2241EFB89B45C6BD
          APIs
          • CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000020,00000000,00000000,?,?,?,?,?,?,00000000,75C0FB50), ref: 00416B88
          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00416BAA
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00416BC0
          • TranslateMessage.USER32(?), ref: 00416BE4
          • DispatchMessageA.USER32(?), ref: 00416BEE
          • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,00000000,75C0FB50), ref: 00416BF8
          • GetExitCodeProcess.KERNEL32(?,CCCCCCCC), ref: 00416C0B
          • CloseHandle.KERNEL32(0040B98A,?,?,?,?,00000000,75C0FB50), ref: 00416C22
          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,75C0FB50), ref: 00416C27
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message$CloseHandleProcessWait$CodeCreateDispatchExitMultipleObjectObjectsPeekSingleTranslate
          • String ID:
          • API String ID: 2433874925-0
          • Opcode ID: 3c79c2b114588e3982f59f58b2cffdfe29eec405878c1dcb702de905ef4f6607
          • Instruction ID: 21cc1160a5fe34a69945e765aa84700279b043b11b0002eb50da29b33f89ab42
          • Opcode Fuzzy Hash: 3c79c2b114588e3982f59f58b2cffdfe29eec405878c1dcb702de905ef4f6607
          • Instruction Fuzzy Hash: 71313C75A01229BBCB20DBA6DD48DEFBF7CEF49750F50402AF904E2151D7349A41CBA9
          APIs
          • SelectPalette.GDI32(?,?,00000000), ref: 00414778
          • RealizePalette.GDI32(?), ref: 0041477E
          • CreateCompatibleDC.GDI32(?), ref: 00414785
          • GetObjectA.GDI32(?,00000018,?), ref: 00414797
          • SelectObject.GDI32(?,?), ref: 004147A3
          • BitBlt.GDI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00CC0020), ref: 004147BC
          • DeleteDC.GDI32(?), ref: 004147C5
          • SelectPalette.GDI32(?,?,00000000), ref: 004147D5
          • DrawIcon.USER32(?,00000000,00000000,?), ref: 004147E1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: PaletteSelect$Object$CompatibleCreateDeleteDrawIconRealize
          • String ID:
          • API String ID: 2931627916-0
          • Opcode ID: 8abdbc6a8d483c76631edde6335f7210564c285485bace3f10825d72114d64b8
          • Instruction ID: 71c3f65bf91bf26cc8a0a4859b7ff90213879a2fcfa6dcd8d49d1e7078049b4d
          • Opcode Fuzzy Hash: 8abdbc6a8d483c76631edde6335f7210564c285485bace3f10825d72114d64b8
          • Instruction Fuzzy Hash: 5811E432501229FBCF219FA1AD48CDFBF39FF49751F500026BA1561161C7318A61DBA5
          APIs
            • Part of subcall function 00418A0D: lstrlenA.KERNEL32(?,?,00418866,network.proxy.type,004187F0,?,00000000,?,004187F0,?,?,?,?,?,00000000), ref: 00418A26
          • lstrcatA.KERNEL32(00000000,0042F8F0,0000003D,004187F0,00000001), ref: 00418925
          • lstrcatA.KERNEL32(?,0042F888,786F7250,004187F0,00000001), ref: 0041895E
          • lstrcatA.KERNEL32(?,0042E804,786F7250,004187F0,00000001), ref: 00418981
          • lstrcpynA.KERNEL32(00000000,004187F0,00000001,00000001,0000003D,004187F0,00000001), ref: 004189B6
          Strings
          • "network.proxy.autoconfig_url", xrefs: 00418A00
          • network.proxy.type, xrefs: 0041885C
          • "network.proxy.no_proxies_on", xrefs: 00418999
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcat$lstrcpynlstrlen
          • String ID: "network.proxy.autoconfig_url"$"network.proxy.no_proxies_on"$network.proxy.type
          • API String ID: 4136844717-1183868771
          • Opcode ID: 0424f2e73cb1532392c38e5f902eefd8673143463b9a62e1936f614eb4e14947
          • Instruction ID: b4ebe721522434742330a02c391038bf3ca620143619e52b205e8295f13acbbf
          • Opcode Fuzzy Hash: 0424f2e73cb1532392c38e5f902eefd8673143463b9a62e1936f614eb4e14947
          • Instruction Fuzzy Hash: B5513D72E0025CAFDF11DB90DC44ADEBBB9AF04348F9041BBE940A6251DB755B88CF98
          APIs
          • GetStringTypeW.KERNEL32(00000001,0042A0CC,00000001,?,74DEE860,00436350,?,?,0041E7F8,?,?,?,00000000,00000001), ref: 00424938
          • GetStringTypeA.KERNEL32(00000000,00000001,0042A0C8,00000001,?,?,0041E7F8,?,?,?,00000000,00000001), ref: 00424952
          • GetStringTypeA.KERNEL32(?,?,?,?,0041E7F8,74DEE860,00436350,?,?,0041E7F8,?,?,?,00000000,00000001), ref: 00424986
          • MultiByteToWideChar.KERNEL32(?,PcC,?,?,00000000,00000000,74DEE860,00436350,?,?,0041E7F8,?,?,?,00000000,00000001), ref: 004249BE
          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0041E7F8,?), ref: 00424A14
          • GetStringTypeW.KERNEL32(?,?,00000000,0041E7F8,?,?,?,?,?,?,0041E7F8,?), ref: 00424A26
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: StringType$ByteCharMultiWide
          • String ID: PcC
          • API String ID: 3852931651-855171052
          • Opcode ID: 94e5480758fc587f90881b29d42620bdb13088fa93ed807e72091ab4f8e22260
          • Instruction ID: 7cc367c8764b94aa89788c39fc2d89f81256ffdc69781a6ad5c1024ccc8bdb4a
          • Opcode Fuzzy Hash: 94e5480758fc587f90881b29d42620bdb13088fa93ed807e72091ab4f8e22260
          • Instruction Fuzzy Hash: 16416071740229EFCF209F94EC86AEF7F69EB48750F504526F91192250D3388D91DBA9
          APIs
            • Part of subcall function 00417AAD: RegQueryValueA.ADVAPI32(80000000,.htm,?,00000000), ref: 00417AD9
            • Part of subcall function 00417AAD: lstrcatA.KERNEL32(?,\shell\open\command,?,00000000), ref: 00417AF3
            • Part of subcall function 00417AAD: RegQueryValueA.ADVAPI32(80000000,?,?,00000000), ref: 00417B0F
            • Part of subcall function 00417AAD: lstrlenA.KERNEL32(?,?,00000000), ref: 00417B24
            • Part of subcall function 00417AAD: CharLowerBuffA.USER32(?,00000000,?,00000000), ref: 00417B32
            • Part of subcall function 00417AAD: lstrcpynA.KERNEL32(?,00000022,-0000000D,?,00000000), ref: 00417B72
          • RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000), ref: 00417948
          • RegQueryValueExA.ADVAPI32(00000000,ProxyEnable,00000000,00000000,00000006,?), ref: 00417972
          • RegQueryValueExA.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,?,00000004), ref: 00417997
          • RegCloseKey.ADVAPI32(00000000), ref: 004179BF
          Strings
          • ProxyEnable, xrefs: 00417963
          • AutoConfigURL, xrefs: 0041798F
          • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0041793E
          Similarity
          • API ID: QueryValue$BuffCharCloseLowerOpenlstrcatlstrcpynlstrlen
          • String ID: AutoConfigURL$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
          • API String ID: 194912974-3224623278
          • Opcode ID: 3c6243237510763ea917e9b0384479601b3cec62faa968edcaa34b19e0ec73e8
          • Instruction ID: 0bb7990d8cfbaa47b9e149906025c2fb8146114e5c0ffcadbab681980824b3ae
          • Opcode Fuzzy Hash: 3c6243237510763ea917e9b0384479601b3cec62faa968edcaa34b19e0ec73e8
          • Instruction Fuzzy Hash: FE315CB1904209FEEF119F91C8819EEBB79EF00394F50807BE504A2250DB388E95DBA9
          APIs
            • Part of subcall function 0040AE69: __EH_prolog.LIBCMT ref: 0040AE6E
            • Part of subcall function 0040ADD4: __EH_prolog.LIBCMT ref: 0040ADD9
            • Part of subcall function 0040A2CB: GetSystemDefaultLCID.KERNEL32(0040A4AD,00000000,00000000,?,?,?,?,?,0040A2C4,00000000,?,?,0040971E,00000000,00000BBA,00000064), ref: 0040A2CB
          • GlobalAlloc.KERNEL32(00000042,00000001,00000000,00000000,?,?,?,?,?,0040A2C4,00000000,?,?,0040971E,00000000,00000BBA), ref: 0040A4D3
          • GlobalLock.KERNEL32(00000000), ref: 0040A4DA
            • Part of subcall function 0040AEF2: __EH_prolog.LIBCMT ref: 0040AEF7
            • Part of subcall function 0040AEF2: wsprintfA.USER32 ref: 0040AF26
          • GlobalHandle.KERNEL32 ref: 0040A526
          • GlobalUnlock.KERNEL32(00000000), ref: 0040A529
          • GlobalHandle.KERNEL32 ref: 0040A535
          • GlobalFree.KERNEL32(00000000), ref: 0040A538
          Similarity
          • API ID: Global$H_prolog$Handle$AllocDefaultFreeLockSystemUnlockwsprintf
          • String ID: 8SC
          • API String ID: 1414631992-2876928903
          • Opcode ID: 0d04d81bd385a49e2cc6ebff7482197c8cc0a051d9fd90973645ba4a69fa56d1
          • Instruction ID: 57e415ee6fb77ed786f5dc5fd52e3f86b13cfa7ce85160baa5023063eb7ac7a5
          • Opcode Fuzzy Hash: 0d04d81bd385a49e2cc6ebff7482197c8cc0a051d9fd90973645ba4a69fa56d1
          • Instruction Fuzzy Hash: 57315C75600305BFDB20DF66EC0986F7BE8EB48394B20447AFD05E7290E778D9508B6A
          APIs
          • __EH_prolog.LIBCMT ref: 0040FFC9
          • GetLastError.KERNEL32(74DEDFA0,?,00000000,?,0040FA93,?,00000000,?,00000001,?,0040CF6A,%IS_T%,?,00000001,?,00000000), ref: 0040FFF2
          • SetLastError.KERNEL32(?,00000000,?,00000000,?,0040FA93,?,00000000,?,00000001,?,0040CF6A,%IS_T%,?,00000001), ref: 00410025
          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000,?,0040FA93,?,00000000,?,00000001,?,0040CF6A), ref: 00410045
          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00429620,00000000,?,00000000,?,0040FA93,?,00000000,?,00000001), ref: 0041006E
          • SetLastError.KERNEL32(?,?,00000000,?,0040FA93,?,00000000,?,00000001,?,0040CF6A,%IS_T%,?,00000001,?,00000000), ref: 0041007C
          Similarity
          • API ID: ErrorLast$ByteCharMultiWide$H_prolog
          • String ID: ,C
          • API String ID: 2853668335-300475510
          • Opcode ID: 660c5e291273fd42a73a4fef06bcdaa00c38a6313e6f9dc4693af9898e88e427
          • Instruction ID: 9707a4c1bf4e4692af30f710fd5893d20fbec763fcb5ed759ae4b72ce5393a39
          • Opcode Fuzzy Hash: 660c5e291273fd42a73a4fef06bcdaa00c38a6313e6f9dc4693af9898e88e427
          • Instruction Fuzzy Hash: DC2189B5600209EFCB218F59D88499AFBF9FF48304B40842EF54A97221C774ED91CBA8
          APIs
          • __EH_prolog.LIBCMT ref: 00406882
          • GetLastError.KERNEL32(?,4[@,00000000,?,00405E7E), ref: 004068AF
          • SetLastError.KERNEL32(?,?,4[@,00000000,?,00405E7E), ref: 004068E9
          • SysStringLen.OLEAUT32(00000000), ref: 004068F7
          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00406904
          • SetLastError.KERNEL32(00000000,?,4[@,00000000,?,00405E7E), ref: 00406916
          Similarity
          • API ID: ErrorLast$String$AllocH_prolog
          • String ID: 4[@
          • API String ID: 1014970518-4088418641
          • Opcode ID: df711cb4c03a9405729f6ee953fc8248fccfd583d06141abb770bf069ed49852
          • Instruction ID: 0963077177ea5533d0b5dbb609c40f003a7170e90fa576abeceb5bad16df91a9
          • Opcode Fuzzy Hash: df711cb4c03a9405729f6ee953fc8248fccfd583d06141abb770bf069ed49852
          • Instruction Fuzzy Hash: 05216475200600EFCB20EF58E944A8AFBF4FF44325F11C86AE49A8B661C3B8E945CF54
          APIs
          • IsWindow.USER32(?), ref: 004147F2
          • GetWindowLongA.USER32(?,00000000), ref: 00414803
          • DeleteObject.GDI32(00000000), ref: 0041482B
          • DestroyIcon.USER32(00000000,?,?,?,00414737,?), ref: 00414833
          • DeleteObject.GDI32(?), ref: 0041484C
          • SetWindowLongA.USER32(7GA,00000000,00000000), ref: 00414858
          Similarity
          • API ID: Window$DeleteLongObject$DestroyIcon
          • String ID: 7GA
          • API String ID: 2866036538-1619428035
          • Opcode ID: 8aa128e96fecd37dc6da78ccc6ee41d2d19064661ad8356582a0ab287d6a1798
          • Instruction ID: c4a5ee73b81c6188bdd0c159e5439908e16b63507d84eb89208a1707dc34d8fb
          • Opcode Fuzzy Hash: 8aa128e96fecd37dc6da78ccc6ee41d2d19064661ad8356582a0ab287d6a1798
          • Instruction Fuzzy Hash: 9D01FC3A200254DFD7306FA5ED488D77BA8FB84361B15893EF557D2110C735EC81CA29
          APIs
          • wsprintfA.USER32 ref: 00415A2E
          • CharNextA.USER32(?), ref: 00415A40
          • CharNextA.USER32(00000000), ref: 00415A43
            • Part of subcall function 00415E6E: lstrcpyA.KERNEL32(?,00000000,?,?,00000000), ref: 00415E94
            • Part of subcall function 00415E6E: CharNextA.USER32(00000000,?,00000000), ref: 00415EAD
            • Part of subcall function 00415E6E: lstrcpyA.KERNEL32(?,?,?,00000000), ref: 00415ECA
            • Part of subcall function 00415E6E: lstrcpyA.KERNEL32(?,00000000,?,00000000), ref: 00415ED0
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
          • lstrcatA.KERNEL32(?,.ini,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415A73
          Similarity
          • API ID: CharNextlstrcpy$lstrcat$lstrcpynlstrlenwsprintf
          • String ID: %#04x$.ini$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI
          • API String ID: 272086339-2517337109
          • Opcode ID: 84f565fa47abd37ddb5d81e4cb3a6b47fca7847bcad84b72c000192f9a818267
          • Instruction ID: a546bf4acd87ab04b9627c78d1051b569aedb763bbb9034c9e8fa6c669010ff5
          • Opcode Fuzzy Hash: 84f565fa47abd37ddb5d81e4cb3a6b47fca7847bcad84b72c000192f9a818267
          • Instruction Fuzzy Hash: 57F03A7050011CBFCF116F21EC05DDA3F29EF08398F508021FE0865062C7359A56DA98
          APIs
          • LCMapStringW.KERNEL32(00000000,00000100,0042A0CC,00000001,00000000,00000000,74DEE860,00436350,00000000,?,00000000,000000FF), ref: 004204C9
          • LCMapStringA.KERNEL32(00000000,00000100,0042A0C8,00000001,00000000,00000000), ref: 004204E5
          • LCMapStringW.KERNEL32(?,?,00000000,000000FF,00000000,?,74DEE860,00436350,00000000,?,00000000,000000FF), ref: 0042052E
          • WideCharToMultiByte.KERNEL32(00000000,00000220,00000000,000000FF,00000000,00000000,00000000,00000000,74DEE860,00436350,00000000,?,00000000,000000FF), ref: 00420561
          • WideCharToMultiByte.KERNEL32(?,00000220,00000000,00000000,?,?,00000000,00000000), ref: 004205B8
          • LCMapStringA.KERNEL32(?,?,?,?,00000000,00000000), ref: 004205D4
          • LCMapStringA.KERNEL32(?,?,?,?,?,00000000), ref: 0042062A
          Similarity
          • API ID: String$ByteCharMultiWide
          • String ID:
          • API String ID: 352835431-0
          • Opcode ID: b7f41bda90d4cb11f920c8335f1a5c7c3407ccb51f3fd8e81b91fcecd4e4673c
          • Instruction ID: b0dff8342697799c89bbf36ca8d77958deba8fe534e16b48911fc3d13263194d
          • Opcode Fuzzy Hash: b7f41bda90d4cb11f920c8335f1a5c7c3407ccb51f3fd8e81b91fcecd4e4673c
          • Instruction Fuzzy Hash: F6518F71600229BFDF218F55EC49AEF7FB5EB48760F50401AF904A1271C3398861DFA9
          APIs
          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0041DBA2), ref: 00423E0A
          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0041DBA2), ref: 00423E1E
          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0041DBA2), ref: 00423E4A
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0041DBA2), ref: 00423E82
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0041DBA2), ref: 00423EA4
          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0041DBA2), ref: 00423EBD
          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0041DBA2), ref: 00423ED0
          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00423F0E
          Similarity
          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
          • String ID:
          • API String ID: 1823725401-0
          • Opcode ID: 146eb2b5dd8dce0f7b82e973477a3f676897e35f14906f17bf94854076cd573f
          • Instruction ID: 8891dae7175f7ab90eefd533ce8a8818f064253b11507722073f66473c403087
          • Opcode Fuzzy Hash: 146eb2b5dd8dce0f7b82e973477a3f676897e35f14906f17bf94854076cd573f
          • Instruction Fuzzy Hash: 69310672B082356E97307F757C8483BB6BCE645756796093BF541C3200D62D8E4A82BD
          APIs
          • __EH_prolog.LIBCMT ref: 0040EF43
            • Part of subcall function 0040FE20: __EH_prolog.LIBCMT ref: 0040FE25
            • Part of subcall function 0040FE20: GetLastError.KERNEL32(?,?,00000000,?,0040FB50,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FE4E
            • Part of subcall function 0040FE20: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040FB50,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FE7C
            • Part of subcall function 0040F145: __EH_prolog.LIBCMT ref: 0040F14A
            • Part of subcall function 0040F145: VariantChangeType.OLEAUT32(?,?,00000000,00000002), ref: 0040F18A
            • Part of subcall function 0040F145: VariantClear.OLEAUT32(?), ref: 0040F34E
            • Part of subcall function 004105B2: lstrlenW.KERNEL32(00429620,00429650,00429648,00000000,?,?,0040F524,?,00000001,?,00000000,?,00000000,00000000), ref: 0041060A
            • Part of subcall function 004105B2: WideCharToMultiByte.KERNEL32(00000000,00000000,00429620,000000FF,?,00000002,00000000,00000000,?,0040F524,?,00000001,?,00000000,?,00000000), ref: 00410632
          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,?,?,00000000,?,00000001,00000000), ref: 0040EFAD
          • RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,00000000,?,?), ref: 0040F01C
          • RegCloseKey.ADVAPI32(00000000,?,00000000,?), ref: 0040F12E
            • Part of subcall function 00408854: RegCloseKey.ADVAPI32(?,00000001,0040F461), ref: 00408860
            • Part of subcall function 0040FB20: __EH_prolog.LIBCMT ref: 0040FB25
            • Part of subcall function 0040FB20: SetLastError.KERNEL32(?,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FB8B
            • Part of subcall function 0040B584: __EH_prolog.LIBCMT ref: 0040B589
            • Part of subcall function 0040B584: GetLastError.KERNEL32(?,00000001,?,004143CF,00000000,00000000,?,?,00000001), ref: 0040B5AC
            • Part of subcall function 0040B584: SysFreeString.OLEAUT32(00000000), ref: 0040B5CA
            • Part of subcall function 0040B584: SetLastError.KERNEL32(?,00000001,?,004143CF,00000000,00000000,?,?,00000001), ref: 0040B5EA
          Similarity
          • API ID: ErrorH_prologLast$CloseVariant$ByteChangeCharClearFreeMultiOpenQueryStringTypeValueWidelstrlen
          • String ID: LWC$Version
          • API String ID: 960358220-2616443322
          • Opcode ID: a6efdae05a51159b1373534068c7cf736feef5e9cdd9bd2b30bafe07c4d1dcc6
          • Instruction ID: 8519b1c48b50585fcb07ac5b76b1b445895053c7d9877cda1f571a445f47a432
          • Opcode Fuzzy Hash: a6efdae05a51159b1373534068c7cf736feef5e9cdd9bd2b30bafe07c4d1dcc6
          • Instruction Fuzzy Hash: 9F519E71A00249EADF11DF95C855BDEBBB8AF14308F10407EE909B72C1DB786B49CB58
          APIs
          • GetLastError.KERNEL32(?), ref: 00406F2B
          • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00406F6F
          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00406F82
          • SetFileTime.KERNEL32(?,?,00000000,?), ref: 00406F97
          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00406FC9
          Similarity
          • API ID: FileTime$AttributesDateErrorLastLocal
          • String ID: qt@
          • API String ID: 1921563805-2549949975
          • Opcode ID: 30daaf0220c49dc47e82508d6e07a0c9100f2bc2909714bd60d769b6cdebc657
          • Instruction ID: 93e6d621b9d153b4e14a6b851aa34b767a76c1493916d727942ec9ddb463ef5b
          • Opcode Fuzzy Hash: 30daaf0220c49dc47e82508d6e07a0c9100f2bc2909714bd60d769b6cdebc657
          • Instruction Fuzzy Hash: 7131907250011EAFDB20DFA4EC85DEB736CEB04724F110676F61AE21D0D634ED558B69
          APIs
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • wsprintfA.USER32 ref: 0040B30A
          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040B353
          • SendMessageA.USER32(?,00000401,00000000,00000001), ref: 0040B36B
          • MessageBoxA.USER32(?,?,0000066E,00000024), ref: 0040B37D
          • GetDlgItem.USER32(?,000003EA), ref: 0040B393
          • SendMessageA.USER32(00000000,0000000F,00000000,00000000), ref: 0040B39E
          • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0040B3A6
          Similarity
          • API ID: Message$Send$wsprintf$ItemLoadStringlstrcat
          • String ID:
          • API String ID: 4105038997-0
          • Opcode ID: 098ac709005a5268656fc793b16eea7274cc2fad580c0f093238497fdd80a14b
          • Instruction ID: 83b6b36e16070f2fabe42393fc634729d1569dbfb566a1d5e15a83b62b622275
          • Opcode Fuzzy Hash: 098ac709005a5268656fc793b16eea7274cc2fad580c0f093238497fdd80a14b
          • Instruction Fuzzy Hash: 01313DB2A0021CBFDB10DB98DD85ADEBBBDEB4C304F1004B6E605E2191D675AF548F65
          APIs
          • __EH_prolog.LIBCMT ref: 0040B9A3
          • RegQueryValueExA.ADVAPI32(?,InstallerLocation,00000000,?,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,00000000,00000000,00000001), ref: 0040BA91
          • SetCurrentDirectoryA.KERNEL32(?), ref: 0040BA9E
          • RegCloseKey.ADVAPI32(?,80000002,Software\Microsoft\Windows\CurrentVersion\Installer,00020019,00000000,00000000,00000001), ref: 0040BAAC
          Strings
          • Software\Microsoft\Windows\CurrentVersion\Installer, xrefs: 0040BA42
          • InstallerLocation, xrefs: 0040BA86
          Similarity
          • API ID: CloseCurrentDirectoryH_prologQueryValue
          • String ID: InstallerLocation$Software\Microsoft\Windows\CurrentVersion\Installer
          • API String ID: 455272628-1529162458
          • Opcode ID: cf8a1cd37fb688db7829ba5bd78f4c7d0b342a1342adc1e33fc769af12acaa5d
          • Instruction ID: 4dab44aa1ab8e854d5048aef1807158d4d3d442c8d599f8728e951e36e6ffc29
          • Opcode Fuzzy Hash: cf8a1cd37fb688db7829ba5bd78f4c7d0b342a1342adc1e33fc769af12acaa5d
          • Instruction Fuzzy Hash: 52314CB1700219AFDB20CF59D885ADA7BA4FB08744F50447BFA15AA291D3788D848FA9
          APIs
          • wsprintfA.USER32 ref: 004057E0
          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,00000000,?,00000000), ref: 004057FF
          • wsprintfA.USER32 ref: 00405878
          Similarity
          • API ID: wsprintf$lstrlen
          • String ID: %s%s$ftp://$http://$https://
          • API String ID: 217384638-620530764
          • Opcode ID: 7a2ecbc87537d4fe0892e2392e18ee4423e3636af960f46960a8d7632f1eacec
          • Instruction ID: d730c7a7f6f834d43f9ddc061c4ef2ad1bebfdce85e9ef895f0c694c83afcdd5
          • Opcode Fuzzy Hash: 7a2ecbc87537d4fe0892e2392e18ee4423e3636af960f46960a8d7632f1eacec
          • Instruction Fuzzy Hash: 6E214376E04358BEEB01A7B9EC89B8B7F6C9B05714F1440A3E901BA1C3C57885108BAD
          APIs
          • InterlockedIncrement.KERNEL32(00436350), ref: 0041D749
          • InterlockedDecrement.KERNEL32(00436350), ref: 0041D760
          • MultiByteToWideChar.KERNEL32(00000009,?,000000FF,00000000,00000000,?,00000000,?,?,0040FB6D,00000000,?,00000000,00000001,?,0041439F), ref: 0041D786
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Interlocked$ByteCharDecrementIncrementMultiWide
          • String ID: PcC
          • API String ID: 817727928-855171052
          • Opcode ID: 97e7267bbe04a152ed7a7947297409fa2101dcb51803252ae5cd99cad83ca456
          • Instruction ID: 15e8d26df4460bb7a947bf23366f5f42ec24fa89ba206091578b138516f6d81c
          • Opcode Fuzzy Hash: 97e7267bbe04a152ed7a7947297409fa2101dcb51803252ae5cd99cad83ca456
          • Instruction Fuzzy Hash: DD2105B0904215FFCB219F25EC88BEABBA49F01765F24412FF824561D1C7388DC2D69E
          APIs
          • GetDlgItemTextA.USER32(?,000003E8,?,00000064), ref: 00412029
          • GetDlgItem.USER32(?,00000001), ref: 00412038
            • Part of subcall function 00411F9F: wsprintfA.USER32 ref: 00411FBD
            • Part of subcall function 00411F9F: lstrcmpA.KERNEL32(?,?), ref: 00411FCE
          • EnableWindow.USER32(00000000,?), ref: 00412058
          • EndDialog.USER32(?,00000002), ref: 00412065
          • EndDialog.USER32(?,00000002), ref: 0041207B
          • GetDlgItem.USER32(?,00000001), ref: 00412093
          • EnableWindow.USER32(00000000,00000000), ref: 004120A0
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Item$DialogEnableWindow$Textlstrcmpwsprintf
          • String ID:
          • API String ID: 2389365585-0
          • Opcode ID: 352e014dff354278bccd87dbd88ed11649f09d91154121569f9b0bc21ff6fa19
          • Instruction ID: 4e6dfad99e5a0046d46aab527c5d96c80073a97210971b735de9a0602a1434ec
          • Opcode Fuzzy Hash: 352e014dff354278bccd87dbd88ed11649f09d91154121569f9b0bc21ff6fa19
          • Instruction Fuzzy Hash: 7C213631A40209ABDB219F10DD49FEA3FA5EB0C750F404525BE05D92E0C7B5CDE1DA59
          APIs
          • __EH_prolog.LIBCMT ref: 0040AEF7
          • wsprintfA.USER32 ref: 0040AF26
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$wsprintf
          • String ID: %s%d$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$Languages$key
          • API String ID: 172397338-829844466
          • Opcode ID: d98423d4187bafa6334c0e2bb97f83cd68b130ce0103157c584730cfbf5bd7be
          • Instruction ID: 3693657a3adbd668d3369536131c8b3ad73f0ea1b0927648b34728aee32b563b
          • Opcode Fuzzy Hash: d98423d4187bafa6334c0e2bb97f83cd68b130ce0103157c584730cfbf5bd7be
          • Instruction Fuzzy Hash: D121DBB0A00228ABCB10EB84DC02FDDB778FF04714F50026AF411732D0DBB86A04CB99
          APIs
          • VerLanguageNameA.KERNEL32(00003CFF,?,00000103,?,?,00000000), ref: 00416A5B
          • VerLanguageNameA.KERNEL32(?,?,00000103,00003CFF,?,00000103,?,?,00000000), ref: 00416A85
          • lstrcmpiA.KERNEL32(?,?), ref: 00416A98
          • VerLanguageNameA.KERNEL32(?,?,00000103,?,00000000), ref: 00416AB5
          • lstrcpyA.KERNEL32(b2A,?,?,00000000), ref: 00416AC4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: LanguageName$lstrcmpilstrcpy
          • String ID: b2A
          • API String ID: 422536988-1488577323
          • Opcode ID: d2c1cf0c64e8f0e0c78ad8c28c95ab2b8e24eb4b85232b641f6c4dee446c28de
          • Instruction ID: 90cfb91436c2ad665397f96d819a7f8537889615d2e6cb1dac54245e8ead1099
          • Opcode Fuzzy Hash: d2c1cf0c64e8f0e0c78ad8c28c95ab2b8e24eb4b85232b641f6c4dee446c28de
          • Instruction Fuzzy Hash: 3F01A7B66001286FEB109A95DC84EFB33BCDF54305F0001B6FB85E2040D678DEC58A78
          APIs
          • wsprintfA.USER32 ref: 0040EBD1
          • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,00000001,00000000), ref: 0040EBFB
          • RegDeleteKeyA.ADVAPI32(80000002,?), ref: 0040EC16
          • RegCloseKey.ADVAPI32(00000000,?), ref: 0040EC28
          Strings
          • Software\Microsoft\Windows\CurrentVersion\Uninstall\%s, xrefs: 0040EBC7
          • {31EE4FE8-7F9C-11D5-ABB8-00B0D02332EB}, xrefs: 0040EBBC
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseCreateDeletewsprintf
          • String ID: Software\Microsoft\Windows\CurrentVersion\Uninstall\%s${31EE4FE8-7F9C-11D5-ABB8-00B0D02332EB}
          • API String ID: 3829835781-358326583
          • Opcode ID: 977ee03aed3726d569adf77e8abeb295af677f713cecc3803cc35db96134d1c0
          • Instruction ID: d829eb606f9c4afe6ef152874e62a93f5932f76c57e1fec49dc973f30e32c324
          • Opcode Fuzzy Hash: 977ee03aed3726d569adf77e8abeb295af677f713cecc3803cc35db96134d1c0
          • Instruction Fuzzy Hash: DD015AB6A0021CBFDB218F959CC4DEFBB7DEB44344F5084BAF541A2141D6355E4A8BA8
          APIs
          • lstrlenW.KERNEL32(00000000,74DEE010,?,00000000,?,?,00406774,?,00001000,0040602E), ref: 00405B6F
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000002,00000000,00000000,?,00406774,?,00001000,0040602E), ref: 00405B95
          • DeleteFileA.KERNEL32(?,?,00000002,00000000,00000000,?,00406774,?,00001000,0040602E), ref: 00405B9C
          • GetLastError.KERNEL32(?,?,00000002,00000000,00000000,?,00406774,?,00001000,0040602E), ref: 00405BAC
          • GetLastError.KERNEL32(?,?,00000002,00000000,00000000,?,00406774,?,00001000,0040602E), ref: 00405BAE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$ByteCharDeleteFileMultiWidelstrlen
          • String ID: d
          • API String ID: 1873936967-2564639436
          • Opcode ID: 2329e34188b10a7f0df60c4053398638494fd2f281fd41d4dcdf7ae4ad7a9b97
          • Instruction ID: 782ce44f525ff6a511a694d36f57e4e3ae041ced1ddabf9d8b6d405e1e3a2596
          • Opcode Fuzzy Hash: 2329e34188b10a7f0df60c4053398638494fd2f281fd41d4dcdf7ae4ad7a9b97
          • Instruction Fuzzy Hash: 8101A271600218BFDB209BA59C49FAFBBBCEF01368F114466F900E3151C778AE018AA9
          APIs
          • GetStringTypeW.KERNEL32(00000001,0042A0CC,00000001,?,74DEE860,00436350,00000000,?,00000000,000000FF), ref: 00425359
          • GetStringTypeA.KERNEL32(00000000,00000001,0042A0C8,00000001,?), ref: 00425373
          • GetStringTypeW.KERNEL32(00000100,?,00000000,000000FF,74DEE860,00436350,00000000,?,00000000,000000FF), ref: 0042539A
          • WideCharToMultiByte.KERNEL32(00000000,00000220,?,00000000,00000000,00000000,00000000,00000000,74DEE860,00436350,00000000,?,00000000,000000FF), ref: 004253CD
          • WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,00000000,00000000,00000000,00000000), ref: 00425436
          • GetStringTypeA.KERNEL32(?,00000100,?,?), ref: 004254A1
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: StringType$ByteCharMultiWide
          • String ID:
          • API String ID: 3852931651-0
          • Opcode ID: e44042a53342ba9509110d42bf8db9bf96e61f1a6451086fbadad39a8cd488c5
          • Instruction ID: c0334695f3ac930ead75c60c8e9eebeec7a338e09d04eff260a4c2d1814b05c9
          • Opcode Fuzzy Hash: e44042a53342ba9509110d42bf8db9bf96e61f1a6451086fbadad39a8cd488c5
          • Instruction Fuzzy Hash: 8351AE31A00A19EBCF21DF94EC4AADFBF74FF44751F50851AF814A2290D3348991CBA9
          APIs
          • EndDialog.USER32(?,00000001), ref: 00406C4F
          • GetDlgItem.USER32(?,00000001), ref: 00406CAF
          • GetDlgItem.USER32(?,00000066), ref: 00406CB6
          • ShowWindow.USER32(00000000,00000000), ref: 00406CCA
          • ShowWindow.USER32(00000000,00000000), ref: 00406CE6
            • Part of subcall function 00416579: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,004132E4), ref: 00416588
            • Part of subcall function 00416579: OpenProcessToken.ADVAPI32(00000000,00000028,2A,?,?,?,?,?,?,004132E4), ref: 00416595
            • Part of subcall function 00416579: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004165AC
            • Part of subcall function 00416579: AdjustTokenPrivileges.ADVAPI32(2A,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,004132E4), ref: 004165D7
            • Part of subcall function 00416579: ExitWindowsEx.USER32(00000002,0000FFFF), ref: 004165E5
          • DeleteObject.GDI32 ref: 00406D10
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ItemProcessShowTokenWindow$AdjustCurrentDeleteDialogExitLookupObjectOpenPrivilegePrivilegesValueWindows
          • String ID:
          • API String ID: 1933714880-0
          • Opcode ID: b59f20492b31c0284013eac41518ca7845b18eed77075f54d93668425f597cb1
          • Instruction ID: 1b424485e731602bbeb54044c9cd8bdea14e595e05759e1a6493e7183abc38d4
          • Opcode Fuzzy Hash: b59f20492b31c0284013eac41518ca7845b18eed77075f54d93668425f597cb1
          • Instruction Fuzzy Hash: 6B21F87160020477EA20AF659C45FAB3778DF44B19F11043BF706BA1D2C6BDD9919A6C
          APIs
          • GetWindowRect.USER32(0040A8AB,?), ref: 0040AABC
          • GetParent.USER32(0040A8AB), ref: 0040AAD1
          • GetSystemMetrics.USER32(00000000), ref: 0040AADC
          • GetSystemMetrics.USER32(00000001), ref: 0040AAED
          • GetClientRect.USER32(00000000,?), ref: 0040AAFA
          • MoveWindow.USER32(0040A8AB,?,?,?,?,00000000,?,?,0040A8AB,?), ref: 0040AB25
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: MetricsRectSystemWindow$ClientMoveParent
          • String ID:
          • API String ID: 3434607708-0
          • Opcode ID: baa2a1d77a97e8c67d5bb1fedb874ab4d56ce83ce52022d69ce89883840d9e2c
          • Instruction ID: aeea89237ab181e7c709e39c3c4f73aa89554f5bac4ed8bec309e9994ccbe8d7
          • Opcode Fuzzy Hash: baa2a1d77a97e8c67d5bb1fedb874ab4d56ce83ce52022d69ce89883840d9e2c
          • Instruction Fuzzy Hash: 40113C72A0011ABFDB10DFFCDE8DDAEBFB9EB84351F450664F905E2194D670AD018A64
          APIs
          • __EH_prolog.LIBCMT ref: 00412A61
          • GetLastError.KERNEL32(00000001,?,?,?,00412705,?,00000001,?,?,?), ref: 00412A8E
          • SetLastError.KERNEL32(00000000,?,?,?,00412705,?,00000001,?,?,?), ref: 00412AC8
          • SysStringLen.OLEAUT32(00000000), ref: 00412AD6
          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00412AE3
          • SetLastError.KERNEL32(00000000,?,?,?,00412705,?,00000001,?,?,?), ref: 00412AF5
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$String$AllocH_prolog
          • String ID:
          • API String ID: 1014970518-0
          • Opcode ID: 6f50b646eb4ee3abc7aa71f5d3334ecaaf3d994ff1083571124a52e746860d06
          • Instruction ID: c82083b957562879dbb2050b7beed402a9910b9dbeac15024b9b43c4c48ca1b7
          • Opcode Fuzzy Hash: 6f50b646eb4ee3abc7aa71f5d3334ecaaf3d994ff1083571124a52e746860d06
          • Instruction Fuzzy Hash: B0214271200601EFC7209F58E884B8ABBF4FF44329F01886AE4599B621C7B8E945CB94
          APIs
          • GetLastError.KERNEL32(00000000,?,?,?,0040570F,00000000,00000000), ref: 00405935
          • SysFreeString.OLEAUT32(?), ref: 00405943
          • SetLastError.KERNEL32(?,?,?,?,0040570F,00000000,00000000), ref: 00405956
          • GetLastError.KERNEL32(?,?,?,0040570F,00000000,00000000), ref: 0040596E
          • SysFreeString.OLEAUT32(?), ref: 0040598F
          • SetLastError.KERNEL32(?,?,?,?,0040570F,00000000,00000000), ref: 004059A3
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$FreeString
          • String ID:
          • API String ID: 2425351278-0
          • Opcode ID: f4a9da06e61e9a7978911e4a0281ed81ee454d2b9f4f6140a425e7d34da32dcb
          • Instruction ID: 56c5861ab678e8601610f70cb5b158f18b7ef22e21b976a498e0c5cfbb8ed054
          • Opcode Fuzzy Hash: f4a9da06e61e9a7978911e4a0281ed81ee454d2b9f4f6140a425e7d34da32dcb
          • Instruction Fuzzy Hash: 4C114C36300616DFC7209F68EC48C50BBF0FF05319B558569E85ACB260D731ED19CB54
          APIs
          • GetLastError.KERNEL32(?,00000200,?,?,004123C1,00000001,00000000), ref: 004059C7
          • SysFreeString.OLEAUT32(?), ref: 004059D5
          • SetLastError.KERNEL32(?,?,00000200,?,?,004123C1,00000001,00000000), ref: 004059E8
          • GetLastError.KERNEL32(?,00000200,?,?,004123C1,00000001,00000000), ref: 00405A00
          • SysFreeString.OLEAUT32(?), ref: 00405A21
          • SetLastError.KERNEL32(?,?,00000200,?,?,004123C1,00000001,00000000), ref: 00405A35
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$FreeString
          • String ID:
          • API String ID: 2425351278-0
          • Opcode ID: 1ca8cbcb048db6f4f64ee9f1b5aa92604fb7ef4bd676e787842e7da526733e48
          • Instruction ID: aaccc7bd5dc8e6d6778676204abfbd289f82e590b9f0b1fd60cd940a1d1e1148
          • Opcode Fuzzy Hash: 1ca8cbcb048db6f4f64ee9f1b5aa92604fb7ef4bd676e787842e7da526733e48
          • Instruction Fuzzy Hash: 58114836300616DFC7209F68EC48C90BBF0FF09319B558569E89ACB260DB32EC19CB94
          APIs
          • __EH_prolog.LIBCMT ref: 0040F64F
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog
          • String ID: 1033$J#Version$LWC$SOFTWARE\Microsoft\Visual JSharp Setup\Redist
          • API String ID: 3519838083-1988488857
          • Opcode ID: 77302e15c609dd5cf57b47313027b55223559ee1191baa5be9cb61914a9d44d0
          • Instruction ID: f80ece1e2bb6a0a58d697737259a0bf208ec7c5534e58f68ad5d5570f593eb66
          • Opcode Fuzzy Hash: 77302e15c609dd5cf57b47313027b55223559ee1191baa5be9cb61914a9d44d0
          • Instruction Fuzzy Hash: 6A71C471900159AEDF25EBE5CC91EEEBB78EF14304F50407EE505B3681DB385A48CB69
          APIs
          • WriteFile.KERNEL32(?,?,?,00000000,00000000, RB,00000000,00001000), ref: 00424428
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: FileWrite
          • String ID: RB
          • API String ID: 3934441357-3612573848
          • Opcode ID: 584f9136fa61a9189c2b37cc4789ace3cad439f1a3b2a00172fe0d6a052bcd34
          • Instruction ID: a175d66da91387187e21a20cc4462c06ecdc2d2fdb307d933fe4d7e38305c3b9
          • Opcode Fuzzy Hash: 584f9136fa61a9189c2b37cc4789ace3cad439f1a3b2a00172fe0d6a052bcd34
          • Instruction Fuzzy Hash: C151C030B00268EFDB11DF69D884B9E7BF4FF80354FA084AAE9158B251D734DA41CB69
          APIs
          • GetVersionExA.KERNEL32 ref: 00420779
          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004207AE
          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0042080E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: EnvironmentFileModuleNameVariableVersion
          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
          • API String ID: 1385375860-4131005785
          • Opcode ID: bfcf0b28020059c5f766c2251ef952fec9d99d29a28dda63c3f2a9649339246b
          • Instruction ID: df01fc609d0ae0ed22be8efc420ad8364d2d3b3e18dc02eb6d04c5003dc6687f
          • Opcode Fuzzy Hash: bfcf0b28020059c5f766c2251ef952fec9d99d29a28dda63c3f2a9649339246b
          • Instruction Fuzzy Hash: 4E310471B012686EEB35A6707C81BEB77E89B02704FA400DBD144D6243E6389E86CB5D
          APIs
          • __EH_prolog.LIBCMT ref: 0040B47C
            • Part of subcall function 0040FB20: __EH_prolog.LIBCMT ref: 0040FB25
            • Part of subcall function 0040FB20: SetLastError.KERNEL32(?,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FB8B
            • Part of subcall function 0040FBD6: __EH_prolog.LIBCMT ref: 0040FBDB
            • Part of subcall function 004105B2: lstrlenW.KERNEL32(00429620,00429650,00429648,00000000,?,?,0040F524,?,00000001,?,00000000,?,00000000,00000000), ref: 0041060A
            • Part of subcall function 004105B2: WideCharToMultiByte.KERNEL32(00000000,00000000,00429620,000000FF,?,00000002,00000000,00000000,?,0040F524,?,00000001,?,00000000,?,00000000), ref: 00410632
          • lstrcpyA.KERNEL32(?,00000000,0000002C,?,00000000,?,00000001,?,dotnetfx.exe,00000000), ref: 0040B4F8
          • lstrcatA.KERNEL32(?,langpack.exe), ref: 0040B50A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$ByteCharErrorLastMultiWidelstrcatlstrcpylstrlen
          • String ID: dotnetfx.exe$langpack.exe
          • API String ID: 3330973134-172045066
          • Opcode ID: 603895010f0c463e3700e5f11b4116aabbb99cbbfb6a97e03f4c58c4911d64ff
          • Instruction ID: ec1f3efcdb59aeaba6e9594e7a6005fc61a8fdc0bbae18537a8aeacfbc1b7a2b
          • Opcode Fuzzy Hash: 603895010f0c463e3700e5f11b4116aabbb99cbbfb6a97e03f4c58c4911d64ff
          • Instruction Fuzzy Hash: 00315971D00209EACB10EFE5CD959EEBBB4AF04304F1041BAE526B2281D7385B49CB68
          APIs
          • __EH_prolog.LIBCMT ref: 0040753C
          • GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 0040755B
          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000001), ref: 0040759D
          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000001), ref: 004075B9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ByteCharMultiWide$AddressH_prologProc
          • String ID: WinVerifyTrust
          • API String ID: 2363843230-2766335691
          • Opcode ID: b3b6bff49ab47257ccfa4c915d3575437a72f7a5452df6d0d277211c5e836fe7
          • Instruction ID: 140bf4a4483b7b4fb943c7f515088cb36b977dec73ab7ecf93c74ada66dc2e23
          • Opcode Fuzzy Hash: b3b6bff49ab47257ccfa4c915d3575437a72f7a5452df6d0d277211c5e836fe7
          • Instruction Fuzzy Hash: 83217F71E04208AACB109FA9DC45EDFBBBCEB84710F50452BF511F6291D67999408BA9
          APIs
          • GetFileVersionInfoSizeA.VERSION(?,?,00000000,00417EC0,?,?,00000000), ref: 0041999D
          • GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?,?,00000000,00417EC0,?,?,00000000), ref: 004199BD
          • VerQueryValueA.VERSION(?,0042EC0C,?,00000000,?,?,00000000,00000000,?,?,00000000,00417EC0,?,?,00000000), ref: 004199D6
          • VerQueryValueA.VERSION(?,\VarFileInfo\Translation,00417EC0,00000000,80000000,00000104,?,0042EC0C,?,00000000,?,?,00000000,00000000,?,?), ref: 00419A08
          Strings
          • \VarFileInfo\Translation, xrefs: 004199FE
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: FileInfoQueryValueVersion$Size
          • String ID: \VarFileInfo\Translation
          • API String ID: 2099394744-675650646
          • Opcode ID: ef3e2bf04d08e5bad501c4ba31788feebbcc5ecde097e15ed0917254f55cc686
          • Instruction ID: c8654e6dd0015b650882fa546259864a34b99b62182af4840b9c2747cdfd06ab
          • Opcode Fuzzy Hash: ef3e2bf04d08e5bad501c4ba31788feebbcc5ecde097e15ed0917254f55cc686
          • Instruction Fuzzy Hash: B4214CB2910108ABDF00DEA5C981CEB7BBDEF44344B5440ABE901DB246E635DE86DB64
          APIs
          • __EH_prolog.LIBCMT ref: 00410182
          • lstrlenA.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,0040FB83,00000000,00000000,?,00000001,?,00000000,00000001), ref: 004101D1
          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00000000,?,0040FB83,00000000,00000000,?,00000001,?,00000000), ref: 0041020C
          • SetLastError.KERNEL32(?,?,?,00000001,?,00000000,?,0040FB83,00000000,00000000,?,00000001,?,00000000,00000001), ref: 00410224
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ByteCharErrorH_prologLastMultiWidelstrlen
          • String ID: ,C
          • API String ID: 1667447809-300475510
          • Opcode ID: 816c8df249a6412b8af5082be2fd7c73eb461c4ac519a49cbf75111a3326bd71
          • Instruction ID: dbf301e402bfeb3da82d9293ac39d69e3cc01e9ea3ed32d8db6329afa75ee688
          • Opcode Fuzzy Hash: 816c8df249a6412b8af5082be2fd7c73eb461c4ac519a49cbf75111a3326bd71
          • Instruction Fuzzy Hash: E621BD71A00219EBCB209F5ADC449EFBBE9EF85354F10852BF80497250C7B88DC5CB98
          APIs
          • RegQueryValueExA.ADVAPI32(?,Install,00000000,00000000,?,00000000,?,00000000,00020019,00429650,00429648,00000000,?,?,0040F52E,?), ref: 0040F5FD
          • RegQueryValueExA.ADVAPI32(?,0042F190,00000000,00000000,00000001,00000004,?,?,0040F52E,?,00000000,?,00000001,?), ref: 0040F61C
          • RegCloseKey.ADVAPI32(?,?,?,0040F52E,?,00000000,?,00000001,?), ref: 0040F626
          • RegCloseKey.ADVAPI32(?,?,00000000,00020019,00429650,00429648,00000000,?,?,0040F52E,?,00000000,?,00000001,?,00000000), ref: 0040F638
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseQueryValue
          • String ID: Install
          • API String ID: 3356406503-3765929189
          • Opcode ID: 6ce530977cc732b00b85d432b5e4a15e87404219eaaca029db9096e3cfa129cc
          • Instruction ID: 11a5905277305d8b6cadc4873b63154a1ee95108dd8e9fe64d2cf6b2ddea5f15
          • Opcode Fuzzy Hash: 6ce530977cc732b00b85d432b5e4a15e87404219eaaca029db9096e3cfa129cc
          • Instruction Fuzzy Hash: DF2136B550025DFFDF20DF54DC809DB7BA8FB08394B40483AF905A7260D3719E2A8BA8
          APIs
          • __EH_prolog.LIBCMT ref: 00406691
            • Part of subcall function 0040692B: SysFreeString.OLEAUT32(00000000), ref: 00406940
            • Part of subcall function 0040692B: SysStringLen.OLEAUT32(00000000), ref: 00406949
            • Part of subcall function 0040692B: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00406953
            • Part of subcall function 00405A78: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,?,00000000,00000000,?,?,00000000,00405CEF,00000000,00000007,http://,00000000), ref: 00405ADB
          • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,4[@,00000000,?,00405E88), ref: 004066D2
          • CloseHandle.KERNEL32(00000000,?,4[@,00000000,?,00405E88), ref: 004066E6
          • Sleep.KERNEL32(000001F4,?,4[@,00000000,?,00405E88), ref: 00406701
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: String$AllocByteCharCloseCreateFileFreeH_prologHandleMultiSleepWide
          • String ID: 4[@
          • API String ID: 1308190005-4088418641
          • Opcode ID: 847315015748bb7217514cc1bfda5c49537f28e84007c5715b453823c96bd03b
          • Instruction ID: fbd0f91ad4bfc0b599bca0f2e59f1191b23916d4c6583df9954f402e199f4e20
          • Opcode Fuzzy Hash: 847315015748bb7217514cc1bfda5c49537f28e84007c5715b453823c96bd03b
          • Instruction Fuzzy Hash: A211B231700206EBDB309F64CC46B9EB7A0EB00339F104B2EF5A2A61D0C7789945CB18
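The String ID "4[@" in the entry above is not a string the sample uses. Joe Sandbox prints any stack slot whose bytes are printable as text, and the 32-bit little-endian value 0x00405B34 is the byte sequence 34 5B 40 00, i.e. "4[@" followed by its NUL terminator. 0x00405B34 lies in the executable region the Memory Dump Source lines place at 0x401000, so it is a code address (most likely a caller's return address left on the stack), not data. The same reading applies to the other very short String IDs in this listing. The following Python, added here and not part of the report or of plotdemo.exe, rebuilds the image layout from the dump file names and flags such pointer residue; the interpretation of the fifth dotted field of a dump name as the region's page protection, and the one-page size assumed for the last region, are assumptions made here, not facts stated on the page.

```python
import re
import struct

# Added example, not part of the Joe Sandbox report and not code from plotdemo.exe.
# Memory Dump Source lines copied verbatim from the report entry above.
DUMP_LINES = [
    "• Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
    "• Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp",
]

PAGE = 0x1000
# Dump name: pid.stage.id.BASE(16 hex).PROTECT(8 hex).<more fields>.sdmp
# Assumption made here: the 4th field is the region base (consistent with
# "Offset: 00400000") and the 5th field is the region's page protection.
DUMP_RE = re.compile(
    r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f.]*sdmp")
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_regions(lines):
    """Return [(start, end, protection)] sorted by address.

    Each region ends where the next one begins; the page gives no size for the
    last region, so it is assumed (here) to span a single page."""
    found = []
    for line in lines:
        m = DUMP_RE.search(line)
        if m:
            found.append((int(m.group(1), 16), int(m.group(2), 16)))
    found.sort()
    regions = []
    for i, (start, prot) in enumerate(found):
        end = found[i + 1][0] if i + 1 < len(found) else start + PAGE
        regions.append((start, end, PROTECT_NAMES.get(prot, f"0x{prot:X}")))
    return regions


def as_pointer(text):
    """Reinterpret a 1..4 byte 'string' as a little-endian dword.

    Missing high bytes are the NUL terminator that ended the printed string.
    Returns None for longer strings or characters that cannot be single bytes."""
    try:
        raw = text.encode("latin-1")
    except UnicodeEncodeError:
        return None
    if not 1 <= len(raw) <= 4:
        return None
    return struct.unpack("<I", raw.ljust(4, b"\0"))[0]


def locate(regions, value):
    """(region start, protection) of the region containing value, or None."""
    for start, end, prot in regions:
        if start <= value < end:
            return (start, prot)
    return None


def classify_string_ids(field, regions):
    """Split a Similarity 'String ID' field (items joined by '$') into genuine
    strings and pointer residue that lands inside one of the dumped regions.
    Values of one or two bytes cannot reach the image base, so a String ID such
    as "B" is left in the genuine list even though it may still be residue."""
    genuine, residue = [], {}
    for item in field.split("$"):
        ptr = as_pointer(item)
        hit = locate(regions, ptr) if ptr is not None else None
        if hit:
            residue[item] = (ptr, hit[1])
        else:
            genuine.append(item)
    return genuine, residue


if __name__ == "__main__":
    layout = parse_regions(DUMP_LINES)
    for start, end, prot in layout:
        print(f"{start:08X}-{end:08X} {prot}")
    print(classify_string_ids("4[@", layout))
```

Running the block prints the seven regions and then `([], {'4[@': (4217652, 'PAGE_EXECUTE_READ')})`, 4217652 being 0x00405B34. Use the same check on any Joe Sandbox String ID of three or four characters before treating it as an indicator.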
          APIs
          • __EH_prolog.LIBCMT ref: 0040B045
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
          • lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_is8C78,?,00000000), ref: 0040B079
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog$lstrcat$lstrcpynlstrlen
          • String ID: .ini$C:\Users\user\AppData\Local\Temp\_is8C78$Title
          • API String ID: 2806805196-2080538517
          • Opcode ID: f8c1d97f4acad0a3a90ce6e0531e3adb8932cf4a79277953e64b742281d0a553
          • Instruction ID: a8c768d9978abcd298b25148dd6cfd91b3de2ec58f8c0990674adde277e5ce29
          • Opcode Fuzzy Hash: f8c1d97f4acad0a3a90ce6e0531e3adb8932cf4a79277953e64b742281d0a553
          • Instruction Fuzzy Hash: 76117031E00219AACF10EFA9DD56ADEB774EF18754F50816AF421B21D1E7789A04CB58
          APIs
          • __EH_prolog.LIBCMT ref: 0040ADD9
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          Strings
          • C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI, xrefs: 0040ADEC
          • Languages, xrefs: 0040AE0C
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 0040ADE1
          • default, xrefs: 0040AE07
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78$C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$Languages$default
          • API String ID: 3519838083-2236530621
          • Opcode ID: bea6890a4ac5f4253564550829af6067d83c96dcb2d0b2c49274cb33e05fdb67
          • Instruction ID: 1a3fd3cecd26516d6c62652a1ff752881dd112ad27817bf46fc942d741314373
          • Opcode Fuzzy Hash: bea6890a4ac5f4253564550829af6067d83c96dcb2d0b2c49274cb33e05fdb67
          • Instruction Fuzzy Hash: 320188B1A40228EACB00EB95EC42FDDB738EF14718F50416BF811731D1EBBC5B098A89
          APIs
          • MessageBoxA.USER32(00000000,This Setup was created with a BETA VERSION of InstallShield Express,Beta,00000000), ref: 00408BFA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message
          • String ID: Beta$Evaluation$This Setup was created with a BETA VERSION of InstallShield Express$This Setup was created with an EVALUATION VERSION of InstallShield Express
          • API String ID: 2030045667-2679690426
          • Opcode ID: 69106bef02b9bd9d33dc518b0df19977a51a77cbd2f67b06474488ae89570472
          • Instruction ID: 04feb87d5c5b9c392fd474a5cab8a02e5f367dc3fef77aae7de7c34b47016dd8
          • Opcode Fuzzy Hash: 69106bef02b9bd9d33dc518b0df19977a51a77cbd2f67b06474488ae89570472
          • Instruction Fuzzy Hash: ADF0BE3234462066EA217632BD02F9766689F08314F50403FF981FA2D2EEA8AC8285DD
          APIs
          • GetStartupInfoA.KERNEL32(?), ref: 00423F7F
          • GetFileType.KERNEL32(?,?,00000000), ref: 0042402A
          • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0042408D
          • GetFileType.KERNEL32(00000000,?,00000000), ref: 0042409B
          • SetHandleCount.KERNEL32 ref: 004240D2
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: FileHandleType$CountInfoStartup
          • String ID:
          • API String ID: 1710529072-0
          • Opcode ID: d7af6475b0312ded80c26304920e186160933eda8d22c13bceca7a37bcf1a59e
          • Instruction ID: 69f4d2a40ff49ec7e32e0e3bc6ea2fdc8526e7ee3ba0c53b6be3b0887a571e75
          • Opcode Fuzzy Hash: d7af6475b0312ded80c26304920e186160933eda8d22c13bceca7a37bcf1a59e
          • Instruction Fuzzy Hash: 96513A31B002219FCB20CF28E98476677F0EB51728F65866ED6628B3E1D738DD86C759
          APIs
          • __EH_prolog.LIBCMT ref: 004051D4
            • Part of subcall function 004052E1: __EH_prolog.LIBCMT ref: 004052E6
          • lstrcpyA.KERNEL32(00000000,?,?,74DF0440,00000000,00432C20), ref: 00405247
          • lstrcpyA.KERNEL32(00000000,?), ref: 0040526D
          • lstrcpyA.KERNEL32(000000AC,00000000), ref: 0040528A
          • lstrlenA.KERNEL32(-000000AC,00432C20), ref: 004052C5
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpy$H_prolog$lstrlen
          • String ID:
          • API String ID: 1925044846-0
          • Opcode ID: c5daf197741864794d4244aad3308c4f7d6b65e7b2a198d061b970a8fefe3bb9
          • Instruction ID: 073f4cb206263ab8c48a6771a093e2d986ecd63bd5dc960c03f2c90d16b54183
          • Opcode Fuzzy Hash: c5daf197741864794d4244aad3308c4f7d6b65e7b2a198d061b970a8fefe3bb9
          • Instruction Fuzzy Hash: FD317272B00618ABDB01EBB4DC81AEFB779EF48304F1045BAE501F7291DB3899058E64
          APIs
          • __EH_prolog.LIBCMT ref: 0040FA03
          • GetLastError.KERNEL32(74DEDFF0,74DEE0B0,00000000,?,0040CF6A,%IS_T%,?,00000001,?,00000000,00000000,00000000), ref: 0040FA2C
          • SetLastError.KERNEL32(?,00000000,?,0040CF6A,%IS_T%,?,00000001,?,00000000,00000000,00000000), ref: 0040FA63
          • lstrlenA.KERNEL32(?,?,0040CF6A,%IS_T%,?,00000001,?,00000000,00000000,00000000), ref: 0040FA78
          • SetLastError.KERNEL32(?,?,0040CF6A,%IS_T%,?,00000001,?,00000000,00000000,00000000), ref: 0040FA9B
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$H_prologlstrlen
          • String ID:
          • API String ID: 3457754828-0
          • Opcode ID: 264718d8f1d315f6a2690ebfa3034c4acd074ea7517488a2153b85d3738ff0b0
          • Instruction ID: 8212438b25a6194e5aeb5ad38f748e6c6c7ce77149b533b22cc8a7de8f022d0a
          • Opcode Fuzzy Hash: 264718d8f1d315f6a2690ebfa3034c4acd074ea7517488a2153b85d3738ff0b0
          • Instruction Fuzzy Hash: AF213471600215EFCB21CF5AC88499AFBF4FF18304B54857EE58997660D774AA49CF88
          APIs
          • lstrlenA.KERNEL32(0404,0804,00435338,00000000,00000000,00000000,?,0040A5C6,00000000,?,0040A505,00000000,?,?,?,?,0040A2C4), ref: 0040A5FA
          • lstrcmpiA.KERNEL32(0404,0804,ALL), ref: 0040A60A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcmpilstrlen
          • String ID: 0404,0804$ALL$B
          • API String ID: 3649823140-4085699363
          • Opcode ID: fcccb5d48408472aa0dc647ca6626993fe6c6a8c92d5d64956d003a89004f3ef
          • Instruction ID: 0b0df9907c3b105901fafe0aabd3e90504c12df14ad3eba65117ebf77d2fc6eb
          • Opcode Fuzzy Hash: fcccb5d48408472aa0dc647ca6626993fe6c6a8c92d5d64956d003a89004f3ef
          • Instruction Fuzzy Hash: 0D01F772B0432576D610A273AC49EDB372CCE52324F5C083BF905A21C1EAADAE5181BF
          APIs
          • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00413109
          • lstrcpyA.KERNEL32(00000000,00000000,?,00000000), ref: 00413119
          • GetModuleFileNameA.KERNEL32(?,00000000,00000400,?,?,00000000), ref: 0041312F
          • lstrlenA.KERNEL32(00000000,?,00000000), ref: 0041313C
          • lstrcpyA.KERNEL32(00000000,00000000,?,00000000), ref: 00413154
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpylstrlen$FileModuleName
          • String ID:
          • API String ID: 271103609-0
          • Opcode ID: ef1d7453f10347459965ec6c3940e9f35442aaef06475e8bd580523594bb13b2
          • Instruction ID: a2eaa9f10ad0f09bf180e6fe5feda7d6a7a894dabf7e7a18a78b4f1dac7aab4c
          • Opcode Fuzzy Hash: ef1d7453f10347459965ec6c3940e9f35442aaef06475e8bd580523594bb13b2
          • Instruction Fuzzy Hash: E5019EB290012DBADF11AB64DC45FFA7B6CEB04348F4440B6A708E6151DB74AE468FA8
          APIs
          • GetFileSize.KERNEL32(?,00000000,00000000,00000000,?,?,0040144C,00000000,?,?,00415011,?,00000000,?,00000000,?), ref: 00401468
          • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000), ref: 0040147A
          • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,?,0040144C,00000000,?,?,00415011,?,00000000,?), ref: 0040148D
          • UnmapViewOfFile.KERNEL32(00000000,00000000,?,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000,?), ref: 004014AB
          • CloseHandle.KERNEL32(00000000,?,?,0040144C,00000000,?,?,00415011,?,00000000,?,00000000,?,?,00000000,00000000), ref: 004014B2
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: File$View$CloseCreateHandleMappingSizeUnmap
          • String ID:
          • API String ID: 1558290345-0
          • Opcode ID: 2daed4fdbff9a09fac96a5ed59be4ea7141f2ee0af7e672b8a29fc20f646da57
          • Instruction ID: 617d00b3500476377c41a776f0f4feb9411ea8238c85190e1dc453c06f00841d
          • Opcode Fuzzy Hash: 2daed4fdbff9a09fac96a5ed59be4ea7141f2ee0af7e672b8a29fc20f646da57
          • Instruction Fuzzy Hash: ECF04F72602124BBCB311BA69C8DC9F7E6CEF4ABA0F404471FA0996160D6758D01D6F4
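The argument lists in these entries are dumps of consecutive stack dwords at the call site, not just the API's parameters: for CreateFileA only the first seven slots are parameters, for Sleep only the first one, and the trailing values (return addresses such as 0040144C or 00405E88, and the 00020019 that appears in the tails of the registry entries) are residue from caller frames. Read that way, the entries above show CreateFileA(GENERIC_WRITE, FILE_SHARE_READ, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL) followed by CloseHandle and Sleep(500 ms), and CreateFileMappingA(PAGE_READWRITE) followed by MapViewOfFile(FILE_MAP_WRITE), which is a writable view. The Python below, added here and not part of the report or of plotdemo.exe, parses the report's entry format, keeps only the real parameters according to each API's documented parameter count, and decodes the numeric constants using their Windows SDK values; the parameter counts and the constant tables are mine, limited to the APIs shown on this page.

```python
import re

# Added example, not part of the Joe Sandbox report and not code from plotdemo.exe.
# Entries copied verbatim from the report above.
API_LINES = [
    "• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,4[@,00000000,?,00405E88), ref: 004066D2",
    "• Sleep.KERNEL32(000001F4,?,4[@,00000000,?,00405E88), ref: 00406701",
    "• CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000), ref: 0040147A",
    "• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,?,0040144C,00000000,?,?,00415011,?,00000000,?), ref: 0040148D",
    "• RegQueryValueExA.ADVAPI32(?,Install,00000000,00000000,?,00000000,?,00000000,00020019,00429650,00429648,00000000,?,?,0040F52E,?), ref: 0040F5FD",
]

# Name.MODULE(slot,slot,...), ref: ADDR  -- the slots are consecutive stack dwords.
ENTRY_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
HEX32_RE = re.compile(r"-?[0-9A-Fa-f]{8}")

# Windows SDK constants (winnt.h, winbase.h, winreg.h).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
         0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MAP_ACCESS = {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ",
              0x20: "FILE_MAP_EXECUTE"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x20000: "READ_CONTROL"}  # 0x20019 is KEY_READ

# API name -> (parameter count, {index: (name, constant table or None, is_bitmask)})
SIGNATURES = {
    "CreateFileA": (7, {0: ("lpFileName", None, False), 1: ("dwDesiredAccess", GENERIC, True),
                        2: ("dwShareMode", SHARE, True),
                        4: ("dwCreationDisposition", DISPOSITION, False),
                        5: ("dwFlagsAndAttributes", ATTRS, True)}),
    "Sleep": (1, {0: ("dwMilliseconds", None, False)}),
    "CreateFileMappingA": (6, {2: ("flProtect", PROTECT, False)}),
    "MapViewOfFile": (5, {1: ("dwDesiredAccess", MAP_ACCESS, True)}),
    "RegQueryValueExA": (6, {0: ("hKey", None, False), 1: ("lpValueName", None, False)}),
    "RegCloseKey": (1, {0: ("hKey", None, False)}),
}


def decode_flags(value, table, is_bitmask):
    """Map a numeric parameter to SDK names; bits missing from the table stay hex."""
    if not is_bitmask:
        return table.get(value, f"0x{value:X}")
    names = [name for bit, name in table.items() if (value & bit) == bit]
    leftover = value & ~sum(table) & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"


def parse_entry(line):
    """Parse one call entry into {api, module, ref, params, stack_residue};
    returns None for lines that are not call entries (e.g. __EH_prolog refs)."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    # The report does not quote strings, so a string containing a comma
    # ("0404,0804" in the lstrcmpiA entry) splits here; handle such lines by hand.
    slots = raw_args.split(",") if raw_args else []
    arity, params = SIGNATURES.get(name, (len(slots), {}))  # unknown API: keep all slots
    decoded = {}
    for i, slot in enumerate(slots[:arity]):
        pname, table, is_mask = params.get(i, (f"arg{i}", None, False))
        if not HEX32_RE.fullmatch(slot):
            decoded[pname] = slot  # "?" (unknown) or a string the sandbox resolved
            continue
        value = int(slot, 16) & 0xFFFFFFFF
        decoded[pname] = decode_flags(value, table, is_mask) if table else value
    return {"api": name, "module": module, "ref": int(ref, 16),
            "params": decoded, "stack_residue": slots[arity:]}


def describe(entry):
    """One-line rendering, e.g. Sleep(dwMilliseconds=500) @ 00406701."""
    args = ", ".join(f"{k}={v}" for k, v in entry["params"].items())
    return f"{entry['api']}({args}) @ {entry['ref']:08X}"


if __name__ == "__main__":
    for line in API_LINES:
        print(describe(parse_entry(line)))
```

The parameter-count table is the important part: without it the 0x20019 in the tail of the registry entries reads as an argument of RegCloseKey, which takes a single handle. With it, the value is set aside as residue, and decoding it separately shows it is KEY_READ (READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY), consistent with a read-only open by the caller rather than a property of the call it appears under.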
          APIs
          • CharNextA.USER32(?,000000FF,74DE83C0), ref: 00415FD0
          • lstrcpyA.KERNEL32(00000000,00000000), ref: 00415FE0
          • CharNextA.USER32(00000000), ref: 00415FF2
          • CharPrevA.USER32(00000000,00000000), ref: 00416001
          • lstrcpyA.KERNEL32(?,?), ref: 0041601A
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Char$Nextlstrcpy$Prev
          • String ID:
          • API String ID: 1912086007-0
          • Opcode ID: f65374f51f4c82febafe35108b92fcf947f2bbb206185357d46dbf6f532d1c2a
          • Instruction ID: 9b01b6cae44e77dbd13374231392b98d2af8839c86af1812c23b3ae8d77e3703
          • Opcode Fuzzy Hash: f65374f51f4c82febafe35108b92fcf947f2bbb206185357d46dbf6f532d1c2a
          • Instruction Fuzzy Hash: B60125B2D04159BADB22D764CC04BEA7FAC6B49344F0540F6D744A7151C7789D868FA8
          APIs
          • GetDC.USER32(004120B4), ref: 00412132
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041213F
          • MulDiv.KERNEL32(?,00000000), ref: 00412149
          • ReleaseDC.USER32(004120B4,00000000), ref: 00412157
          • CreateFontA.GDI32(00000000,00000000,00000000,00000000,?,00000000,004120D0,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00412175
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CapsCreateDeviceFontRelease
          • String ID:
          • API String ID: 2367478762-0
          • Opcode ID: 883bb3438b7a0f46ec6916da4861f5687dc557593d6648271c87fc4940ce5930
          • Instruction ID: f5f750c5a605ba202373e93dfab19da97f911a06754dd352eb731d29d53fe1eb
          • Opcode Fuzzy Hash: 883bb3438b7a0f46ec6916da4861f5687dc557593d6648271c87fc4940ce5930
          • Instruction Fuzzy Hash: D9F062B2200519BFEB221F61EC09CFB7F6DEB59662F404021FE05C5060C6368D62ABB5
          APIs
          • GetLastError.KERNEL32(00000103,7FFFFFFF,0041E79A,0041BB24,00000000,?,?,00000000,00000001), ref: 0041FB35
          • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0041FB43
          • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041FB8F
            • Part of subcall function 004244EC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 004245E2
          • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041FB67
          • GetCurrentThreadId.KERNEL32 ref: 0041FB78
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLastValue$AllocCurrentHeapThread
          • String ID:
          • API String ID: 2020098873-0
          • Opcode ID: 2bd62c6466ff5d23811399dfb039058906fed1324dddb2c859f48569690ac798
          • Instruction ID: 1cbfad1e7824cc152ae60ad50c759f1a64b9977ef4a081d17d8ccdb9abd60ee8
          • Opcode Fuzzy Hash: 2bd62c6466ff5d23811399dfb039058906fed1324dddb2c859f48569690ac798
          • Instruction Fuzzy Hash: 2DF0F6357052225BE7312B71EC1DAAA3A61EF447B1F40033AF541962D0CB289C83C79C
          APIs
          • CharNextA.USER32 ref: 00408EF1
          • CharNextA.USER32(00000000,00000000), ref: 00408F0B
          • CharNextA.USER32(00000000,00000000), ref: 00408F1B
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CharNext
          • String ID: /m1$/m2
          • API String ID: 3213498283-2289526375
          • Opcode ID: 34b0796e64c67e419bc7af67c2e19fafedfcdc4468e79f462b931f1f07f2b106
          • Instruction ID: 06c38e9f57e3f544e29168feee4eab1de45380038203b86a515f2571267f201b
          • Opcode Fuzzy Hash: 34b0796e64c67e419bc7af67c2e19fafedfcdc4468e79f462b931f1f07f2b106
          • Instruction Fuzzy Hash: 1EF0A771B54210B9D61457976C65FBA2B58E788750F20403BBE02B51C1C97C5C828D5D
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prolog
          • String ID: %*.*f$I64
          • API String ID: 3519838083-2444075078
          • Opcode ID: 68199843e4164ed365506dd4ea5377c29aac2616f00abd7f58ad6be8842db2b4
          • Instruction ID: 29320bf0d96a8156f22092a2c05c3accc2833c0fd8e32a6bc16c5fb00745ef0d
          • Opcode Fuzzy Hash: 68199843e4164ed365506dd4ea5377c29aac2616f00abd7f58ad6be8842db2b4
          • Instruction Fuzzy Hash: 6991C27690021A9BDB24DE68C8887FFB7A0EB04324F548027E95596245D7FC8EC18B5D
          APIs
          • __EH_prolog.LIBCMT ref: 00401D35
          • lstrcpynA.KERNEL32(?,?,?,00000001,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000001,?), ref: 00401F6E
            • Part of subcall function 004028EC: __EH_prolog.LIBCMT ref: 004028F1
          • lstrcpynA.KERNEL32(?,?,?,00000001,?,?,?,00000000,00000000,?,?,00000000), ref: 00401F8E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologlstrcpyn
          • String ID: ,C
          • API String ID: 588646068-300475510
          • Opcode ID: f9eaa20e9bd5b961e595f4b087e1dad9894ee337d30156a1bafd44d7d367a991
          • Instruction ID: a97006765bda54f81fbc6367ae65ee988dee8793773f70279d1c24a3d16522d6
          • Opcode Fuzzy Hash: f9eaa20e9bd5b961e595f4b087e1dad9894ee337d30156a1bafd44d7d367a991
          • Instruction Fuzzy Hash: 83818A7180425AEECF11EF94D8819EEBB78AF15304F44417FF841732A2D7389A46DBA9
          APIs
          • __EH_prolog.LIBCMT ref: 0040157E
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
            • Part of subcall function 00416211: GetFileAttributesA.KERNELBASE(?,00416290,00404BCA,00000000,00404BCA,?), ref: 00416215
          • lstrlenA.KERNEL32(?,?,?,?,00000400,?,?,?), ref: 004016DE
            • Part of subcall function 0041624B: SetErrorMode.KERNELBASE(00008001,?,?,00000400,0040172A,?,?,?,00000400,?,?,?), ref: 00416267
            • Part of subcall function 0041624B: RemoveDirectoryA.KERNELBASE(?), ref: 0041626D
            • Part of subcall function 0041624B: SetErrorMode.KERNELBASE(00000000), ref: 0041627C
          • lstrlenA.KERNEL32(?,?,?,?,00000400,?,?,?), ref: 00401748
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrlen$ErrorMode$AttributesDirectoryFileH_prologRemovelstrcatlstrcpyn
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 3513510907-1593701051
          • Opcode ID: b325ccf5ccc07163539c2f2e94a3da500d9a15a5511ac548e0d9033c30f09de9
          • Instruction ID: f80fa0ecb08f0b8575869afcc04643ed98268ea28c70073812d9c71cdb61fb4e
          • Opcode Fuzzy Hash: b325ccf5ccc07163539c2f2e94a3da500d9a15a5511ac548e0d9033c30f09de9
          • Instruction Fuzzy Hash: 10515F71900259ABCF21EBA5CC44EDFB7BCAF04344F4444ABB505B3191DB38AB85CB68
          APIs
            • Part of subcall function 004202D7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 00420314
            • Part of subcall function 004202D7: EnterCriticalSection.KERNEL32(?,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 0042032F
          • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,0041DBAC), ref: 00422BF9
            • Part of subcall function 00420338: LeaveCriticalSection.KERNEL32(?,0041D03B,00000009,0041D027,00000000,?,00000000,00000000,00000000), ref: 00420345
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CriticalSection$EnterInfoInitializeLeave
          • String ID: bC$ bC$%C
          • API String ID: 1866836854-2913701193
          • Opcode ID: 54dc7a33dbc7b73d347d31dfe4c867acb066a451dd907db6f282cdbcce294a84
          • Instruction ID: 180a7a20c60aeca666ff7b3179e9b934dc3e719c5dd36d82886c364df5c140c8
          • Opcode Fuzzy Hash: 54dc7a33dbc7b73d347d31dfe4c867acb066a451dd907db6f282cdbcce294a84
          • Instruction Fuzzy Hash: A7418931B042727EEB10DF35FA853AA7BD0AB09304FA5947BE5458B292C6FD48418B5C
          APIs
          • __EH_prolog.LIBCMT ref: 0040F41A
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,00000000), ref: 0040F44B
          • RegCloseKey.ADVAPI32(?), ref: 0040F58A
            • Part of subcall function 00408854: RegCloseKey.ADVAPI32(?,00000001,0040F461), ref: 00408860
            • Part of subcall function 0040FE20: __EH_prolog.LIBCMT ref: 0040FE25
            • Part of subcall function 0040FE20: GetLastError.KERNEL32(?,?,00000000,?,0040FB50,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FE4E
            • Part of subcall function 0040FE20: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040FB50,?,00000000,00000001,?,0041439F,?,?,00000001), ref: 0040FE7C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CloseErrorH_prologLast$Open
          • String ID: LWC
          • API String ID: 1699883992-2632873487
          • Opcode ID: 0bb493ae1f45d9c313db8940cc29ee7f3ba0e542b5b7b3b073a1206d99f55b47
          • Instruction ID: 9c7e8786838883bf945a1213fcfb748d131ff82d7c7d924e31ea85acc98f842d
          • Opcode Fuzzy Hash: 0bb493ae1f45d9c313db8940cc29ee7f3ba0e542b5b7b3b073a1206d99f55b47
          • Instruction Fuzzy Hash: F3412A71900219EECF14DF95CC919EEBBB8FF14308F40847EE819A7692D7389A49CB58
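          The function entries in this report share one line format: an API name and module, an optional argument list, and the call-site address after "ref:", with nested calls prefixed by "Part of subcall function <address>:". Two details an analyst triages first are buried in those argument lists: the predefined hive handle and access mask passed to RegOpenKeyExA (80000002 and 00020019 in the entry above), and export names passed to GetProcAddress after a LoadLibraryA of wininet.dll, which is how this sample reaches its network APIs without importing them statically. The parser below is an added example written for this page, not Joe Sandbox code; it runs over lines copied from entries in this report (the constructed SAMPLE), and assumes the report prints the string argument of GetProcAddress and LoadLibraryA where it recovered it, as these entries show.

```python
"""Parse the per-function 'APIs' entries of a Joe Sandbox report and pull out
the facts an analyst triages first: DLLs loaded at run time, exports resolved
through GetProcAddress, and registry hives opened (with the requested access)."""
import re
from collections import defaultdict

# Constructed sample input: API lines copied from function entries in this report.
SAMPLE = """\
• __EH_prolog.LIBCMT ref: 0040F41A
• RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,00000000), ref: 0040F44B
• RegCloseKey.ADVAPI32(?), ref: 0040F58A
  • Part of subcall function 00408854: RegCloseKey.ADVAPI32(?,00000001,0040F461), ref: 00408860
  • Part of subcall function 00417252: LoadLibraryA.KERNEL32(wininet.dll,00000000,0040629D,?,00000000,?,004064C5,?,00000000,00000000,00000006,ftp://,00000000), ref: 00417267
  • Part of subcall function 00417252: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 00417287
  • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetOpenUrlA), ref: 00417299
• GetCurrentThreadId.KERNEL32 ref: 0041FB78
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")      # report prints numeric args as 8 hex digits
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")     # shape of an export name

# Predefined registry handles as they appear in RegOpenKeyEx* arguments,
# and the access masks commonly seen there.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
ACCESS = {"00020019": "KEY_READ", "00020006": "KEY_WRITE", "000F003F": "KEY_ALL_ACCESS"}


def parse_api_lines(text):
    """Return one dict per parsable API line: api, module, args, ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers ('APIs', 'Strings') and anything else
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None for the function's own calls
        })
    return calls


def loaded_libraries(calls):
    """DLL names passed to LoadLibrary* (run-time loading of a module)."""
    libs = set()
    for c in calls:
        if c["api"].startswith("LoadLibrary"):
            libs.update(a for a in c["args"] if a.lower().endswith(".dll"))
    return sorted(libs)


def resolved_imports(calls):
    """Export names passed to GetProcAddress: the argument that is neither a
    hex value nor the '?' placeholder (assumption: the report lists the string
    argument wherever it could recover it, as the entries above do)."""
    names = set()
    for c in calls:
        if c["api"] == "GetProcAddress":
            names.update(a for a in c["args"]
                         if a != "?" and not HEX_RE.match(a) and IDENT_RE.match(a))
    return sorted(names)


def registry_opens(calls):
    """(hive, access, ref) for each RegOpenKeyEx* call; unknown values pass through raw."""
    out = []
    for c in calls:
        if c["api"].startswith("RegOpenKeyEx") and c["args"]:
            hive = HIVES.get(c["args"][0], c["args"][0])
            access = ACCESS.get(c["args"][3], c["args"][3]) if len(c["args"]) > 3 else "?"
            out.append((hive, access, c["ref"]))
    return out


def by_subcall(calls):
    """Group API names by the subcall function they were attributed to (None = direct)."""
    groups = defaultdict(list)
    for c in calls:
        groups[c["subcall"]].append(c["api"])
    return dict(groups)


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("loaded:  ", loaded_libraries(calls))
    print("resolved:", resolved_imports(calls))
    print("registry:", registry_opens(calls))
    for sub, apis in by_subcall(calls).items():
        print(sub or "direct", "->", apis)
```

          Running it over the full report rather than the sample gives the complete set of wininet exports resolved by subcall function 00417252, which is the list to compare against the network behaviour actually observed in the sandbox run; an export resolved but never called is still worth noting when the sample is an installer that may download content under other switches.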
          APIs
          • wsprintfA.USER32 ref: 0041265E
          • lstrcatA.KERNEL32(00000000,00000000), ref: 0041269A
          • wsprintfA.USER32 ref: 004126BC
            • Part of subcall function 004128BA: __EH_prolog.LIBCMT ref: 004128BF
            • Part of subcall function 004128BA: GetLastError.KERNEL32(?,00000000,?,0041231F,00000001,?,75BF8400,00000000), ref: 004128EB
            • Part of subcall function 004128BA: SetLastError.KERNEL32(?,?,00000000,?,0041231F,00000001,?,75BF8400,00000000), ref: 00412921
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLastwsprintf$H_prologlstrcat
          • String ID: %01d.%01d %s%s
          • API String ID: 3897922275-3724692234
          • Opcode ID: 661dbf64c6cb5dfcf21e3ebc2efb38ad87a12cae265aab756fd68c52a2732bef
          • Instruction ID: 7a3ee01698ca35436f59e33215b0580c7ea4419fc606db007b6a7a57f4749c76
          • Opcode Fuzzy Hash: 661dbf64c6cb5dfcf21e3ebc2efb38ad87a12cae265aab756fd68c52a2732bef
          • Instruction Fuzzy Hash: F031F6F7A00218ABDB14DA54CD81FDA73ACEB44304F0040A6F709E7182DA749E998B68
          APIs
          • SysStringLen.OLEAUT32(?), ref: 00405A92
          • SysStringLen.OLEAUT32(?), ref: 00405AC5
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,?,00000000,00000000,?,?,00000000,00405CEF,00000000,00000007,http://,00000000), ref: 00405ADB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: String$ByteCharMultiWide
          • String ID: ftp://
          • API String ID: 352835431-2553531909
          • Opcode ID: 7603f0735355579cde9a8c74c37f8128ba819af997205366fd725363993b3f4a
          • Instruction ID: a5117484e707fc5d9106cd172688f9c80e7920b9e5202afbf2487b4a54f9c363
          • Opcode Fuzzy Hash: 7603f0735355579cde9a8c74c37f8128ba819af997205366fd725363993b3f4a
          • Instruction Fuzzy Hash: CF016DB2204B06AFCB20DA65DCC0867B7EDEA453143508E3EE596E3650C734FC458E68
          APIs
          • __EH_prolog.LIBCMT ref: 00413E65
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • wsprintfA.USER32 ref: 00413ECE
            • Part of subcall function 00413CA1: SetWindowTextA.USER32(?,00000000), ref: 00413CAB
            • Part of subcall function 004160AF: lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
            • Part of subcall function 004160AF: lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
            • Part of subcall function 004160AF: lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
          Strings
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 00413EE9
          • %s: %s, xrefs: 00413EC8
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: wsprintf$H_prologLoadStringTextWindowlstrcatlstrcpynlstrlen
          • String ID: %s: %s$C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 530167989-57566482
          • Opcode ID: 2a423237e12cfd95ffb50aa8842282789c81c5f28c0b555c674826048c01919d
          • Instruction ID: dc78a4b81c178967ecb5d58d98b1cc3bda2c9efba7c3c8a3213c4cbb63597f64
          • Opcode Fuzzy Hash: 2a423237e12cfd95ffb50aa8842282789c81c5f28c0b555c674826048c01919d
          • Instruction Fuzzy Hash: C6119372A00208ABDF11EB64CC06BDEBB74BF44704F0045BAE615B60E1EB785B59CE44
          APIs
          • __EH_prolog.LIBCMT ref: 0040FF2D
          • GetLastError.KERNEL32(00429650,00429648,00000000,?,0040F4C8,0042F18C,?,00000000,00000000,?,00000000,00000000,00000001), ref: 0040FF56
          • SetLastError.KERNEL32(?,?,00000000,00000000,?,0040F4C8,0042F18C,?,00000000,00000000,?,00000000,00000000,00000001), ref: 0040FFAB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$H_prolog
          • String ID: LWC
          • API String ID: 2881783280-2632873487
          • Opcode ID: 79c4578060ae8ae16f9e2a6e51e61c963d1cf4cd1e3385691fa3a84afaa12411
          • Instruction ID: 7b2e1d93a1566df9dc2c9c7c399f0210194e508afb2a2694b6021ace1dfb00f5
          • Opcode Fuzzy Hash: 79c4578060ae8ae16f9e2a6e51e61c963d1cf4cd1e3385691fa3a84afaa12411
          • Instruction Fuzzy Hash: 48116AB5600745DFCB208F1AC88088AFBF5FF48304B40852EF49987721C778E954CB88
          APIs
          • FormatMessageA.KERNEL32(00001300,00000000,0040E8A9,00000000,0040E8A9,00000000,00000000,00000000), ref: 00415803
          • wsprintfA.USER32 ref: 00415838
            • Part of subcall function 00415718: __EH_prolog.LIBCMT ref: 0041571D
          • LocalFree.KERNEL32(0040E8A9), ref: 00415850
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: FormatFreeH_prologLocalMessagewsprintf
          • String ID: %s %s
          • API String ID: 1200432034-2939940506
          • Opcode ID: dac2b8fd5711129a7e9f1d28cd7d443c27c8497808f57ef9a0944fa155dd6d92
          • Instruction ID: d30a5296da6876d7413ced2aec99853b6b4d77a752e53a978d0093f5382bbe47
          • Opcode Fuzzy Hash: dac2b8fd5711129a7e9f1d28cd7d443c27c8497808f57ef9a0944fa155dd6d92
          • Instruction Fuzzy Hash: AE01F4B260010DBFEF21AF94DC85FEA7B6CFB48348F004476F705A50A1D6719E568A68
          APIs
          • InterlockedIncrement.KERNEL32(00436350), ref: 00420373
          • InterlockedDecrement.KERNEL32(00436350), ref: 00420388
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Interlocked$DecrementIncrement
          • String ID: PcC
          • API String ID: 2172605799-855171052
          • Opcode ID: 4df1ca80a28e9b73e18021a6098c34f14067454efb5a3fd7bab203d0c8a1d137
          • Instruction ID: c9007c5ea85def0eb76adeacd33d48045c0fdef5599f07f8c8dade3d9544a0b2
          • Opcode Fuzzy Hash: 4df1ca80a28e9b73e18021a6098c34f14067454efb5a3fd7bab203d0c8a1d137
          • Instruction Fuzzy Hash: 94F0C8323057269BD620EB55BCC5B8A63D5EB80319F94443FF90085152C7685C82895E
          APIs
          • InterlockedIncrement.KERNEL32(00436350), ref: 0041E7CD
          • InterlockedDecrement.KERNEL32(00436350), ref: 0041E7E2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Interlocked$DecrementIncrement
          • String ID: PcC
          • API String ID: 2172605799-855171052
          • Opcode ID: b10a404c20a6ae2a59afa34582d57021d053277c5da1f762af95a8e79e4a038e
          • Instruction ID: 5c8a568bbdf9585f682f665101255e62bf544e40ba8ffcd70690b2d547e81d86
          • Opcode Fuzzy Hash: b10a404c20a6ae2a59afa34582d57021d053277c5da1f762af95a8e79e4a038e
          • Instruction Fuzzy Hash: 84F0C236201216AFE720BF5BACC59CBA395EB81315F60883FF90096190CB699CC1896E
          APIs
          • InterlockedIncrement.KERNEL32(00436350), ref: 0041CCDB
          • InterlockedDecrement.KERNEL32(00436350), ref: 0041CCF0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Interlocked$DecrementIncrement
          • String ID: PcC
          • API String ID: 2172605799-855171052
          • Opcode ID: e9744cd134827af08fac2d69e7918d96d3e32c868d4feb65030c828583c84411
          • Instruction ID: d3f2b4973e2ccbce7e2b9fcb8e44f4bb2e61702657ea21c025552725184c43c5
          • Opcode Fuzzy Hash: e9744cd134827af08fac2d69e7918d96d3e32c868d4feb65030c828583c84411
          • Instruction Fuzzy Hash: 15F02832244217ABE7206B05FCC1BDBA795EB80711F94403FF500411909B6C5CC385AE
          APIs
          • __EH_prolog.LIBCMT ref: 00406260
          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,ftp://,?,00000000,?,004064C5,?,00000000,00000000,00000006,ftp://,00000000), ref: 00406280
          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,004064C5,?,00000000,00000000,00000006,ftp://,00000000), ref: 0040628C
            • Part of subcall function 00417252: LoadLibraryA.KERNEL32(wininet.dll,00000000,0040629D,?,00000000,?,004064C5,?,00000000,00000000,00000006,ftp://,00000000), ref: 00417267
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 00417287
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetOpenUrlA), ref: 00417299
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetConnectA), ref: 004172AB
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCrackUrlA), ref: 004172BD
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCreateUrlA), ref: 004172CF
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCloseHandle), ref: 004172E1
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetReadFile), ref: 004172F3
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00417305
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(FtpFindFirstFileA), ref: 00417317
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetGetLastResponseInfoA), ref: 00417329
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041733B
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetGetConnectedState), ref: 0041734D
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetAutodial), ref: 0041735F
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetErrorDlg), ref: 00417371
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpOpenRequestA), ref: 00417383
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpSendRequestA), ref: 00417395
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpSendRequestExA), ref: 004173A7
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(HttpEndRequestA), ref: 004173B9
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetQueryOptionA), ref: 004173CB
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetQueryDataAvailable), ref: 004173DD
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetCanonicalizeUrlA), ref: 004173EF
            • Part of subcall function 00417252: GetProcAddress.KERNEL32(InternetGetCookieA), ref: 00417401
          Strings
          Similarity
          • API ID: AddressProc$CreateEvent$H_prologLibraryLoad
          • String ID: ftp://
          • API String ID: 3294091413-2553531909
          • Opcode ID: 5eeffedbc4f3978d3202b28e21743f9a99114b0b2c8a469ae65440ca8da3743a
          • Instruction ID: 2d10fbbc6a76ca095f0d4616a175e8af238b980bec4b2cdd2375fb229c62d6d9
          • Opcode Fuzzy Hash: 5eeffedbc4f3978d3202b28e21743f9a99114b0b2c8a469ae65440ca8da3743a
          • Instruction Fuzzy Hash: 9501E8B1A00750AEC3309F5BD88499BFFF8FFD5B10B008A5FA49A83611C7B4A544CB64
          APIs
          • __EH_prolog.LIBCMT ref: 0040AE6E
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00405355: __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00405355: lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          Strings
          Similarity
          • API ID: H_prolog$lstrcmp
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI$Languages$count
          • API String ID: 4174983478-3088102838
          • Opcode ID: 128c2587499a59bc0eac9379a3dd193d8d819cedddd5f7a0e2d5fceb22d71745
          • Instruction ID: 0663194a4ece20595dc10f12361e9e578d499acfa2117d8ba3f6ecd21f1e2f81
          • Opcode Fuzzy Hash: 128c2587499a59bc0eac9379a3dd193d8d819cedddd5f7a0e2d5fceb22d71745
          • Instruction Fuzzy Hash: FC018472E41214AACB14EBA9E852ADDB774EB14714F60816FF422761D0DBBC1B09CB98
          APIs
          • __EH_prolog.LIBCMT ref: 00410923
          • GetLastError.KERNEL32(?,00000001), ref: 0041094F
          • SetLastError.KERNEL32(00000000,?,00000000,?,00000001), ref: 00410984
          Strings
          Similarity
          • API ID: ErrorLast$H_prolog
          • String ID: LWC
          • API String ID: 2881783280-2632873487
          • Opcode ID: e523f796f2599bc64f421f3731da4a6bba612d96ee8962c2ffc6fc38438fdbf2
          • Instruction ID: acbab4b3912dce083f0ab5e4695bd1a754cb157520c9f4483a6375180cd0a6e4
          • Opcode Fuzzy Hash: e523f796f2599bc64f421f3731da4a6bba612d96ee8962c2ffc6fc38438fdbf2
          • Instruction Fuzzy Hash: 9701A771510104EBDB25EB65D894BEEBBB8EF04318F10457FF451A3292DB7899C5CB48
          APIs
          • InterlockedIncrement.KERNEL32(00436350), ref: 00425BCF
          • InterlockedDecrement.KERNEL32(00436350), ref: 00425BE6
            • Part of subcall function 004202D7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 00420314
            • Part of subcall function 004202D7: EnterCriticalSection.KERNEL32(?,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 0042032F
          • InterlockedDecrement.KERNEL32(00436350), ref: 00425C16
          Strings
          Similarity
          • API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
          • String ID: PcC
          • API String ID: 2038102319-855171052
          • Opcode ID: 3bd75a82230cd9ced104e95933f2f5d27501d326bc494598148d8a087fc58c45
          • Instruction ID: adc50f129fb84b8eb2b69441b9848e4f4f2845b30e275d4b88b61cbae2afc5ec
          • Opcode Fuzzy Hash: 3bd75a82230cd9ced104e95933f2f5d27501d326bc494598148d8a087fc58c45
          • Instruction Fuzzy Hash: 9AF0243230032EBFDB102F92BC41DDA3758EF40324F80403BFA0056151DBB99D428AAD
          APIs
          • InterlockedIncrement.KERNEL32(00436350), ref: 00424B93
          • InterlockedDecrement.KERNEL32(00436350), ref: 00424BAA
            • Part of subcall function 004202D7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 00420314
            • Part of subcall function 004202D7: EnterCriticalSection.KERNEL32(?,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 0042032F
          • InterlockedDecrement.KERNEL32(00436350), ref: 00424BD6
          Strings
          Similarity
          • API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
          • String ID: PcC
          • API String ID: 2038102319-855171052
          • Opcode ID: 0570deb5fe707fbf342e9fc326acf40d3cbd9e7dc7e56a3c130906f8fc3c9e4f
          • Instruction ID: b002beaa395d990e37c49e4a7352255c25f0ee4e20773fb27ac0b09fbe3daaf8
          • Opcode Fuzzy Hash: 0570deb5fe707fbf342e9fc326acf40d3cbd9e7dc7e56a3c130906f8fc3c9e4f
          • Instruction Fuzzy Hash: 48F0B432301229BEDB112B56BC41EDA7B98DF84335F91803BFA04591518B79AD428A6D
          APIs
          • __EH_prolog.LIBCMT ref: 0040535A
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrcmpA.KERNEL32(?,00432C20,00000000,?,00432C20,?,?,Languages,00000000,00000000,?,00413DA2,Languages,count,00000000,?), ref: 00405389
          Strings
          Similarity
          • API ID: H_prolog$lstrcmp
          • String ID: ,C$Languages
          • API String ID: 4174983478-1812234814
          • Opcode ID: 72064fa73321a604903f1ee5ba0af2e1a68c5838b1bedc27f8246dd421b2b20e
          • Instruction ID: 290d4ac695817f43df49047243d499ad1fee0cf839fee303ffc0d4b1a6c0cda1
          • Opcode Fuzzy Hash: 72064fa73321a604903f1ee5ba0af2e1a68c5838b1bedc27f8246dd421b2b20e
          • Instruction Fuzzy Hash: 24F01D31511219AFCF119F46DD45ADF7B65EF01395F00842AF805A51A0C7B99820DAA8
          APIs
          • GetModuleHandleA.KERNEL32(KERNEL32,0041D197), ref: 00421CAD
          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00421CBD
          Strings
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: IsProcessorFeaturePresent$KERNEL32
          • API String ID: 1646373207-3105848591
          • Opcode ID: 2255ff5268dcd6947be429fc39638a25715443197826f31c06e1d842c6eb2788
          • Instruction ID: 9d33a740abc1fd2959013b1a84b113634df7b9b84ad6dc88c223c1bb2651dedd
          • Opcode Fuzzy Hash: 2255ff5268dcd6947be429fc39638a25715443197826f31c06e1d842c6eb2788
          • Instruction Fuzzy Hash: 24C0126838026766EB202FB3BE0DB2768982F60B02FD004267809D12B1DE9CCC12802E
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1b12f8167513fff0ebf286ca35986edbc7876437d4e1b4fe01c6d981c718ea78
          • Instruction ID: e0883a08fd8ca1b53dea0014b3cf7852d5135ec48246229c82773d1f89705bf6
          • Opcode Fuzzy Hash: 1b12f8167513fff0ebf286ca35986edbc7876437d4e1b4fe01c6d981c718ea78
          • Instruction Fuzzy Hash: 03914A75D00128BACF21AB66DC449DEBBB5EB44764F644127FC14B7292E3398DC08B6C
          APIs
          • HeapAlloc.KERNEL32(00000000,00002020,00430498,00430498,?,?,00421912,00000000,00000010,00000000,00000009,00000009,?,0041D01A,00000010,00000000), ref: 00421467
          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00421912,00000000,00000010,00000000,00000009,00000009,?,0041D01A,00000010,00000000), ref: 0042148B
          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00421912,00000000,00000010,00000000,00000009,00000009,?,0041D01A,00000010,00000000), ref: 004214A5
          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00421912,00000000,00000010,00000000,00000009,00000009,?,0041D01A,00000010,00000000,?), ref: 00421566
          • HeapFree.KERNEL32(00000000,00000000,?,?,00421912,00000000,00000010,00000000,00000009,00000009,?,0041D01A,00000010,00000000,?,00000000), ref: 0042157D
          Similarity
          • API ID: AllocVirtual$FreeHeap
          • String ID:
          • API String ID: 714016831-0
          • Opcode ID: b7a1758f7bec70182e399be0e907964f95d31a9b600db013b0d252681060a751
          • Instruction ID: 695e108c7e435092bf569ba8389090f9500ca8c96cc886ffd7fe824905209307
          • Opcode Fuzzy Hash: b7a1758f7bec70182e399be0e907964f95d31a9b600db013b0d252681060a751
          • Instruction Fuzzy Hash: FC31E471740712ABD330CF28EC45B22B7E0E7A4754F50863EE65A972A0E778A985CB5C
          APIs
          • lstrcmpA.KERNEL32(00000000,GIF87a), ref: 00419BB5
          • lstrcmpA.KERNEL32(00000000,GIF89a), ref: 00419BCD
          Strings
          Similarity
          • API ID: lstrcmp
          • String ID: GIF87a$GIF89a
          • API String ID: 1534048567-2918331024
          • Opcode ID: f6545d395b8ce86a6d24cf3b36f5636e5fe687c12e14d6d0af99ad6a051203ec
          • Instruction ID: a1afab4379b92ace986bb1e7bad7f16d075d7bf5c64bd507520116c8b68f2dfb
          • Opcode Fuzzy Hash: f6545d395b8ce86a6d24cf3b36f5636e5fe687c12e14d6d0af99ad6a051203ec
          • Instruction Fuzzy Hash: 9661E371600205EBDB248F64D896FD6B7B9FF05308F20845BE986CA282E378DDC5CB58
          APIs
            • Part of subcall function 004202D7: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 00420314
            • Part of subcall function 004202D7: EnterCriticalSection.KERNEL32(?,?,?,004245A2,00000009,00000000,00000000,00000001,0041FB58,00000001,00000074,?,?,00000000,00000001), ref: 0042032F
          • InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,?,?,0042510E,?,00000000,00000000), ref: 00424D03
          • EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,?,?,0042510E,?,00000000,00000000), ref: 00424D18
          • LeaveCriticalSection.KERNEL32(00000068,?,00000000,?,?,0042510E,?,00000000,00000000), ref: 00424D25
          Strings
          Similarity
          • API ID: CriticalSection$EnterInitialize$Leave
          • String ID:
          • API String ID: 713024617-3916222277
          • Opcode ID: 63cfe0bd4d5f5842da4e4915c21040cd00cc08458e2a608916e09337b162e7b8
          • Instruction ID: 05ce30fff74d13b0e759a38557e5b1c4a870b36292c30e1029c2e29a5f5e7ad3
          • Opcode Fuzzy Hash: 63cfe0bd4d5f5842da4e4915c21040cd00cc08458e2a608916e09337b162e7b8
          • Instruction Fuzzy Hash: 723146727003219FE714CF24FC8475A77E0FB80328F648A2EE5618B2C2D7789844C759
          APIs
          • lstrcpyA.KERNEL32(00000000,00000000,?,75BF8400,00000000), ref: 0040E27D
          • wsprintfA.USER32 ref: 0040E2C2
          Strings
          Similarity
          • API ID: lstrcpywsprintf
          • String ID: %s /g %s /g %s$%s /g %s /g %s /s
          • API String ID: 2408954437-3131057161
          • Opcode ID: 4c26aa459a2a7960de19ea629cb7ed94869e7f7792ec24228e2ccadd8a96a823
          • Instruction ID: 380ee5c9d402d6cc3c13d77e016bdcf9d26665b2862657db394efe258d792543
          • Opcode Fuzzy Hash: 4c26aa459a2a7960de19ea629cb7ed94869e7f7792ec24228e2ccadd8a96a823
          • Instruction Fuzzy Hash: 24313B72A0461CBFDF109B25DC14BDF77A9AB44300F0048BBF605A61D1D7799E948F49
          APIs
            • Part of subcall function 00406B32: GetVersionExA.KERNEL32(?), ref: 00406B55
          • CompareStringW.KERNEL32(00000400,00000000,?,?,?,?,?,?,?,?,00406A06,?,?,?,?,?), ref: 00406A9D
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 00406B10
          • CompareStringA.KERNEL32(00000400,00000001,?,?,00000000,?,?,?,00000000,00000000,?,?,?,?,00406A06,?), ref: 00406B22
          Similarity
          • API ID: CompareString$ByteCharMultiVersionWide
          • String ID:
          • API String ID: 3684582312-0
          • Opcode ID: a21e5f0ee5d1e192c2eefe0fa922488120ce471bcba93ee7e7d9956cbaf2e244
          • Instruction ID: 6b796dcaef353328c8592d5de854411a42418290b223792525f8e8537c494cd9
          • Opcode Fuzzy Hash: a21e5f0ee5d1e192c2eefe0fa922488120ce471bcba93ee7e7d9956cbaf2e244
          • Instruction Fuzzy Hash: E3215BB224021DBFEB109F94CC81CEB7B6CEF05358B01882AFA1696250D375DA20CBB4
          APIs
          • SysStringLen.OLEAUT32(?), ref: 00412C3C
          • SysStringLen.OLEAUT32(?), ref: 00412C73
          • SysStringLen.OLEAUT32(?), ref: 00412C85
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000001,?,00000000,00000000,?,00000000,?,?,00412B62,00000000,00000200,0041236F), ref: 00412C9B
          Similarity
          • API ID: String$ByteCharMultiWide
          • String ID:
          • API String ID: 352835431-0
          • Opcode ID: 6e94d42654196f311d6885b0ea601060da5586da82ad7f5c33b579264eb9c57b
          • Instruction ID: 52088d6c2a2db4d9929835d484a7ac9fb72e34d0c813e979b9f340133c98136d
          • Opcode Fuzzy Hash: 6e94d42654196f311d6885b0ea601060da5586da82ad7f5c33b579264eb9c57b
          • Instruction Fuzzy Hash: 4F119EB2200705AF8720CF65DE808ABB3EDEF953403508D2EF696D3610E774FC9586A8
          APIs
          • MsgWaitForMultipleObjects.USER32(00000002,?,00000000,?,000000FF), ref: 00418A9C
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00418AAC
          • TranslateMessage.USER32(?), ref: 00418ABA
          • DispatchMessageA.USER32(?), ref: 00418AC4
          Similarity
          • API ID: Message$DispatchMultipleObjectsPeekTranslateWait
          • String ID:
          • API String ID: 2231909638-0
          • Opcode ID: 14c051910025a3168f6140fbb1308b164dbf38a67bef8a0c0772179662a0238b
          • Instruction ID: cf9208c5e63e12eb5151a3ac84a4679b786666cd188bfe063fd9cfed0c6ddbff
          • Opcode Fuzzy Hash: 14c051910025a3168f6140fbb1308b164dbf38a67bef8a0c0772179662a0238b
          • Instruction Fuzzy Hash: 6A010CB6A00108BFDB10DBD4DC85EEBBBBCEF08294F104467FA01E6150D675DE828B64
          APIs
          • __EH_prolog.LIBCMT ref: 0040B589
          • GetLastError.KERNEL32(?,00000001,?,004143CF,00000000,00000000,?,?,00000001), ref: 0040B5AC
          • SysFreeString.OLEAUT32(00000000), ref: 0040B5CA
          • SetLastError.KERNEL32(?,00000001,?,004143CF,00000000,00000000,?,?,00000001), ref: 0040B5EA
          Similarity
          • API ID: ErrorLast$FreeH_prologString
          • String ID:
          • API String ID: 1156525562-0
          • Opcode ID: 0ff54385c3bb6dc5f6e910ce5847f68d024103765115ceb4c4f4ed6f0cb61acd
          • Instruction ID: 1ce152e2b94d4a6b39f24b1c84d996e97b50ff4775359722c8f56abdd554cd6d
          • Opcode Fuzzy Hash: 0ff54385c3bb6dc5f6e910ce5847f68d024103765115ceb4c4f4ed6f0cb61acd
          • Instruction Fuzzy Hash: BC019A36B00511EFC7188F28E809AA8B7E0FF88314F05426EE856D3260DB75AD40CB84
          APIs
          • CreateCompatibleDC.GDI32(?), ref: 00408277
          • SelectObject.GDI32(00000000), ref: 00408286
          • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 004082B7
          • DeleteDC.GDI32(00000000), ref: 004082C2
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CompatibleCreateDeleteObjectSelect
          • String ID:
          • API String ID: 3360107340-0
          • Opcode ID: 7ce2e8f095f5c3f3de035946f4f719bd9645d30f2b98ece02728265b76b333a9
          • Instruction ID: eaa9e9c8918fee07d05fe742b749d678e6dc8bff7f96bae29fe8bc4e081f0ee4
          • Opcode Fuzzy Hash: 7ce2e8f095f5c3f3de035946f4f719bd9645d30f2b98ece02728265b76b333a9
          • Instruction Fuzzy Hash: B8F08131200508EBDB214F65EC44FBB3B6AEF84B30F10422DFA65962E0CB319C52DA68
          APIs
          • __EH_prolog.LIBCMT ref: 00405894
          • GetLastError.KERNEL32(00000008,00000000,?,0040577D,QV@,00000000,00000000,00000400,00405651,?,?,00000004), ref: 004058C0
          • SysAllocString.OLEAUT32(00000000), ref: 004058CF
          • SetLastError.KERNEL32(?,?,0040577D,QV@,00000000,00000000,00000400,00405651,?,?,00000004), ref: 004058FE
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$AllocH_prologString
          • String ID:
          • API String ID: 1734030179-0
          • Opcode ID: cf348611c2704847ace1efbb63f87a465e7bedba572630d44b3ceadb97172800
          • Instruction ID: 8df585bc618b2b2893aa6400cad21a325daa58d57b8e973ff98620fd3d5a3fc0
          • Opcode Fuzzy Hash: cf348611c2704847ace1efbb63f87a465e7bedba572630d44b3ceadb97172800
          • Instruction Fuzzy Hash: 95115371600611EFD7209F54E908A8ABBF0FF04719F00C46EE89A9B641C7B8A949CB98
          APIs
          • __EH_prolog.LIBCMT ref: 00412944
          • GetLastError.KERNEL32(?,00000200,?,00412398,0042F204,00000001,?,75BF8400,00000000), ref: 00412970
          • SysAllocString.OLEAUT32(00000000), ref: 0041297F
          • SetLastError.KERNEL32(?,?,00000200,?,00412398,0042F204,00000001,?,75BF8400,00000000), ref: 004129AE
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorLast$AllocH_prologString
          • String ID:
          • API String ID: 1734030179-0
          • Opcode ID: 0d84bff09253f87a555890ab7c6eeae66d2dc31cc2d7f11bbc597ba7f68dc608
          • Instruction ID: d237af1bd0152fe78fd2570cb4d90f2a02b3920ace707c6e2f8faead720e2bc7
          • Opcode Fuzzy Hash: 0d84bff09253f87a555890ab7c6eeae66d2dc31cc2d7f11bbc597ba7f68dc608
          • Instruction Fuzzy Hash: 8D113571600711DFC7209F58E908B9ABBF0FF04718F50C42EE89A9B741D7B8A949CB98
          APIs
          • SysFreeString.OLEAUT32(?), ref: 00412B75
          • lstrlenA.KERNEL32(00000000,?,00412B47,?), ref: 00412B88
          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00412B47,?), ref: 00412BAF
          • SysAllocString.OLEAUT32(00000000), ref: 00412BB9
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: String$AllocByteCharFreeMultiWidelstrlen
          • String ID:
          • API String ID: 90228818-0
          • Opcode ID: 4380fb4b58bf898f2abb9bb7b0098c298f66dd18e76ec1f884ec427ec04e2d82
          • Instruction ID: 85d97fcbc3b297ba8bb69dfcc3e718a042a502b4dfa908fad131254b6fcb3ef4
          • Opcode Fuzzy Hash: 4380fb4b58bf898f2abb9bb7b0098c298f66dd18e76ec1f884ec427ec04e2d82
          • Instruction Fuzzy Hash: D7F08132940214FBDB205F55DC09B9ABB78FB41361F104566F91693290D7B06E51C7A4
          APIs
          • lstrcmpiA.KERNEL32(?,removeonly), ref: 00408F70
            • Part of subcall function 00414265: __EH_prolog.LIBCMT ref: 0041426A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: H_prologlstrcmpi
          • String ID: /removeonly$removeonly$runas
          • API String ID: 2018383997-3587812613
          • Opcode ID: eae3dcef35f5631e072b046d5b673d645ea7d972d59e35b2fe3f86833221a9a3
          • Instruction ID: a4fc1f85fd49b62f6fb69f9f5d1620d5a39d966a545d728fc67dcc61bd98cfba
          • Opcode Fuzzy Hash: eae3dcef35f5631e072b046d5b673d645ea7d972d59e35b2fe3f86833221a9a3
          • Instruction Fuzzy Hash: ECF05471358215BDE7005692ACC5FBB37589B94B9CF60443FFC01A52C1D6BC4C825A19
          APIs
          • wsprintfA.USER32 ref: 0040AFF8
            • Part of subcall function 0040B040: __EH_prolog.LIBCMT ref: 0040B045
            • Part of subcall function 0040B040: lstrcatA.KERNEL32(?,.ini,?,C:\Users\user\AppData\Local\Temp\_is8C78,?,00000000), ref: 0040B079
          • CharNextA.USER32(?,00000000), ref: 0040B022
          • CharNextA.USER32(00000000), ref: 0040B025
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CharNext$H_prologlstrcatwsprintf
          • String ID: %#04x
          • API String ID: 1423492500-3155933392
          • Opcode ID: c90dd86ffef62306410b66d9d01f24618a3c3c99b758de87476988fabca54865
          • Instruction ID: cfab32d3c133e5f3cd1ebe0f598b445e5cfecfc7a796276159153b4d86fe5e47
          • Opcode Fuzzy Hash: c90dd86ffef62306410b66d9d01f24618a3c3c99b758de87476988fabca54865
          • Instruction Fuzzy Hash: 65F0307290020DBBCF01AFA5DC05DDF3F6DEB08248B444421BD14B2062E735DA21DBE9
          APIs
          • IsWindow.USER32(00000001), ref: 00409D5F
            • Part of subcall function 00409DAF: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00409DD9
            • Part of subcall function 00409DAF: IsDialogMessageA.USER32(?,?,?,?,?,?,?,00409D6E,?,?,?,?,00000000,75C0FB50), ref: 00409DED
            • Part of subcall function 00409DAF: TranslateMessage.USER32(?), ref: 00409DFB
            • Part of subcall function 00409DAF: DispatchMessageA.USER32(?), ref: 00409E05
          • GetDlgItem.USER32(000003EA), ref: 00409D79
          • SendMessageA.USER32(00000000,00000408,00000000,00000000), ref: 00409D91
          • SendMessageA.USER32(00000000,00000402,00000000,00000000), ref: 00409DA9
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Message$Send$DialogDispatchItemPeekTranslateWindow
          • String ID:
          • API String ID: 4202329498-0
          • Opcode ID: 774bba700e68023afe64415471ee69bd87c99ba4aeb524ca0f0872e2d967cf76
          • Instruction ID: 5c7b974a346a25f49a3fe786b49983883f5ea819a6724f8a661d1e92b4dea993
          • Opcode Fuzzy Hash: 774bba700e68023afe64415471ee69bd87c99ba4aeb524ca0f0872e2d967cf76
          • Instruction Fuzzy Hash: 64E0E5B03402047FE6106B21FCC9E3B2A6CEFC4759B40003AF604F50D1CA796C12867D
          APIs
          • lstrlenA.KERNEL32(?,75BF3530,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160B7
          • lstrcpynA.KERNEL32(?,?,-00000001,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160D5
          • lstrcpyA.KERNEL32(?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160E1
          • lstrcatA.KERNEL32(?,?,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 004160F5
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcatlstrcpylstrcpynlstrlen
          • String ID:
          • API String ID: 3428934214-0
          • Opcode ID: c25148c562f7628e4229d16e7600583c8743126d504015b61357d7616a4d2761
          • Instruction ID: b1daff398409c59c8e98a8683c19445599f8aa593133d964b2cce87dc0df625e
          • Opcode Fuzzy Hash: c25148c562f7628e4229d16e7600583c8743126d504015b61357d7616a4d2761
          • Instruction Fuzzy Hash: DAF05E32514128FBEF319F91EC089EA3F28EF05360F508426F50885061C775CC92DBA8
          APIs
          • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041681D
          • GetObjectA.GDI32(00000000,0000003C,?), ref: 00416826
            • Part of subcall function 00416774: GetLocaleInfoA.KERNEL32(7hA,00001004,?,00000014,?,?,?,?,?,?,?,?,?,?,?,00416837), ref: 0041679B
            • Part of subcall function 00416774: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004167B6
          • CreateFontIndirectA.GDI32(?), ref: 0041683F
          • SendMessageA.USER32(?,00000030,00000000,00000000), ref: 00416852
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
          • String ID:
          • API String ID: 2681337867-0
          • Opcode ID: 050b08ee21cd7694af03b9f04d001dc3b4a09b32116eaf0c6741690eb37f98e6
          • Instruction ID: bfc094bbd91db6de2ff2b6fb88e53053737241eed0a0dc66ae9e82a2b0dce189
          • Opcode Fuzzy Hash: 050b08ee21cd7694af03b9f04d001dc3b4a09b32116eaf0c6741690eb37f98e6
          • Instruction Fuzzy Hash: E3F01272A40318BBDF156BE0EC06FDD3B7CAB18740F504015FA01BA1E5DAB0AA05CB58
          APIs
          • CharNextA.USER32(?,?,?,00000000,004160EF,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F6B
          • CharPrevA.USER32(?,?,?,?,00000000,004160EF,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F74
          • CharNextA.USER32(00000000,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F8C
          • CharNextA.USER32(00000000,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00415F92
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Char$Next$Prev
          • String ID:
          • API String ID: 589700163-0
          • Opcode ID: fd44e64e9610de1a8da13418f81bcf26c3770e2bfa616ad760b2944094b4bf67
          • Instruction ID: 75509177851036b6563177be0cdc2f3c6707d0e43d4520bef511e18b2534e6bd
          • Opcode Fuzzy Hash: fd44e64e9610de1a8da13418f81bcf26c3770e2bfa616ad760b2944094b4bf67
          • Instruction Fuzzy Hash: 8EF030B15087A1AEE72253758C44BE76FDC5B9E351F0900A2F584D3252C6689C828B79
          APIs
          • lstrlenA.KERNEL32(?,00000000,00000000,00404B5A,00000000,00000001,?,?,00000000), ref: 0041316D
          • lstrcpyA.KERNEL32(00000000,?), ref: 00413189
          • lstrcpyA.KERNEL32(C:\Users\user\Desktop,?), ref: 00413191
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: lstrcpy$lstrlen
          • String ID: C:\Users\user\Desktop
          • API String ID: 367037083-224404859
          • Opcode ID: 9e2b3ed29c04e6024dfd319db1d7dc475d5ebc37b092765b681aa98a5b37e0d4
          • Instruction ID: 659378a193054d8701b91472ddfe2dd576858e9a79081452b1a8e9882c8c0403
          • Opcode Fuzzy Hash: 9e2b3ed29c04e6024dfd319db1d7dc475d5ebc37b092765b681aa98a5b37e0d4
          • Instruction Fuzzy Hash: B6D05B72900211BE96215767AC0CC5BFF6CDAD5730B11442FF508D3100CE745C03C6B8
          APIs
          • GetCPInfo.KERNEL32(?,00000000), ref: 00422E0F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Info
          • String ID: $
          • API String ID: 1807457897-3032137957
          • Opcode ID: a97507c1d670d096e8f1ba0dee207892cba4ff5ce29692559d5db544296dd034
          • Instruction ID: 00634d7907d86143888754830e1d4f46bcd4e58b1e197a1ac9017579bb2f056b
          • Opcode Fuzzy Hash: a97507c1d670d096e8f1ba0dee207892cba4ff5ce29692559d5db544296dd034
          • Instruction Fuzzy Hash: DC41AC312042797AEF129710EF49BF77FB89B06300F4614E6D589C7193C2A94A04E77E
          APIs
            • Part of subcall function 00424AA7: SetFilePointer.KERNEL32(00000000,00000100,00000000,00000000,00000100,00000000,004251D6,00000000,000000FF,00000002), ref: 00424AD1
            • Part of subcall function 00424AA7: GetLastError.KERNEL32 ref: 00424ADE
          • SetEndOfFile.KERNEL32(00000000,?,?,?,00000100,?,?,?,00425220,00000000,?), ref: 004261DD
          • GetLastError.KERNEL32(?,?,?,00000100,?,?,?,00425220,00000000,?), ref: 004261FB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: ErrorFileLast$Pointer
          • String ID: RB
          • API String ID: 1697706070-3612573848
          • Opcode ID: f6a80a3623331370b03286a5af152769d13c612f72c66a6829609f10798d79cf
          • Instruction ID: 18aee762f6edeaaf5cd5a324a74f538a250e19feff0651a1328dc11864c22c35
          • Opcode Fuzzy Hash: f6a80a3623331370b03286a5af152769d13c612f72c66a6829609f10798d79cf
          • Instruction Fuzzy Hash: 99313931700134ABDF213F66EC45B9A3E65DF40364F824177FA189B2E2EA39CD5146AC
          APIs
          • __EH_prolog.LIBCMT ref: 0040638D
            • Part of subcall function 004064AC: __EH_prolog.LIBCMT ref: 004064B1
            • Part of subcall function 004064AC: GetDesktopWindow.USER32 ref: 0040653C
            • Part of subcall function 004064AC: QueryPerformanceFrequency.KERNEL32(00000000), ref: 00406594
            • Part of subcall function 00417AAD: RegQueryValueA.ADVAPI32(80000000,.htm,?,00000000), ref: 00417AD9
            • Part of subcall function 00417AAD: lstrcatA.KERNEL32(?,\shell\open\command,?,00000000), ref: 00417AF3
            • Part of subcall function 00417AAD: RegQueryValueA.ADVAPI32(80000000,?,?,00000000), ref: 00417B0F
            • Part of subcall function 00417AAD: lstrlenA.KERNEL32(?,?,00000000), ref: 00417B24
            • Part of subcall function 00417AAD: CharLowerBuffA.USER32(?,00000000,?,00000000), ref: 00417B32
            • Part of subcall function 00417AAD: lstrcpynA.KERNEL32(?,00000022,-0000000D,?,00000000), ref: 00417B72
          • InterlockedIncrement.KERNEL32(00435C60), ref: 00406445
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Query$H_prologValue$BuffCharDesktopFrequencyIncrementInterlockedLowerPerformanceWindowlstrcatlstrcpynlstrlen
          • String ID: ftp://
          • API String ID: 29447242-2553531909
          • Opcode ID: 6ad03f5f473f0023ca61663f7fc167c49cf27f9e8be25e27636d5898539014f8
          • Instruction ID: cff7f64d877e23aab633a92cce587c34cc8cc3b73b497b7a543349bda441c18f
          • Opcode Fuzzy Hash: 6ad03f5f473f0023ca61663f7fc167c49cf27f9e8be25e27636d5898539014f8
          • Instruction Fuzzy Hash: 7821A071700204AFCF15EF69C8816AEBBA1EF48304F10843FF946A3291CB799DA59B5D
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: Event
          • String ID: d
          • API String ID: 4201588131-2564639436
          • Opcode ID: e2a90b2b42527a1e7293fe753d8aad72944ba0c8ee9a7df1bdac0116e3a53024
          • Instruction ID: 075b5b2c9926920302bc67c1dd745e17301cc5bc0d67377b308e3b8977ccbed7
          • Opcode Fuzzy Hash: e2a90b2b42527a1e7293fe753d8aad72944ba0c8ee9a7df1bdac0116e3a53024
          • Instruction Fuzzy Hash: 4B212475504605DFCB24CF14C8489AAB7F4FF18315B14852EF94A8B721DB34F991CB99
          APIs
          • GetDriveTypeA.KERNEL32(00404D47,00000000,?,?,00404D47,00000003,00000000,00000001), ref: 00415E33
            • Part of subcall function 00415DA6: CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,00000000), ref: 00415DDC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.2104533905.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.2104516536.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104561889.0000000000429000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104581218.000000000042E000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104598084.000000000042F000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104615865.0000000000432000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.2104633421.0000000000438000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_plotdemo.jbxd
          Similarity
          • API ID: CreateDriveFileType
          • String ID: :$\
          • API String ID: 3443067566-1166558509
          • Opcode ID: 1f03a66c6ea18ffd2aaacf14f3b88b52253db7efff3926d4629aecc78ede472d
          • Instruction ID: c8916d21bcc177fcd91209f843a3b351175aee8582a7d48e2e53da29790b50ee
          • Opcode Fuzzy Hash: 1f03a66c6ea18ffd2aaacf14f3b88b52253db7efff3926d4629aecc78ede472d
          • Instruction Fuzzy Hash: 5801D435009BC6CDDB028F7858449DB3FA89F53358F18485BE8A4C6242D229D75A976A
          APIs
          • __EH_prolog.LIBCMT ref: 004019C9
            • Part of subcall function 00401AE9: __EH_prolog.LIBCMT ref: 00401AEE
            • Part of subcall function 00401D30: __EH_prolog.LIBCMT ref: 00401D35
          • lstrlenA.KERNEL32(?,?,00000000,00432C20,?,00000400,000001F4,C:\Users\user\AppData\Local\Temp\_is8C78), ref: 00401A06
          Strings
          • C:\Users\user\AppData\Local\Temp\_is8C78, xrefs: 004019D1
          Similarity
          • API ID: H_prolog$lstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\_is8C78
          • API String ID: 3243491680-1593701051
          • Opcode ID: a7314d44f472652021954a9211aee0278bb82145901bc8219b0609a779e39cc4
          • Instruction ID: 59bdd9aee2d604e39f8a682bb9b047cb3703b623f74839805350cd25e7a1a4ef
          • Opcode Fuzzy Hash: a7314d44f472652021954a9211aee0278bb82145901bc8219b0609a779e39cc4
          • Instruction Fuzzy Hash: 11015E72A01214EBCF10EFA5D945BDDBB34EF18718F10812AF821761E0DB785A14CA48
          APIs
          Strings
          Similarity
          • API ID: H_prolog
          • String ID: ,C$string too long
          • API String ID: 3519838083-1064043291
          • Opcode ID: fa598cac134bf5505d7f62e455d1ccb6d6a3c6e0d9c2b090a8b7b910cb775d6b
          • Instruction ID: 626fb143130218738aad23d3938fcc7cbc36d1b06618662cc20ee54ce1104f87
          • Opcode Fuzzy Hash: fa598cac134bf5505d7f62e455d1ccb6d6a3c6e0d9c2b090a8b7b910cb775d6b
          • Instruction Fuzzy Hash: 6DF06276B00215AFC704DF85D841BAEFBA8EF84704F00441FE551A7241C7F85904C768
          APIs
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • wsprintfA.USER32 ref: 00415898
          • wvsprintfA.USER32(?,?,?), ref: 004158B3
            • Part of subcall function 0041568F: __EH_prolog.LIBCMT ref: 00415694
          Strings
          Similarity
          • API ID: wsprintf$H_prologLoadStringwvsprintf
          • String ID: %d: %s
          • API String ID: 2226253583-204819183
          • Opcode ID: 4c94e71ccdd098df294670ba03ec6a79bf995186e9b99889d8a5fa6644bbb5f5
          • Instruction ID: 964a0e33e05a15bd1923817a2da4b8cd8dfec65b680f5a6f455a9e8c4d039d4a
          • Opcode Fuzzy Hash: 4c94e71ccdd098df294670ba03ec6a79bf995186e9b99889d8a5fa6644bbb5f5
          • Instruction Fuzzy Hash: 75F0307290021CABCF11EBA0DC45ECA777CAB08314F4041E2BA09E1091EA74DB988BD8
          APIs
            • Part of subcall function 00415942: wsprintfA.USER32 ref: 00415954
            • Part of subcall function 00415942: LoadStringA.USER32(?,?,?), ref: 0041597F
          • wsprintfA.USER32 ref: 00415901
          • wvsprintfA.USER32(?,?,?), ref: 0041591C
            • Part of subcall function 0041568F: __EH_prolog.LIBCMT ref: 00415694
          Strings
          Similarity
          • API ID: wsprintf$H_prologLoadStringwvsprintf
          • String ID: %d: %s
          • API String ID: 2226253583-204819183
          • Opcode ID: 988f7596183b892491fb383f9bc67f7bcd1a2899eb98c9ff937e825f9ef89bd7
          • Instruction ID: 6c0c896b8be8b66746a48a5c29a848151f914cae7a717ac7ca6866456a251ceb
          • Opcode Fuzzy Hash: 988f7596183b892491fb383f9bc67f7bcd1a2899eb98c9ff937e825f9ef89bd7
          • Instruction Fuzzy Hash: 68F0547290021CABCF11EBA0DC45FCA777CAB08314F4041E6FA15E1091EA74DB988FD8
          APIs
          • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00420D6C,00000000,00000000,00000000,0041CFBC,00000000,00000000,?,00000000,00000000,00000000), ref: 00420FCC
          • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00420D6C,00000000,00000000,00000000,0041CFBC,00000000,00000000,?,00000000,00000000,00000000), ref: 00421000
          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0042101A
          • HeapFree.KERNEL32(00000000,?), ref: 00421031
          Similarity
          • API ID: AllocHeap$FreeVirtual
          • String ID:
          • API String ID: 3499195154-0
          • Opcode ID: f8fa02a9222113bbb47b49c00ba3a8164ca69f8d430b9dab45345e1b1486e222
          • Instruction ID: 4e363e05c2c952d19a648d182ae2915dfe9db599835541944b80dc2d4a15ae57
          • Opcode Fuzzy Hash: f8fa02a9222113bbb47b49c00ba3a8164ca69f8d430b9dab45345e1b1486e222
          • Instruction Fuzzy Hash: 65112830300302BFD7318F19EC45926BBB5FB95760BA29939E952C65B0C371A842CF18
          APIs
          • lstrcpyA.KERNEL32(?,?,?,0001040E,00000000), ref: 00415EFC
          • CharNextA.USER32(00000000), ref: 00415F2B
          • lstrcpyA.KERNEL32(00000000,?), ref: 00415F40
          • lstrcpyA.KERNEL32(0040DF31,00000000), ref: 00415F46
          Similarity
          • API ID: lstrcpy$CharNext
          • String ID:
          • API String ID: 3801418090-0
          • Opcode ID: 35a003a38b7131027bc96a660cff7c0f5bbb7e558f93d335a234d1702172fa8b
          • Instruction ID: bc19e44355eb4671eb1624ab242cfd2cec4a7607a420250a3067a343c1572e03
          • Opcode Fuzzy Hash: 35a003a38b7131027bc96a660cff7c0f5bbb7e558f93d335a234d1702172fa8b
          • Instruction Fuzzy Hash: 64018677500219AADB209BA1EC45FEB7B6CEBC4364F14047BF709E6180EA74DD468B68
          APIs
          • CharNextA.USER32(?,00000000,75BF3530,0041610C,?,00415F87,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00416126
          • CharNextA.USER32(?,00000000,75BF3530,0041610C,?,00415F87,?,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00416140
          • CharNextA.USER32(00000000,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 00416148
          • CharNextA.USER32(00000000,?,00415A6B,?,?,?,C:\Users\user\AppData\Local\Temp\_is8C78\Setup.INI,?,?), ref: 0041614D
          Similarity
          • API ID: CharNext
          • String ID:
          • API String ID: 3213498283-0
          • Opcode ID: f9ffba8ebb5328562812fa2cb4dee786131e2375406c45500c0076535e5c1f5a
          • Instruction ID: 0715d0f5cbebe4189091f73a24a9d81e79cb7034fdb5362b444f815f3cd9e609
          • Opcode Fuzzy Hash: f9ffba8ebb5328562812fa2cb4dee786131e2375406c45500c0076535e5c1f5a
          • Instruction Fuzzy Hash: 35F06772C042993CEB2202289D40BE7AB9A4B8B720F5A445BD18092353C2ACCCD3876A
          APIs
          Similarity
          • API ID: ErrorLast
          • String ID:
          • API String ID: 1452528299-0
          • Opcode ID: 020d2f3c2ac1e11b164ec16f4aeeff81966126517d81768ee87b8c79225da140
          • Instruction ID: 188effcd2ce96b2a3a7613be403583c74c66de35c5047345ad31e39c0be7b37c
          • Opcode Fuzzy Hash: 020d2f3c2ac1e11b164ec16f4aeeff81966126517d81768ee87b8c79225da140
          • Instruction Fuzzy Hash: 7AF0277120421057D6212B12CC089EF7354AF90790F15042FF81157350CF7CACC395AD
          APIs
          • InitializeCriticalSection.KERNEL32(?,0041FAD2,?,0041DB7C), ref: 004202BB
          • InitializeCriticalSection.KERNEL32(?,0041FAD2,?,0041DB7C), ref: 004202C3
          • InitializeCriticalSection.KERNEL32(?,0041FAD2,?,0041DB7C), ref: 004202CB
          • InitializeCriticalSection.KERNEL32(?,0041FAD2,?,0041DB7C), ref: 004202D3
          Similarity
          • API ID: CriticalInitializeSection
          • String ID:
          • API String ID: 32694325-0
          • Opcode ID: 43aa7fb460e2189669a6dfd6958393cb85aff370d4f4333fb49d1d36185365cc
          • Instruction ID: 4237ad7f692b87586f6a50a751bedb32dfef000adefe8ada1b755afc56ca1c8e
          • Opcode Fuzzy Hash: 43aa7fb460e2189669a6dfd6958393cb85aff370d4f4333fb49d1d36185365cc
          • Instruction Fuzzy Hash: 41C00231952039ABDF226B66FC2C85B3F66EB052A0375A3B2E504520308A221C21EFD8

          Execution Graph

          Execution Coverage:10.1%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:1.2%
          Total number of Nodes:2000
          Total number of Limit Nodes:64
19478 401860 19477->19478 19478->19478 19479 4018da CopyFileA 19478->19479 19480 401910 19479->19480 19480->19480 19481 40198a CopyFileA 19480->19481 19482 4019b0 19481->19482 19482->19482 19483 401a2a CopyFileA 19482->19483 19484 401a60 RegCreateKeyExA 19483->19484 19486 401ad1 RegCloseKey 19484->19486 19487 401adc RegCreateKeyExA 19484->19487 19486->19487 19489 401b7a RegSetValueExA 19487->19489 19493 401d5f 19487->19493 19493->19493 19566 402cb4 19565->19566 19566->19566 19567 402d0a GetSystemDirectoryA 19566->19567 19568 402d43 19567->19568 19568->19568 19569 402d4d GetPrinterDriverDirectoryA 19568->19569 19570 402d83 19569->19570 19570->19570 19571 402e1a CopyFileA 19570->19571 19572 405097 19571->19572 19575 402e47 19571->19575 19573 414e70 _$I10_OUTPUT 5 API calls 19572->19573 19574 4050a9 19573->19574 19574->18947 19575->19575 19576 402e7a CopyFileA 19575->19576 19576->19572 19577 402eb9 CopyFileA 19576->19577 19579 402f60 19577->19579 19579->19579 19580 402f8a CopyFileA 19579->19580 19581 402fc0 19580->19581 19581->19581 19582 40303a CopyFileA 19581->19582 19583 403060 19582->19583 19583->19583 19584 40308a CopyFileA 19583->19584 19585 4030d0 19584->19585 19585->19585 19586 40314a CopyFileA 19585->19586 19587 403170 19586->19587 19587->19587 19588 40319a CopyFileA 19587->19588 19710 4050d4 19709->19710 19710->19710 19711 40512a GetSystemDirectoryA 19710->19711 19712 405170 19711->19712 19712->19712 19713 40517a GetPrinterDriverDirectoryA 19712->19713 19714 4051e0 19713->19714 19714->19714 19715 40527a CopyFileA 19714->19715 19716 4074f8 19715->19716 19719 4052a7 19715->19719 19717 414e70 _$I10_OUTPUT 5 API calls 19716->19717 19718 40750a 19717->19718 19718->18969 19719->19719 19720 4052da CopyFileA 19719->19720 19720->19716 19721 405319 CopyFileA 19720->19721 19723 4053c0 19721->19723 19723->19723 19724 4053ea CopyFileA 19723->19724 19725 405420 19724->19725 19725->19725 19726 40549a CopyFileA 19725->19726 19727 4054c0 19726->19727 19727->19727 19728 
4054ea CopyFileA 19727->19728 19729 405530 19728->19729 19729->19729 19730 4055aa CopyFileA 19729->19730 19731 4055d0 19730->19731 19731->19731 19732 4055fa CopyFileA 19731->19732 19857->18986 19859 411bc7 ctype 94 API calls 19858->19859 19860 40d06d 19859->19860 19862 40b566 2 API calls 19860->19862 19861 40d089 19861->18951 19862->19861 19864 40ecea __EH_prolog3 19863->19864 19865 40ed06 19864->19865 19866 40ed28 19864->19866 19942 40e23d 19865->19942 19867 40ed6f 19866->19867 19868 40ed5f 19866->19868 19891 40ed14 19866->19891 19870 40ed74 19867->19870 19877 40ed88 19867->19877 19970 40d0ff 19868->19970 19869 40bddf 2 API calls 19872 40eefa ctype 19869->19872 19988 40e71d 19870->19988 19872->18951 19886 40ed1c 19877->19886 19952 40bdb0 19877->19952 19878 40bddf 2 API calls 19879 40f1ed 19878->19879 19883 40eedf 19884 40bddf 2 API calls 19883->19884 19925 40ed52 19884->19925 19885 40ee26 19885->19883 19885->19886 19887 40bddf 2 API calls 19885->19887 19888 40ef40 19885->19888 19889 40f044 19885->19889 19890 40f084 19885->19890 19885->19891 19892 40f109 19885->19892 19893 40f00e 19885->19893 19894 40f0cf 19885->19894 19895 40ef14 19885->19895 19896 40f118 19885->19896 19897 40efd7 19885->19897 19898 40ef5c 19885->19898 19899 40f0dd 19885->19899 19900 40f0a1 19885->19900 19901 40f0ab 19885->19901 19902 40ef34 19885->19902 19903 40f035 19885->19903 19904 40f0b5 19885->19904 19905 40f0fd 19885->19905 19906 40f1b9 19885->19906 19923 40ef6a 19885->19923 19885->19925 19886->19878 19887->19885 19915 40d0ff 101 API calls 19888->19915 19958 4011e0 IsIconic 19889->19958 19909 40d0ff 101 API calls 19890->19909 19891->19886 19891->19925 19918 40d0ff 101 API calls 19892->19918 19907 40d0ff 101 API calls 19893->19907 19921 40d0ff 101 API calls 19894->19921 20006 410b0e 19895->20006 19896->19886 19924 40d0ff 101 API calls 19896->19924 20023 410b80 19897->20023 19916 40d0ff 101 API calls 19898->19916 19922 40d0ff 101 API calls 19899->19922 19911 410b0e 100 API calls 19900->19911 
19912 412c8e 100 API calls 19901->19912 19914 40d0ff 101 API calls 19902->19914 20028 412c8e 19903->20028 19913 412c8e 100 API calls 19904->19913 19917 40d0ff 101 API calls 19905->19917 19919 40bddf 2 API calls 19906->19919 19907->19886 19920 40f08c 19909->19920 19911->19886 19912->19886 19913->19886 19914->19886 19915->19886 19916->19886 19917->19886 19918->19886 19919->19886 19926 40d0ff 101 API calls 19920->19926 19921->19886 19922->19886 20009 40bdf9 19923->20009 19924->19886 19925->19869 19926->19886 19932 40efac 20019 40d850 19932->20019 19938 40b595 CallWindowProcA 19937->19938 19940 40b573 19937->19940 19939 40b5a8 19938->19939 19939->18952 19940->19938 19941 40b581 DefWindowProcA 19940->19941 19941->19939 19943 40e28c 19942->19943 19947 40e25b 19942->19947 19945 411bc7 ctype 94 API calls 19943->19945 19944 40e25f 19944->19891 19946 40e29b 19945->19946 19948 40e2a4 19946->19948 19949 411163 ctype RaiseException 19946->19949 19947->19944 20031 40a439 19947->20031 19948->19944 20039 40da70 19948->20039 19949->19948 19953 40bdbe 19952->19953 19954 40bdd5 19953->19954 19955 411163 ctype RaiseException 19953->19955 19956 412458 ctype 6 API calls 19954->19956 19955->19953 19957 40bddb 19956->19957 19957->19885 20002 40bddf 19957->20002 19959 401285 19958->19959 19960 401207 19958->19960 20113 40a29e 19959->20113 20123 410b99 19960->20123 19963 401211 SendMessageA GetSystemMetrics GetSystemMetrics GetClientRect DrawIcon 20130 410bed 19963->20130 19964 40128c PostMessageA 19968 414e70 _$I10_OUTPUT 5 API calls 19964->19968 19967 401283 19967->19964 19969 4012c3 19968->19969 19969->19886 19971 40d08b ctype 100 API calls 19970->19971 19972 40d108 19971->19972 20181 411fa5 19972->20181 19974 40d115 20193 41102e 19974->20193 19977 40e6a7 20202 410f40 19977->20202 19979 40e6b7 19987 40e716 19979->19987 20205 40e39c 19979->20205 19981 40e6c6 19982 40e6d4 IsWindow 19981->19982 19983 40e6e8 19981->19983 19981->19987 19982->19983 19984 40e6e1 19982->19984 19985 40e701 
SendMessageA 19983->19985 19983->19987 19986 40e39c 105 API calls 19984->19986 19985->19987 19986->19983 19987->19867 19989 40e727 19988->19989 19990 40e78c 19988->19990 19989->19990 19991 40e39c 105 API calls 19989->19991 19990->19877 19990->19886 19992 40e74a 19991->19992 19992->19990 19993 40e74e GetLastActivePopup 19992->19993 19994 40d0ff 101 API calls 19993->19994 19995 40e75d 19994->19995 19995->19990 19996 40e763 GetForegroundWindow 19995->19996 19997 40d0ff 101 API calls 19996->19997 19998 40e76f 19997->19998 19998->19990 20226 410f95 19998->20226 20000 40e77a 20000->19990 20001 40e77e SetForegroundWindow 20000->20001 20001->19990 20003 40bdeb 20002->20003 20005 40bdf1 20002->20005 20004 4124c5 ctype 2 API calls 20003->20004 20004->20005 20005->19885 20007 410a9a ctype 100 API calls 20006->20007 20008 410b15 20007->20008 20010 409d6d 100 API calls 20009->20010 20011 40be01 20010->20011 20012 40d126 20011->20012 20013 40d08b ctype 100 API calls 20012->20013 20014 40d12d 20013->20014 20014->19932 20015 412dee 20014->20015 20016 412df2 20015->20016 20018 412df7 20015->20018 20017 411163 ctype RaiseException 20016->20017 20017->20018 20018->19932 20020 40d85c __EH_prolog3 20019->20020 20021 40d896 ctype 20020->20021 20229 40d33e 20020->20229 20021->19897 20024 410b98 20023->20024 20025 410b8c 20023->20025 20024->19886 20026 410b4f ctype 100 API calls 20025->20026 20027 410b91 DeleteDC 20026->20027 20027->20024 20237 412c1a 20028->20237 20030 412c95 20058 409bae 20031->20058 20033 40a454 20034 40a473 GetParent 20033->20034 20038 40a458 20033->20038 20035 40d0ff 101 API calls 20034->20035 20036 40a482 20035->20036 20036->20038 20069 408994 20036->20069 20038->19944 20040 40da7c __EH_prolog3 20039->20040 20084 40d08b 20040->20084 20042 40da83 20043 412dee ctype RaiseException 20042->20043 20045 40da87 ctype 20042->20045 20044 40da99 20043->20044 20046 40da9d GetParent 20044->20046 20047 40dafe 20044->20047 20045->19947 20049 412dee ctype RaiseException 
20046->20049 20048 40d4a3 94 API calls 20047->20048 20048->20045 20050 40daac 20049->20050 20050->20045 20051 412dee ctype RaiseException 20050->20051 20052 40dac0 20051->20052 20052->20045 20092 40b50e 20052->20092 20057 40d850 ctype 101 API calls 20057->20045 20059 409bea 20058->20059 20060 409bbc 20058->20060 20061 409bc1 20059->20061 20066 409c6b 20059->20066 20062 41053c ctype 100 API calls 20060->20062 20063 411163 ctype RaiseException 20061->20063 20064 409bcc 20061->20064 20067 409bd1 20061->20067 20062->20061 20063->20064 20065 41053c ctype 100 API calls 20064->20065 20065->20067 20066->20067 20072 409a76 20066->20072 20067->20033 20076 41056f 20069->20076 20075 409a80 20072->20075 20073 411163 ctype RaiseException 20073->20075 20074 409a90 20074->20067 20075->20073 20075->20074 20077 41053c ctype 100 API calls 20076->20077 20078 410574 20077->20078 20081 408003 20078->20081 20082 411bc7 ctype 94 API calls 20081->20082 20083 40800d 20082->20083 20083->20038 20085 40d097 __EH_prolog3 20084->20085 20086 41056f ctype 100 API calls 20085->20086 20087 40d09c ctype 20086->20087 20088 407743 ctype 67 API calls 20087->20088 20090 40d0e3 ctype 20087->20090 20089 40d0bd 20088->20089 20089->20090 20100 411f1c 20089->20100 20090->20042 20110 409d6d 20092->20110 20095 40d4a3 20096 411bc7 ctype 94 API calls 20095->20096 20097 40d4b5 20096->20097 20098 40d4be 20097->20098 20099 411163 ctype RaiseException 20097->20099 20098->20057 20099->20098 20101 411f28 __EH_prolog3 ctype 20100->20101 20102 411163 ctype RaiseException 20101->20102 20103 411f76 20101->20103 20102->20101 20106 412d18 20103->20106 20105 411f80 ctype 20105->20090 20107 412d24 ctype 20106->20107 20108 407743 ctype 67 API calls 20107->20108 20109 412d56 _memset 20107->20109 20108->20109 20109->20105 20111 41053c ctype 100 API calls 20110->20111 20112 409d75 20111->20112 20112->20095 20114 40a2aa __EH_prolog3_GS 20113->20114 20115 410b99 101 API calls 20114->20115 20116 40a2b5 20115->20116 20117 40a2cf 
20116->20117 20118 40d05b 96 API calls 20116->20118 20119 410bed ctype 102 API calls 20117->20119 20118->20117 20120 40a2db 20119->20120 20137 415eb1 20120->20137 20140 415dfe 20123->20140 20125 410ba5 BeginPaint 20141 410b1c 20125->20141 20128 410be3 ctype 20128->19963 20176 415dfe 20130->20176 20132 410bf9 EndPaint 20177 410b4f 20132->20177 20134 410c1c 20135 410b80 ctype 101 API calls 20134->20135 20136 410c27 ctype 20135->20136 20136->19967 20138 414e70 _$I10_OUTPUT 5 API calls 20137->20138 20139 415ebb 20138->20139 20139->20139 20140->20125 20142 410b27 20141->20142 20143 410b3c 20141->20143 20150 410a9a 20142->20150 20143->20128 20147 410702 20143->20147 20145 410b31 20158 412fa0 20145->20158 20148 41840f __CxxThrowException@8 RaiseException 20147->20148 20149 41071b 20148->20149 20151 410aa6 __EH_prolog3 20150->20151 20152 41056f ctype 100 API calls 20151->20152 20153 410aab ctype 20152->20153 20154 407743 ctype 67 API calls 20153->20154 20156 410af2 ctype 20153->20156 20155 410acc 20154->20155 20155->20156 20157 411f1c ctype 68 API calls 20155->20157 20156->20145 20157->20156 20160 412fb9 20158->20160 20159 412fd5 20159->20143 20160->20159 20161 412fce 20160->20161 20162 412d18 ctype 67 API calls 20160->20162 20164 412f52 20161->20164 20162->20161 20165 412f69 20164->20165 20166 412f5b 20164->20166 20165->20159 20168 413dc9 20166->20168 20169 413dd1 20168->20169 20170 413df4 20168->20170 20169->20170 20171 413dd8 20169->20171 20172 411163 ctype RaiseException 20170->20172 20173 407743 ctype 67 API calls 20171->20173 20174 413df9 20172->20174 20175 413de6 20173->20175 20175->20165 20176->20132 20178 410b5a 20177->20178 20180 410b61 ctype 20177->20180 20179 410a9a ctype 100 API calls 20178->20179 20179->20180 20180->20134 20182 411fb1 __EH_prolog3_catch 20181->20182 20183 412dee ctype RaiseException 20182->20183 20192 411fba ctype 20182->20192 20184 411fcd 20183->20184 20185 412dee ctype RaiseException 20184->20185 20184->20192 20186 411fda ctype 20185->20186 
20186->20192 20198 413d89 20186->20198 20189 412014 20191 412fa0 68 API calls 20189->20191 20190 41112f ctype RaiseException 20190->20189 20191->20192 20192->19974 20194 411035 20193->20194 20195 40d11f 20193->20195 20194->20195 20196 41103b GetParent 20194->20196 20195->19977 20197 412dee ctype RaiseException 20196->20197 20197->20195 20199 413d92 20198->20199 20201 412009 20198->20201 20200 413dc9 68 API calls 20199->20200 20200->20201 20201->20189 20201->20190 20203 410f52 20202->20203 20204 410f46 GetWindowLongA 20202->20204 20204->19979 20206 40e3a7 20205->20206 20208 40e3a0 20205->20208 20206->19981 20208->20206 20209 40e3bc 20208->20209 20212 40e357 20208->20212 20210 40d0ff 101 API calls 20209->20210 20211 40e3c2 20210->20211 20211->19981 20213 40d126 100 API calls 20212->20213 20214 40e362 20213->20214 20215 40e376 GetWindowLongA 20214->20215 20216 40e366 20214->20216 20217 40e386 GetParent 20215->20217 20218 40e38f GetWindow 20215->20218 20221 40e0bc 20216->20221 20220 40e36d 20217->20220 20218->20220 20220->20208 20222 40e0c3 GetParent 20221->20222 20223 40e0cc 20221->20223 20222->20223 20224 40d0ff 101 API calls 20223->20224 20225 40e0d2 20224->20225 20225->20220 20227 410fa5 20226->20227 20228 410f9b IsWindowEnabled 20226->20228 20228->20000 20230 40d34b 20229->20230 20231 40d08b ctype 100 API calls 20230->20231 20232 40d372 20230->20232 20236 40d350 20230->20236 20233 40d35e 20231->20233 20235 40d383 KiUserCallbackDispatcher 20232->20235 20232->20236 20234 412dee ctype RaiseException 20233->20234 20234->20232 20235->20236 20236->20021 20238 412c26 __EH_prolog3 20237->20238 20239 41056f ctype 100 API calls 20238->20239 20241 412c2b ctype 20239->20241 20240 412c72 ctype 20240->20030 20241->20240 20242 407743 ctype 67 API calls 20241->20242 20243 412c4c 20242->20243 20243->20240 20244 411f1c ctype 68 API calls 20243->20244 20244->20240 20245 4011a0 20248 40a654 20245->20248 20247 4011a9 SendMessageA SendMessageA 20249 40a666 20248->20249 20250 40a65e 
20248->20250 20278 40fc4d 20249->20278 20270 40f804 20250->20270 20253 40a664 20254 40a674 20253->20254 20289 40ca48 20253->20289 20267 40a32b 20254->20267 20257 40a67b 20257->20247 20258 40a686 20258->20254 20259 40a68c 20258->20259 20293 410eea 20259->20293 20262 40a6b0 20262->20247 20263 40a69c 20298 40a5fe 20263->20298 20268 40a340 KiUserCallbackDispatcher 20267->20268 20269 40a334 20267->20269 20268->20257 20269->20268 20271 40f823 20270->20271 20272 40f8f6 20270->20272 20271->20272 20276 40f8d0 SendDlgItemMessageA 20271->20276 20308 408950 20271->20308 20274 40f910 20272->20274 20316 40d9f3 GetTopWindow 20272->20316 20274->20253 20276->20271 20277 40f88d SendDlgItemMessageA 20277->20271 20279 40fc90 20278->20279 20280 40fc5d 20278->20280 20281 40f804 152 API calls 20279->20281 20282 41053c ctype 100 API calls 20280->20282 20284 40fc98 20281->20284 20283 40fc62 FindResourceA 20282->20283 20283->20279 20285 40fc79 LoadResource 20283->20285 20286 40fca9 20284->20286 20288 40fca2 FreeResource 20284->20288 20285->20286 20287 40fc87 LockResource 20285->20287 20286->20253 20287->20279 20288->20286 20290 40ca54 __EH_prolog3_catch 20289->20290 20557 410010 20290->20557 20292 40ca69 ctype 20292->20258 20294 410ef0 GetDlgItem 20293->20294 20295 410f06 20293->20295 20296 40d0ff 101 API calls 20294->20296 20297 40a696 20296->20297 20297->20262 20297->20263 20299 41053c ctype 100 API calls 20298->20299 20300 40a609 20299->20300 20301 40a610 20300->20301 20302 407d24 100 API calls 20300->20302 20305 410f74 20301->20305 20304 40a61a 20302->20304 20303 41053c ctype 100 API calls 20303->20301 20304->20301 20304->20303 20306 410f8a 20305->20306 20307 410f7a ShowWindow 20305->20307 20307->20262 20309 40895c __EH_prolog3 20308->20309 20325 40805a 20309->20325 20314 40898a ctype 20314->20277 20317 40da05 20316->20317 20318 40da6a 20317->20318 20319 40da29 SendMessageA 20317->20319 20320 40d126 100 API calls 20317->20320 20321 40da5b GetWindow 20317->20321 20322 40da3f GetTopWindow 
20317->20322 20324 40d9f3 140 API calls 20317->20324 20438 40d712 20317->20438 20318->20274 20319->20317 20320->20317 20321->20317 20322->20317 20322->20321 20324->20321 20326 408065 20325->20326 20328 40806f 20325->20328 20327 4076f0 ctype 80 API calls 20326->20327 20327->20328 20329 4086e8 20328->20329 20330 4086f2 20329->20330 20331 408703 20329->20331 20330->20331 20337 4086c8 20330->20337 20331->20314 20333 408708 20331->20333 20334 408714 _strlen 20333->20334 20403 40860e 20334->20403 20342 411d57 20337->20342 20340 4086e4 20340->20331 20343 41053c ctype 100 API calls 20342->20343 20344 4086d4 20343->20344 20344->20340 20345 4085b5 20344->20345 20356 407cdb FindResourceA 20345->20356 20347 4085c8 20348 408604 20347->20348 20361 407d79 20347->20361 20348->20340 20350 4085df 20363 4084b6 20350->20363 20354 4085f8 20369 407d53 20354->20369 20357 407cf7 20356->20357 20358 407cf8 20356->20358 20357->20347 20374 407c7f LoadResource 20358->20374 20360 407d06 20360->20347 20362 407d7f WideCharToMultiByte 20361->20362 20362->20350 20364 4084da 20363->20364 20365 4084cf 20363->20365 20367 407d96 20364->20367 20379 4080f1 20365->20379 20368 407db1 WideCharToMultiByte 20367->20368 20368->20354 20370 407d5b 20369->20370 20371 4076f0 ctype 80 API calls 20370->20371 20372 407d62 20370->20372 20373 407d78 20371->20373 20372->20348 20375 407c92 20374->20375 20376 407c94 LockResource 20374->20376 20375->20360 20377 407ca2 SizeofResource 20376->20377 20378 407cb8 20376->20378 20377->20378 20378->20360 20380 408102 20379->20380 20382 408110 20380->20382 20383 408089 20380->20383 20382->20364 20384 4080a6 20383->20384 20385 4080bc 20384->20385 20389 407db9 20384->20389 20394 41651e 20385->20394 20388 4080d5 20388->20382 20390 4076f0 ctype 80 API calls 20389->20390 20391 407dc3 20390->20391 20392 407db9 80 API calls 20391->20392 20393 407def 20391->20393 20392->20393 20393->20385 20395 416530 _memset 20394->20395 20400 41652c _realloc 20394->20400 20396 416535 20395->20396 20399 
41657f 20395->20399 20395->20400 20397 4166fc __locking 67 API calls 20396->20397 20402 41653a 20397->20402 20398 4196b1 __locking 67 API calls 20398->20400 20399->20400 20401 4166fc __locking 67 API calls 20399->20401 20400->20388 20401->20402 20402->20398 20404 408621 20403->20404 20405 40861a 20403->20405 20407 408633 20404->20407 20408 4076f0 ctype 80 API calls 20404->20408 20418 408017 20405->20418 20409 4084b6 80 API calls 20407->20409 20408->20407 20411 408643 20409->20411 20410 40861f 20410->20314 20412 40865a 20411->20412 20413 40864b 20411->20413 20415 41651e _memcpy_s 67 API calls 20412->20415 20422 41662b 20413->20422 20416 408658 20415->20416 20417 407d53 80 API calls 20416->20417 20417->20410 20419 408029 20418->20419 20420 40803d 20418->20420 20419->20420 20421 4076f0 ctype 80 API calls 20419->20421 20420->20410 20421->20420 20423 416652 20422->20423 20424 416639 20422->20424 20423->20416 20425 41663e 20424->20425 20427 41665e 20424->20427 20426 4166fc __locking 67 API calls 20425->20426 20428 416643 20426->20428 20429 416671 20427->20429 20430 416663 20427->20430 20433 4196b1 __locking 67 API calls 20428->20433 20434 41db10 20429->20434 20431 4166fc __locking 67 API calls 20430->20431 20431->20428 20433->20423 20435 41db28 20434->20435 20436 41db4f __VEC_memcpy 20435->20436 20437 41db57 20435->20437 20436->20437 20437->20423 20439 40d71e __EH_prolog3_catch 20438->20439 20440 411bc7 ctype 94 API calls 20439->20440 20441 40d72d 20440->20441 20442 40d744 20441->20442 20443 411163 ctype RaiseException 20441->20443 20444 40d79b 20442->20444 20448 40be3c GetWindowRect 20442->20448 20443->20442 20446 40d7c4 ctype 20444->20446 20451 40d696 20444->20451 20446->20317 20449 410f40 GetWindowLongA 20448->20449 20450 40be55 20449->20450 20450->20444 20452 40d6a5 20451->20452 20453 40d70d 20451->20453 20454 410f40 GetWindowLongA 20452->20454 20453->20446 20455 40d6b0 20454->20455 20455->20453 20456 40d6b7 GetWindowRect 20455->20456 20456->20453 20457 40d6ce 
20456->20457 20457->20453 20458 40d6d6 GetWindow 20457->20458 20459 40d0ff 101 API calls 20458->20459 20460 40d6e7 20459->20460 20461 410f95 ctype IsWindowEnabled 20460->20461 20462 40d6f2 20460->20462 20461->20462 20462->20453 20464 40cad3 20462->20464 20465 410f40 GetWindowLongA 20464->20465 20466 40cae5 20465->20466 20467 40caef 20466->20467 20469 40cb08 GetWindow 20466->20469 20470 40cafd GetParent 20466->20470 20468 40cb2f GetWindowRect 20467->20468 20471 40cbd7 GetParent GetClientRect GetClientRect MapWindowPoints 20468->20471 20472 40cb4c 20468->20472 20473 40cb13 20469->20473 20470->20473 20486 40cc04 20471->20486 20474 40cb50 GetWindowLongA 20472->20474 20477 40cb60 20472->20477 20473->20468 20475 40cb19 SendMessageA 20473->20475 20474->20477 20475->20468 20476 40cb2d 20475->20476 20476->20468 20478 40cb74 20477->20478 20479 40cbae GetWindowRect 20477->20479 20494 407d24 20478->20494 20480 40adde 21 API calls 20479->20480 20482 40cbc1 20480->20482 20484 40ae49 80 API calls 20482->20484 20487 40cbc7 CopyRect 20484->20487 20518 410ff2 20486->20518 20487->20486 20490 40cc8f 20490->20453 20495 408994 100 API calls 20494->20495 20496 407d29 20495->20496 20497 40adde 20496->20497 20522 40ac9d 20497->20522 20499 40ade9 20500 40adfb 20499->20500 20501 40aded MonitorFromWindow 20499->20501 20502 40ae01 20500->20502 20503 40ae08 IsIconic 20500->20503 20501->20502 20508 40ae49 20502->20508 20504 40ae24 GetWindowRect 20503->20504 20505 40ae15 GetWindowPlacement 20503->20505 20506 40ae31 20504->20506 20505->20506 20506->20502 20535 40ad92 20506->20535 20509 40ac9d 14 API calls 20508->20509 20510 40ae54 20509->20510 20511 40ae58 GetMonitorInfoA 20510->20511 20512 40ae66 20510->20512 20517 40aed3 CopyRect CopyRect 20511->20517 20513 40ae7f SystemParametersInfoA 20512->20513 20512->20517 20514 40ae91 GetSystemMetrics GetSystemMetrics 20513->20514 20513->20517 20515 40aec1 20514->20515 20514->20517 20548 41835c 20515->20548 20517->20486 20519 411022 20518->20519 20520 
410ffb SetWindowPos 20518->20520 20520->20490 20523 40acb5 20522->20523 20524 40aca8 20522->20524 20543 40ac45 20523->20543 20524->20499 20527 40ad53 20527->20499 20528 40acd6 GetProcAddress 20528->20527 20529 40aced GetProcAddress 20528->20529 20529->20527 20530 40acfe GetProcAddress 20529->20530 20530->20527 20531 40ad0f GetProcAddress 20530->20531 20531->20527 20532 40ad20 GetProcAddress 20531->20532 20532->20527 20533 40ad31 GetProcAddress 20532->20533 20533->20527 20534 40ad42 GetProcAddress 20533->20534 20534->20527 20536 40ac9d 14 API calls 20535->20536 20537 40ad97 20536->20537 20538 40ada1 20537->20538 20539 40ad9b MonitorFromRect 20537->20539 20540 40add0 20538->20540 20541 40adba GetSystemMetrics 20538->20541 20539->20538 20540->20502 20541->20540 20542 40adc7 GetSystemMetrics 20541->20542 20542->20540 20544 416740 _memset 20543->20544 20545 40ac6b GetVersionExA 20544->20545 20546 414e70 _$I10_OUTPUT 5 API calls 20545->20546 20547 40ac9b GetModuleHandleA 20546->20547 20547->20527 20547->20528 20552 41836c 20548->20552 20549 418370 20550 418375 20549->20550 20551 4166fc __locking 67 API calls 20549->20551 20550->20517 20553 41838c 20551->20553 20552->20549 20552->20550 20555 4183b6 20552->20555 20554 4196b1 __locking 67 API calls 20553->20554 20554->20550 20555->20550 20556 4166fc __locking 67 API calls 20555->20556 20556->20553 20558 411bc7 ctype 94 API calls 20557->20558 20559 41001f 20558->20559 20559->20292 20560 40cde4 20561 40cdf2 PostMessageA 20560->20561 20562 40ce06 20560->20562 20561->20562 20563 40d805 20564 40d816 20563->20564 20565 40d811 20563->20565 20566 40d126 100 API calls 20564->20566 20567 40d820 20566->20567 20568 40d83b DefWindowProcA 20567->20568 20569 40d829 20567->20569 20568->20565 20570 40d712 140 API calls 20569->20570 20570->20565 20571 412529 8 API calls 20572 40798a 20573 407998 20572->20573 20576 4078c7 20573->20576 20577 407982 20576->20577 20581 4078fb 20576->20581 20578 4078fc RegOpenKeyExA 20578->20581 20579 407919 
RegQueryValueExA 20579->20581 20580 40796b RegCloseKey 20580->20581 20581->20577 20581->20578 20581->20579 20581->20580 20582 41584d 20637 416904 20582->20637 20584 415859 GetStartupInfoA GetProcessHeap HeapAlloc 20585 415898 GetVersionExA 20584->20585 20586 41588b 20584->20586 20588 4158b6 GetProcessHeap HeapFree 20585->20588 20589 4158a8 GetProcessHeap HeapFree 20585->20589 20727 4157e8 20586->20727 20591 4158e2 20588->20591 20590 415892 CallUnexpected 20589->20590 20638 419809 HeapCreate 20591->20638 20593 415923 20594 41592f 20593->20594 20595 4157e8 _fast_error_exit 67 API calls 20593->20595 20735 419304 GetModuleHandleA 20594->20735 20595->20594 20597 415935 20598 415941 __RTC_Initialize 20597->20598 20599 415939 20597->20599 20648 41b0e5 20598->20648 20600 4157e8 _fast_error_exit 67 API calls 20599->20600 20601 415940 20600->20601 20601->20598 20603 41594e 20604 415952 20603->20604 20605 41595a GetCommandLineA 20603->20605 20606 415ec0 __amsg_exit 67 API calls 20604->20606 20663 41afb0 20605->20663 20608 415959 20606->20608 20608->20605 20611 415974 20612 415980 20611->20612 20613 415978 20611->20613 20688 41ac84 20612->20688 20614 415ec0 __amsg_exit 67 API calls 20613->20614 20616 41597f 20614->20616 20616->20612 20618 415991 20702 415fdc 20618->20702 20619 415989 20620 415ec0 __amsg_exit 67 API calls 20619->20620 20622 415990 20620->20622 20622->20618 20623 415997 20624 4159a3 20623->20624 20625 41599c 20623->20625 20708 41ac27 20624->20708 20627 415ec0 __amsg_exit 67 API calls 20625->20627 20629 4159a2 20627->20629 20628 4159a8 20630 4159ad 20628->20630 20714 4269b4 20628->20714 20629->20624 20630->20628 20637->20584 20639 419829 20638->20639 20640 41982c 20638->20640 20639->20593 20782 4197ae 20640->20782 20643 41983b 20791 419a0a HeapAlloc 20643->20791 20644 41985f 20644->20593 20647 41984a HeapDestroy 20647->20639 20814 416904 20648->20814 20650 41b0f1 GetStartupInfoA 20651 4194c8 __calloc_crt 67 API calls 20650->20651 20653 41b112 20651->20653 20652 
41b31c CallUnexpected 20652->20603 20653->20652 20655 4194c8 __calloc_crt 67 API calls 20653->20655 20658 41b263 20653->20658 20659 41b1e6 20653->20659 20654 41b299 GetStdHandle 20654->20658 20655->20653 20656 41b2fe SetHandleCount 20656->20652 20657 41b2ab GetFileType 20657->20658 20658->20652 20658->20654 20658->20656 20658->20657 20660 41c503 ___crtInitCritSecAndSpinCount 67 API calls 20658->20660 20659->20652 20659->20658 20661 41b20f GetFileType 20659->20661 20815 41c503 20659->20815 20660->20658 20661->20659 20664 41afcc GetEnvironmentStringsW 20663->20664 20668 41afeb 20663->20668 20665 41afd4 20664->20665 20667 41afe0 GetLastError 20664->20667 20669 41b015 WideCharToMultiByte 20665->20669 20670 41b006 GetEnvironmentStringsW 20665->20670 20666 41b086 20671 41b08e GetEnvironmentStrings 20666->20671 20672 41596a 20666->20672 20667->20668 20668->20665 20668->20666 20675 41b049 20669->20675 20676 41b07b FreeEnvironmentStringsW 20669->20676 20670->20669 20670->20672 20671->20672 20673 41b09e 20671->20673 20768 41aef7 20672->20768 20677 419488 __malloc_crt 67 API calls 20673->20677 20843 419488 20675->20843 20676->20672 20679 41b0b7 20677->20679 20681 41b0ca _realloc 20679->20681 20682 41b0be FreeEnvironmentStringsA 20679->20682 20685 41b0d2 FreeEnvironmentStringsA 20681->20685 20682->20672 20683 41b058 WideCharToMultiByte 20684 41b069 20683->20684 20687 41b072 20683->20687 20686 415296 ___free_lc_time 67 API calls 20684->20686 20685->20672 20686->20687 20687->20676 20689 41ac91 20688->20689 20691 41ac96 _strlen 20688->20691 20848 41f51e 20689->20848 20692 4194c8 __calloc_crt 67 API calls 20691->20692 20696 415985 20691->20696 20693 41acc9 _strlen 20692->20693 20694 41ad24 20693->20694 20693->20696 20697 4194c8 __calloc_crt 67 API calls 20693->20697 20698 41ad49 20693->20698 20701 4195b5 __invoke_watson 10 API calls 20693->20701 20852 4164b9 20693->20852 20695 415296 ___free_lc_time 67 API calls 20694->20695 20695->20696 20696->20618 20696->20619 20697->20693 
          Call Graph: edge listing of the sample's call graph (node id, address, resolved API name or CRT function, call count, and edges), rendered in the original report as an interactive graph; the raw edge listing is not reproduced here.

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1100 4011e0-401205 IsIconic 1101 401285-401287 call 40a29e 1100->1101 1102 401207-401283 call 410b99 SendMessageA GetSystemMetrics * 2 GetClientRect DrawIcon call 410bed 1100->1102 1106 40128c-401292 1101->1106 1102->1106 1108 4012a4-4012ae 1106->1108 1109 401294-4012a2 1106->1109 1110 4012af-4012be PostMessageA call 414e70 1108->1110 1109->1110 1113 4012c3-4012c6 1110->1113
          APIs
          • IsIconic.USER32(?), ref: 004011FD
          • PostMessageA.USER32(?,00000111,00000001,00000000), ref: 004012AF
            • Part of subcall function 00410B99: __EH_prolog3.LIBCMT ref: 00410BA0
            • Part of subcall function 00410B99: BeginPaint.USER32(?,?,00000004,0040A2B5,?,00000058,0040128C), ref: 00410BCC
          • SendMessageA.USER32(?,00000027,?,00000000), ref: 0040121E
          • GetSystemMetrics.USER32(0000000B), ref: 0040122C
          • GetSystemMetrics.USER32(0000000C), ref: 00401232
          • GetClientRect.USER32(?,?), ref: 0040123F
          • DrawIcon.USER32(?,?,?,?), ref: 00401274
            • Part of subcall function 00410BED: __EH_prolog3.LIBCMT ref: 00410BF4
            • Part of subcall function 00410BED: EndPaint.USER32(?,?,00000004,0040A2DB,?,?,00000058,0040128C), ref: 00410C0F
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: H_prolog3MessageMetricsPaintSystem$BeginClientDrawIconIconicPostRectSend
          • String ID:
          • API String ID: 1198005924-0
          • Opcode ID: d957c43212098004ffa7a869256a3e9c38a637d00e5d600abb66fae77cbfdd81
          • Instruction ID: 2cb558998c9d2d8b9f87711dfcca98a20d6505e2e31cedd1218b1814a9bacb96
          • Opcode Fuzzy Hash: d957c43212098004ffa7a869256a3e9c38a637d00e5d600abb66fae77cbfdd81
          • Instruction Fuzzy Hash: 392182723147019BD320DB78DC89EAFB7E9BB88B00F040A2DBA85D72D0DA74E801CB55

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 1253 407dfe-407e24 1254 407e26-407e3c call 4164b9 call 407660 1253->1254 1255 407e3e-407e4e GetLocaleInfoA 1253->1255 1257 407e50-407e8d call 4166fc * 2 call 4166a2 call 4166fc 1254->1257 1255->1257 1258 407ebe 1255->1258 1273 407e9e-407ea3 call 4166fc 1257->1273 1274 407e8f-407e9c call 4166fc call 407c2f 1257->1274 1260 407ec0-407ecd call 414e70 1258->1260 1279 407ea5-407ea9 1273->1279 1274->1279 1279->1258 1281 407eab-407ead 1279->1281 1281->1258 1283 407eaf-407ebc LoadLibraryA 1281->1283 1283->1260
          APIs
          • _strcpy_s.LIBCMT ref: 00407E2E
          • GetLocaleInfoA.KERNELBASE(00000800,00000003,?,00000004), ref: 00407E46
          • __snprintf_s.LIBCMT ref: 00407E7B
          • LoadLibraryA.KERNELBASE(?), ref: 00407EB6
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: InfoLibraryLoadLocale__snprintf_s_strcpy_s
          • String ID: LOC
          • API String ID: 2170468217-519433814
          • Opcode ID: 54238d3c5981796d45d7906c93773c0b668ae4a44977430decbf1fd035f55793
          • Instruction ID: 356791bd09c69834253bde8ead19dc6b58b81336efc313773f87872c2a8e969f
          • Opcode Fuzzy Hash: 54238d3c5981796d45d7906c93773c0b668ae4a44977430decbf1fd035f55793
          • Instruction Fuzzy Hash: 2A119071A05218AADB14AB65CC46BEB37AC9B01314F2004FBB605A71D1DA7DAD8186EE
          APIs
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: H_prolog3
          • String ID:
          • API String ID: 431132790-0
          • Opcode ID: 8ebabe68df96ef386d4cdfcbd1c94cfd64f70b5ead23ade6c0858d3b8d03fee3
          • Instruction ID: 6df47e771510460fe47ec51d90da2760da4555d72dc76d363398eb389f80cd40
          • Opcode Fuzzy Hash: 8ebabe68df96ef386d4cdfcbd1c94cfd64f70b5ead23ade6c0858d3b8d03fee3
          • Instruction Fuzzy Hash: D6F14C7050020AEFDB24DF55C880ABE77B9EF04314F10853AF819AA6D1DB39DD16DB69
          APIs
          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040515A
          • GetPrinterDriverDirectoryA.WINSPOOL.DRV(00000000,Windows x64,00000001,?,00000104,?), ref: 004051CB
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Directory$DriverPrinterSystem
          • String ID: "$"$#$#$,$0$0$16Meg$2$Action$Attributes$Automatically Select$C$ChangeID$Configuration File$DSCAPE$Data File$Datatype$Default DevMode$Default Priority$Dependent Files$DependentFiles$Description$Driver$DriverDate$DriverVersion$DsKeyUpdate$DsKeyUpdateForeground$FILE:$False$FeatureKeyword$FeatureKeywordSize$Forms?$FreeMem$G$G$HardwareID$Help File$I$InitDriverVersion$InstalledMemory$JobTimeOut$K$L$Letter$Letter$Location$Manufacturer$Monitor$Name$OEM URL$ObjectGUID$OptionalCassettel$P$PORTRAIT$PS5UI.DLL$PSCRIPT.HLP$PSCRIPT.NTF$PSCRIPT5.DLL$PSI PostScript$PSIPSCRP.PPD$PSI_PostScript_2004$PagesPerMinute$Parameters$Poly Software International$Port$PostScript$Previous Names$Print Processor$PrintAfterSpooled$Printer Driver$PrinterData$PrinterDataSize$Priority$Protocol$Provider$R$RAW$S$SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\PSI PostScript$SYSTEM\CurrentControlSet\Control\Print\Printers\PSI PostScript$Security$Separator File$Share Name$Software\Microsoft\Windows NT\CurrentVersion\Devices$Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts$SpoolDirectory$StartTime$Status$TempDir$UntilTime$V$Version$WinPrint$Windows x64$X$X$X$\$\DsDriver$\DsSpooler$\PnPData$\PrinterDriverData$\spool\drivers\x64\3\$\spool\drivers\x64\3\PS5UI.DLL$\spool\drivers\x64\3\PSCRIPT5.DLL$\spool\drivers\x64\3\PSIPSCRP.PPD$_$_$c$c$d$d$description$dnsTimeout$driverName$driverVersion$flags$h$k$k$location$n$n$o$portName$postscrp\WinEx\$printBinNames$printCollate$printColor$printDuplexSupported$printEndTime$printKeepPrintedJobs$printLanguage$printMaxResolutionSupported$printMaxXExtent$printMaxYExtent$printMediaReady$printMediaSupported$printMemory$printMinXExtent$printMinYExtent$printNumberUp$printOrientationsSupported$printPagesPerMinute$printRate$printRateUnit$printSeparatorFile$printShareName$printSpooling$printStaplingSupported$printStartTime$printerName$priority$r$t$t$t$t$txTimeout$versionNumber$winspool,FILE:$winspool,FILE:,15,45
          • API String ID: 2093594902-4210976597
          • Opcode ID: db329deae54e576afa2e223d5116baf396c9b24e65fd74ea5326c4380de0da96
          • Instruction ID: 52120960cda935a8e7c0ce2ee78a607104931f74c7628c6aa3158deb102812a9
          • Opcode Fuzzy Hash: db329deae54e576afa2e223d5116baf396c9b24e65fd74ea5326c4380de0da96
          • Instruction Fuzzy Hash: 333390702083809FD320CF28DC55FDBBBE4AF89704F54895DE9889B392D7B59509CB9A
          APIs
          • CopyFileA.KERNEL32(?,?,00000000), ref: 0040529D
          • CopyFileA.KERNEL32(?,?,00000000), ref: 0040530F
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CopyFile
          • String ID: "$"$#$#$,$0$0$16Meg$2$Action$Attributes$Automatically Select$C$ChangeID$Configuration File$DSCAPE$Data File$Datatype$Default DevMode$Default Priority$Dependent Files$DependentFiles$Description$Driver$DriverDate$DriverVersion$DsKeyUpdate$DsKeyUpdateForeground$FILE:$False$FeatureKeyword$FeatureKeywordSize$Forms?$FreeMem$G$G$HardwareID$Help File$I$InitDriverVersion$InstalledMemory$JobTimeOut$K$L$Letter$Letter$Location$Manufacturer$Monitor$Name$OEM URL$ObjectGUID$OptionalCassettel$P$PORTRAIT$PS5UI.DLL$PSCRIPT.HLP$PSCRIPT.NTF$PSCRIPT5.DLL$PSI PostScript$PSIPSCRP.PPD$PSI_PostScript_2004$PagesPerMinute$Parameters$Poly Software International$Port$PostScript$Previous Names$Print Processor$PrintAfterSpooled$Printer Driver$PrinterData$PrinterDataSize$Priority$Protocol$Provider$R$RAW$S$SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\PSI PostScript$SYSTEM\CurrentControlSet\Control\Print\Printers\PSI PostScript$Security$Separator File$Share Name$Software\Microsoft\Windows NT\CurrentVersion\Devices$Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts$SpoolDirectory$StartTime$Status$TempDir$UntilTime$V$Version$WinPrint$Windows x64$X$X$X$\$\DsDriver$\DsSpooler$\PnPData$\PrinterDriverData$\spool\drivers\x64\3\PS5UI.DLL$\spool\drivers\x64\3\PSCRIPT5.DLL$\spool\drivers\x64\3\PSIPSCRP.PPD$_$_$c$c$d$d$description$dnsTimeout$driverName$driverVersion$flags$h$k$k$location$n$n$o$portName$printBinNames$printCollate$printColor$printDuplexSupported$printEndTime$printKeepPrintedJobs$printLanguage$printMaxResolutionSupported$printMaxXExtent$printMaxYExtent$printMediaReady$printMediaSupported$printMemory$printMinXExtent$printMinYExtent$printNumberUp$printOrientationsSupported$printPagesPerMinute$printRate$printRateUnit$printSeparatorFile$printShareName$printSpooling$printStaplingSupported$printStartTime$printerName$priority$r$t$t$t$t$txTimeout$versionNumber$winspool,FILE:$winspool,FILE:,15,45
          • API String ID: 1304948518-2994864886
          • Opcode ID: 57ab34039b0065c314a4f5afe774d8637201c2448be858b7ae451226f9647b91
          • Instruction ID: 80271bb0aaf97ee978e00ac9e428c37236e0aca3b1a888713b8f1e5b841920a0
          • Opcode Fuzzy Hash: 57ab34039b0065c314a4f5afe774d8637201c2448be858b7ae451226f9647b91
          • Instruction Fuzzy Hash: 8A239F702083809FD320CF28CC55FDBBBE4AF99704F54895DE9889B392D7B59509CB6A
          APIs
          • CopyFileA.KERNEL32(?,?,00000001), ref: 004055C4
          • CopyFileA.KERNEL32(?,?,00000001), ref: 00405626
          • CopyFileA.KERNEL32(?,?,00000001), ref: 004056C4
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CopyFile
          • String ID: "$"$#$#$,$0$0$16Meg$2$Action$Attributes$Automatically Select$C$ChangeID$Configuration File$DSCAPE$Data File$Datatype$Default DevMode$Default Priority$Dependent Files$DependentFiles$Description$Driver$DriverDate$DriverVersion$DsKeyUpdate$DsKeyUpdateForeground$FILE:$False$FeatureKeyword$FeatureKeywordSize$Forms?$FreeMem$G$G$HardwareID$Help File$I$InitDriverVersion$InstalledMemory$JobTimeOut$K$L$Letter$Letter$Location$Manufacturer$Monitor$Name$OEM URL$ObjectGUID$OptionalCassettel$P$PORTRAIT$PS5UI.DLL$PSCRIPT.HLP$PSCRIPT.NTF$PSCRIPT5.DLL$PSI PostScript$PSIPSCRP.PPD$PSI_PostScript_2004$PagesPerMinute$Parameters$Poly Software International$Port$PostScript$Previous Names$Print Processor$PrintAfterSpooled$Printer Driver$PrinterData$PrinterDataSize$Priority$Protocol$Provider$R$RAW$S$SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\PSI PostScript$SYSTEM\CurrentControlSet\Control\Print\Printers\PSI PostScript$Security$Separator File$Share Name$Software\Microsoft\Windows NT\CurrentVersion\Devices$Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts$SpoolDirectory$StartTime$Status$TempDir$UntilTime$V$Version$WinPrint$Windows x64$X$X$X$\$\DsDriver$\DsSpooler$\PnPData$\PrinterDriverData$\spool\drivers\x64\3\PS5UI.DLL$\spool\drivers\x64\3\PSCRIPT5.DLL$\spool\drivers\x64\3\PSIPSCRP.PPD$_$_$c$c$d$d$description$dnsTimeout$driverName$driverVersion$flags$h$k$k$location$n$n$o$portName$printBinNames$printCollate$printColor$printDuplexSupported$printEndTime$printKeepPrintedJobs$printLanguage$printMaxResolutionSupported$printMaxXExtent$printMaxYExtent$printMediaReady$printMediaSupported$printMemory$printMinXExtent$printMinYExtent$printNumberUp$printOrientationsSupported$printPagesPerMinute$printRate$printRateUnit$printSeparatorFile$printShareName$printSpooling$printStaplingSupported$printStartTime$printerName$priority$r$t$t$t$t$txTimeout$versionNumber$winspool,FILE:$winspool,FILE:,15,45
          • API String ID: 1304948518-2994864886
          • Opcode ID: 5a7ddd9c88f4f9850c14bda16c4c57326df0af19a845e897518f8fdab045c2fd
          • Instruction ID: 79603146fa99d37d6b80a88210e2a2fa914ce3bce67222c78089406a6457edaf
          • Opcode Fuzzy Hash: 5a7ddd9c88f4f9850c14bda16c4c57326df0af19a845e897518f8fdab045c2fd
          • Instruction Fuzzy Hash: 20137D702083809FD331CF28CC95FDBBBE4AF99704F54495DE9889B282D7B59509CB6A
          APIs
          • CopyFileA.KERNEL32(?,?,00000001), ref: 004056C4
          • CopyFileA.KERNEL32(?,?,00000001), ref: 00405726
          • RegCreateKeyExA.KERNELBASE(80000002,?,00000000,0042C6BD,00000000,000F003F,00000000,?,?), ref: 0040577C
          • RegSetValueExA.KERNELBASE ref: 004057AC
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CopyFile$CreateValue
          • String ID: "$"$#$#$,$0$0$16Meg$2$Action$Attributes$Automatically Select$C$ChangeID$Configuration File$DSCAPE$Data File$Datatype$Default DevMode$Default Priority$Dependent Files$DependentFiles$Description$Driver$DriverDate$DriverVersion$DsKeyUpdate$DsKeyUpdateForeground$FILE:$False$FeatureKeyword$FeatureKeywordSize$Forms?$FreeMem$G$G$HardwareID$Help File$I$InitDriverVersion$InstalledMemory$JobTimeOut$K$L$Letter$Letter$Location$Manufacturer$Monitor$Name$OEM URL$ObjectGUID$OptionalCassettel$P$PORTRAIT$PS5UI.DLL$PSCRIPT.HLP$PSCRIPT.NTF$PSCRIPT5.DLL$PSI PostScript$PSIPSCRP.PPD$PSI_PostScript_2004$PagesPerMinute$Parameters$Poly Software International$Port$PostScript$Previous Names$Print Processor$PrintAfterSpooled$Printer Driver$PrinterData$PrinterDataSize$Priority$Protocol$Provider$R$RAW$S$SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\PSI PostScript$SYSTEM\CurrentControlSet\Control\Print\Printers\PSI PostScript$Security$Separator File$Share Name$Software\Microsoft\Windows NT\CurrentVersion\Devices$Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts$SpoolDirectory$StartTime$Status$TempDir$UntilTime$V$Version$WinPrint$Windows x64$X$X$X$\$\DsDriver$\DsSpooler$\PnPData$\PrinterDriverData$\spool\drivers\x64\3\PS5UI.DLL$\spool\drivers\x64\3\PSCRIPT5.DLL$\spool\drivers\x64\3\PSIPSCRP.PPD$_$_$c$c$d$d$description$dnsTimeout$driverName$driverVersion$flags$h$k$k$location$n$n$o$portName$printBinNames$printCollate$printColor$printDuplexSupported$printEndTime$printKeepPrintedJobs$printLanguage$printMaxResolutionSupported$printMaxXExtent$printMaxYExtent$printMediaReady$printMediaSupported$printMemory$printMinXExtent$printMinYExtent$printNumberUp$printOrientationsSupported$printPagesPerMinute$printRate$printRateUnit$printSeparatorFile$printShareName$printSpooling$printStaplingSupported$printStartTime$printerName$priority$r$t$t$t$t$txTimeout$versionNumber$winspool,FILE:$winspool,FILE:,15,45
          • API String ID: 2075417184-2994864886
          • Opcode ID: 8ec53f102b56b785fb6ff66392d0df305f656415e73fd5023198ae5c45326b28
          • Instruction ID: e78c0fb21831088cfabfdedf00a439490a49f203709a927ade8787e54088f628
          • Opcode Fuzzy Hash: 8ec53f102b56b785fb6ff66392d0df305f656415e73fd5023198ae5c45326b28
          • Instruction Fuzzy Hash: 88137E702083809ED330CF28CC85FDBBBE4AF99704F54495DF9889B282D7B59509CB6A

          Control-flow Graph

          APIs
          • __EH_prolog3.LIBCMT ref: 0040815C
          • GetModuleHandleA.KERNEL32(kernel32.dll,0000005C), ref: 00408186
          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00408197
          • ConvertDefaultLocale.KERNELBASE(?), ref: 004081CD
          • ConvertDefaultLocale.KERNELBASE(?), ref: 004081D5
          • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 004081E9
          • ConvertDefaultLocale.KERNEL32(?), ref: 0040820D
          • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 00408213
          • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040824C
          • GetVersion.KERNEL32 ref: 00408261
          • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00408286
          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 004082AB
          • _sscanf.LIBCMT ref: 004082CB
          • ConvertDefaultLocale.KERNEL32(?), ref: 00408300
          • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 00408306
          • RegCloseKey.ADVAPI32(?), ref: 00408315
          • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00408325
          • EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,00407778,?), ref: 00408340
          • ConvertDefaultLocale.KERNEL32(?), ref: 00408371
          • ConvertDefaultLocale.KERNEL32(74DEF550), ref: 00408377
          • _memset.LIBCMT ref: 00408391
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
          • String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
          • API String ID: 434808117-483790700
          • Opcode ID: 4091190f9f0fbb077996a84ca952ad98317a5ebcf66638a79d616f5d58a2f214
          • Instruction ID: 6061191e2fa6f338e2168a0d9a4918118a4724795adc35a4a7787741727ec376
          • Opcode Fuzzy Hash: 4091190f9f0fbb077996a84ca952ad98317a5ebcf66638a79d616f5d58a2f214
          • Instruction Fuzzy Hash: 27813CB1D002199EDB20DFA5DD85AFEBBB4EB58304F50043EE945F3280DB789A45CB65

          Control-flow Graph
          APIs
          • __EH_prolog3_GS.LIBCMT ref: 0040E8E7
            • Part of subcall function 00411BC7: __EH_prolog3.LIBCMT ref: 00411BCE
          • CallNextHookEx.USER32(?,?,?,?), ref: 0040E92B
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          • GetClassLongA.USER32(?,000000E6), ref: 0040E96F
          • GlobalGetAtomNameA.KERNEL32(?,?,?,?,?,?,00000005), ref: 0040E999
          • SetWindowLongA.USER32(?,000000FC,Function_0000D805), ref: 0040E9EE
          • _memset.LIBCMT ref: 0040EA38
          • GetClassLongA.USER32(?,000000E0), ref: 0040EA68
          • GetClassNameA.USER32(?,?,00000100), ref: 0040EA89
          • GetWindowLongA.USER32(?,000000FC), ref: 0040EAAD
          • GetPropA.USER32(?,AfxOldWndProc423), ref: 0040EAC7
          • SetPropA.USER32(?,AfxOldWndProc423,?), ref: 0040EAD2
          • GetPropA.USER32(?,AfxOldWndProc423), ref: 0040EADA
          • GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 0040EAE2
          • SetWindowLongA.USER32(?,000000FC,Function_0000E793), ref: 0040EAF0
          • CallNextHookEx.USER32(?,00000003,?,?), ref: 0040EB08
          • UnhookWindowsHookEx.USER32(?), ref: 0040EB1C
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
          • String ID: #32768$AfxOldWndProc423$TIC$ime
          • API String ID: 867647115-155515278
          • Opcode ID: b67ba74b26a4dda1633a841d9b7aa6a4a806781572c191a20e6ac175f8f634cb
          • Instruction ID: df8785d16cb0b0396623aae6911624b5cf3ccb6df331f72975e3a1ab13736cfb
          • Opcode Fuzzy Hash: b67ba74b26a4dda1633a841d9b7aa6a4a806781572c191a20e6ac175f8f634cb
          • Instruction Fuzzy Hash: 0461A571601225ABDB309B62DC45BEF7B78BF48311F10057AF505B22D1DB789951CFA8

          Control-flow Graph
          APIs
            • Part of subcall function 00410F40: GetWindowLongA.USER32(?,000000F0), ref: 00410F4B
          • GetParent.USER32(?), ref: 0040CB00
          • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0040CB23
          • GetWindowRect.USER32(?,?), ref: 0040CB3D
          • GetWindowLongA.USER32(00000000,000000F0), ref: 0040CB53
          • CopyRect.USER32(?,?), ref: 0040CBA0
          • CopyRect.USER32(?,?), ref: 0040CBAA
          • GetWindowRect.USER32(00000000,?), ref: 0040CBB3
            • Part of subcall function 0040ADDE: MonitorFromWindow.USER32(00000002,00000000), ref: 0040ADF3
            • Part of subcall function 0040AE49: GetMonitorInfoA.USER32(00000002,00000000), ref: 0040AE5E
          • CopyRect.USER32(?,?), ref: 0040CBCF
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
          • String ID:
          • API String ID: 1450647913-0
          • Opcode ID: 9f55360319e41a82ddd6ef4d02b7f967fecafbd572db9dbd199cfdfa160c580d
          • Instruction ID: bcd0fe416ecb94a69a8959aff5a65d7f5514697d6ed63ed5434a7a42813613a5
          • Opcode Fuzzy Hash: 9f55360319e41a82ddd6ef4d02b7f967fecafbd572db9dbd199cfdfa160c580d
          • Instruction Fuzzy Hash: 9C516372A00219EBDB10DBA8DC85EEF77B9AF48714F15422AF905F3290DB34E945CB54

          Control-flow Graph
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
          • String ID: .CHM$.HLP$.INI
          • API String ID: 1153805871-4017452060
          • Opcode ID: fd516aa29109104b9f003b752ed3b29be5510fed6697734e79867fb4014907fc
          • Instruction ID: 85b72f27256d41f5c39b9b18a29040ef169d0208148fb319c672ba0d35ecc162
          • Opcode Fuzzy Hash: fd516aa29109104b9f003b752ed3b29be5510fed6697734e79867fb4014907fc
          • Instruction Fuzzy Hash: 68413E71600208AEDB31EF75DD85BDA77ECAB04319F40482BE945D7241EB78EA848B68

          Control-flow Graph
          APIs
          • __EH_prolog3_catch.LIBCMT ref: 0040A9B1
          • FindResourceA.KERNEL32(?,?,00000005), ref: 0040A9E4
          • LoadResource.KERNEL32(?,00000000), ref: 0040A9EC
          • LockResource.KERNEL32(?,00000024,0040108B), ref: 0040A9FD
          • GetDesktopWindow.USER32 ref: 0040AA30
          • IsWindowEnabled.USER32(?), ref: 0040AA3E
          • EnableWindow.USER32(?,00000000), ref: 0040AA4D
            • Part of subcall function 00410F95: IsWindowEnabled.USER32(?), ref: 00410F9E
            • Part of subcall function 00410FB0: EnableWindow.USER32(?,?), ref: 00410FBD
          • EnableWindow.USER32(?,00000001), ref: 0040AB31
          • GetActiveWindow.USER32 ref: 0040AB3C
          • SetActiveWindow.USER32(?,?,00000024,0040108B), ref: 0040AB4A
          • FreeResource.KERNEL32(?,?,00000024,0040108B), ref: 0040AB66
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
          • String ID:
          • API String ID: 1509511306-0
          • Opcode ID: a8e6bcb425e1d2ec2310680d172936001cbcf3763b3c7d90c8151525b2816c9d
          • Instruction ID: d1cd03d171cc342a27a5658575f0b71dff1fdc6a01eb683dc7e1bb17f6a2a0e5
          • Opcode Fuzzy Hash: a8e6bcb425e1d2ec2310680d172936001cbcf3763b3c7d90c8151525b2816c9d
          • Instruction Fuzzy Hash: 3F518F30A007059FDF21EFA5C9496AEBAB1AF44705F14013FE501B62D1CB799992CF5E

          Control-flow Graph

          APIs
          • __EH_prolog3_catch.LIBCMT ref: 0040E79A
          • GetPropA.USER32(?,AfxOldWndProc423), ref: 0040E7A9
          • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0040E803
            • Part of subcall function 0040D696: GetWindowRect.USER32(?,10000000), ref: 0040D6BE
            • Part of subcall function 0040D696: GetWindow.USER32(?,00000004), ref: 0040D6DB
          • SetWindowLongA.USER32(?,000000FC,?), ref: 0040E82A
          • RemovePropA.USER32(?,AfxOldWndProc423), ref: 0040E832
          • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0040E839
          • GlobalDeleteAtom.KERNEL32(00000000), ref: 0040E840
            • Part of subcall function 0040BE3C: GetWindowRect.USER32(?,?), ref: 0040BE48
          • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0040E894
          Similarity
          • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
          • String ID: AfxOldWndProc423
          • API String ID: 2702501687-1060338832
          • Opcode ID: eaea662c7dd800adeacd400f5abcd59952bb92b971d328189b060cb4180bbefe
          • Instruction ID: 3ef06856741e9c76716936ddd89ae3305242d91dc734ea30ca630994296b6d39
          • Opcode Fuzzy Hash: eaea662c7dd800adeacd400f5abcd59952bb92b971d328189b060cb4180bbefe
          • Instruction Fuzzy Hash: 0731933290111AABCF15AFE5DD49EFF3A78EF44304F10453EF901B2191CB3989269B69

          Control-flow Graph (function 0040A7B2; graph edge data not reproduced)
          APIs
          • __EH_prolog3_catch.LIBCMT ref: 0040A7B9
          • GetSystemMetrics.USER32(0000002A), ref: 0040A86A
          • GlobalLock.KERNEL32(?), ref: 0040A8D3
          • CreateDialogIndirectParamA.USER32(?,?,?,0040A22D,00000000), ref: 0040A902
          Similarity
          • API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
          • String ID: MS Shell Dlg
          • API String ID: 1736106359-76309092
          • Opcode ID: 550d626c53a89f7207f54241e0cdb3e65de2bdc7191531ae86f8013fc33873dd
          • Instruction ID: fb72d335df5aef2b00842ff1d2f546dbb535b5d8c517d736f84a31d4b967b598
          • Opcode Fuzzy Hash: 550d626c53a89f7207f54241e0cdb3e65de2bdc7191531ae86f8013fc33873dd
          • Instruction Fuzzy Hash: 4351C372A002069FCF10EFA5C9859EE7BB0AF04314F55453EE511B72D1DB389D92CB9A

          Control-flow Graph

          APIs
          • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00412536
          • GetSystemMetrics.USER32(0000000C), ref: 0041253D
          • GetSystemMetrics.USER32(00000002), ref: 00412544
          • GetSystemMetrics.USER32(00000003), ref: 0041254E
          • GetDC.USER32(00000000), ref: 00412558
          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00412569
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00412571
          • ReleaseDC.USER32(00000000,00000000), ref: 00412579
          Similarity
          • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
          • String ID:
          • API String ID: 1031845853-0
          • Opcode ID: 6b7b0216b4313cc4c63d536976401ed3bd53db1a66c7db4c387e221c11a2dc80
          • Instruction ID: 96da91092ecdbe99d2390495c3617903e299c20242a0088fda9554a6f65b0f17
          • Opcode Fuzzy Hash: 6b7b0216b4313cc4c63d536976401ed3bd53db1a66c7db4c387e221c11a2dc80
          • Instruction Fuzzy Hash: 8EF03071A41704AFE730AF729C49F2B7BA4EBC1B51F11442EE6418B2D0DAB598028F64

          Control-flow Graph (function 0040CC95; graph edge data not reproduced)
          APIs
          • GetParent.USER32(?), ref: 0040CCC3
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040CCEA
          • UpdateWindow.USER32(?), ref: 0040CD04
          • SendMessageA.USER32(?,00000121,00000000,?), ref: 0040CD28
          • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 0040CD42
          • UpdateWindow.USER32(?), ref: 0040CD88
          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040CDBC
            • Part of subcall function 00410F40: GetWindowLongA.USER32(?,000000F0), ref: 00410F4B
          Similarity
          • API ID: Message$Window$PeekSendUpdate$LongParent
          • String ID:
          • API String ID: 2853195852-0
          • Opcode ID: ba3d575e81675f6fa093e9c2fd320c6d17922563ed6f116a849d4d0f47f5c623
          • Instruction ID: dff2b77a716b1da47d70b977c108edf64ab04fc9ce7d5c358a9e485d7bade369
          • Opcode Fuzzy Hash: ba3d575e81675f6fa093e9c2fd320c6d17922563ed6f116a849d4d0f47f5c623
          • Instruction Fuzzy Hash: 32417D30204741DBD7219F25C884A2BBEF4FF84B04F000B3EF485A22E1DB7A9945DA5A

          Control-flow Graph (function 00407520; graph edge data not reproduced)
          APIs
          • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,0042C6BD,00000000,?,?), ref: 0040753B
          • LocalAlloc.KERNELBASE(00000040,?,00000002,00000000,00000002,0042C6BD,00000000,?,?), ref: 00407547
          • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,?,?,?), ref: 00407569
          • LocalFree.KERNEL32(00000000), ref: 00407577
          • LocalFree.KERNEL32(00000000), ref: 004075D6
          Similarity
          • API ID: Local$EnumFreePrinters$Alloc
          • String ID: PSI PostScript
          • API String ID: 1308648187-3279905418
          • Opcode ID: 600c4d0b8b706deae3e73b87a3284e7a6724f558302541a345c4f9f54f86129c
          • Instruction ID: 3b1a4358b7ca8abe527cf5ef31d9de01ed5f213e869c096ab639a0e2ee408975
          • Opcode Fuzzy Hash: 600c4d0b8b706deae3e73b87a3284e7a6724f558302541a345c4f9f54f86129c
          • Instruction Fuzzy Hash: 3911E472B44301BBE7109661EC46FEB739CDB84B04F80442EFD09A6181EA78F904866A

          Control-flow Graph (function 00411834; graph edge data not reproduced)
          APIs
          • GlobalAlloc.KERNELBASE(00000002,00000000), ref: 00411841
          • GlobalHandle.KERNEL32(?), ref: 0041187C
          • GlobalLock.KERNEL32(00000000), ref: 00411883
          • LeaveCriticalSection.KERNEL32(?), ref: 0041188D
          • GlobalLock.KERNEL32(00000000), ref: 00411899
          • _memset.LIBCMT ref: 004118B2
          • LeaveCriticalSection.KERNEL32(?), ref: 004118DE
          Similarity
          • API ID: Global$CriticalLeaveLockSection$AllocHandle_memset
          • String ID:
          • API String ID: 2347636318-0
          • Opcode ID: ca0ab831b70a7de52ab8e3d2a00074cd6258de3d18388cde756d0c656872752b
          • Instruction ID: 90b4f9a065f011deef09d04585719689767ebb21a40eb2eab472f4faab04987c
          • Opcode Fuzzy Hash: ca0ab831b70a7de52ab8e3d2a00074cd6258de3d18388cde756d0c656872752b
          • Instruction Fuzzy Hash: 8B11CE35A017059FD7249F34D848A6AB7E8FB44301B408A2EE666C36A0DB34F8168B88

          Control-flow Graph (function 0041358F; graph edge data not reproduced)
          APIs
          • SetErrorMode.KERNELBASE(00000000), ref: 00413598
          • SetErrorMode.KERNELBASE(00000000), ref: 004135A0
            • Part of subcall function 0040FD94: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040FDD5
            • Part of subcall function 0040FD94: SetLastError.KERNEL32(0000006F), ref: 0040FDEF
          • GetModuleHandleA.KERNEL32(user32.dll), ref: 004135F2
          • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00413602
            • Part of subcall function 00413410: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00413453
            • Part of subcall function 00413410: PathFindExtensionA.KERNELBASE(?), ref: 0041346D
            • Part of subcall function 00413410: __strdup.LIBCMT ref: 004134AF
          Similarity
          • API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__strdup
          • String ID: NotifyWinEvent$user32.dll
          • API String ID: 2454351968-597752486
          • Opcode ID: fa17d38a7ecd3239b716ddb0b0a883de09f687b9c510d3ce3ac6c493dbd7d290
          • Instruction ID: c1460d5ae057ff16c99148ca107e79096cd354def268f2e278a3b855a61ffc1f
          • Opcode Fuzzy Hash: fa17d38a7ecd3239b716ddb0b0a883de09f687b9c510d3ce3ac6c493dbd7d290
          • Instruction Fuzzy Hash: A8017C71B142109FC720EF66A905A5E3AD5AF08711F41846FF0449B3A2CF78D881CF6E

          Control-flow Graph (function 0040F95A; graph edge data not reproduced)
          APIs
          Similarity
          • API ID: _memset
          • String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
          • API String ID: 2102423945-4122032997
          • Opcode ID: 99924daba344c4e841b1c42367cb4303c23402f032073568ecfe6512dd6f2f8b
          • Instruction ID: c9744077b39ebfdb1489b5b7e212d2aeef10a37906967b7f9a2cfc9988fc26fa
          • Opcode Fuzzy Hash: 99924daba344c4e841b1c42367cb4303c23402f032073568ecfe6512dd6f2f8b
          • Instruction Fuzzy Hash: 0A812272D10249AADB60DFE4D585BDEBBF8AF44344F14807AF908F61C1E7789A48CB94
          APIs
          • TlsFree.KERNELBASE(?), ref: 00411CA7
          • GlobalHandle.KERNEL32(?), ref: 00411CB5
          • GlobalUnlock.KERNEL32(00000000), ref: 00411CBE
          • GlobalFree.KERNEL32(00000000), ref: 00411CC5
          • DeleteCriticalSection.KERNEL32 ref: 00411CCF
            • Part of subcall function 00411AD9: EnterCriticalSection.KERNEL32(?), ref: 00411B36
            • Part of subcall function 00411AD9: LeaveCriticalSection.KERNEL32(?,?), ref: 00411B46
            • Part of subcall function 00411AD9: LocalFree.KERNEL32(?), ref: 00411B4F
            • Part of subcall function 00411AD9: TlsSetValue.KERNEL32(?,00000000), ref: 00411B61
          Similarity
          • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
          • String ID:
          • API String ID: 1549993015-0
          • Opcode ID: 5b7ce078480e8e5cecf2c4dd7fcb37f58644b5b771142ccfc64409678e1eeb4a
          • Instruction ID: f1502ba63e80a335183b5ecd5bf62d4f7ccbc517f6078e31bb8122d016d8ddf5
          • Opcode Fuzzy Hash: 5b7ce078480e8e5cecf2c4dd7fcb37f58644b5b771142ccfc64409678e1eeb4a
          • Instruction Fuzzy Hash: 0DF09A313016005BD6219B28AD08ABF7BAD9F856607160A2AF905D33A0EB38DC4386AC
          APIs
          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0042725A
          • GetProcAddress.KERNEL32(00000000), ref: 00427261
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: IsWow64Process$kernel32
          • API String ID: 1646373207-3789238822
          • Opcode ID: dc460d4b7b96ce8b67185a6500c82034f74a0011ec6610de14acf4fa8529d0f7
          • Instruction ID: a2384d106970e6165d1fc112147bff58a7ef84447edb799f9d420d37b50aa001
          • Opcode Fuzzy Hash: dc460d4b7b96ce8b67185a6500c82034f74a0011ec6610de14acf4fa8529d0f7
          • Instruction Fuzzy Hash: 03B092F0743B21DF87205BA0BD4DA2C3AA4AA687223A028BAB40591568CE7880018E2C
          APIs
            • Part of subcall function 0040A2F2: _memset.LIBCMT ref: 0040A309
          • LoadIconA.USER32(?,00000080), ref: 00401131
          Similarity
          • API ID: IconLoad_memset
          • String ID: eDF$eDF
          • API String ID: 1883059454-151223039
          • Opcode ID: c2a45ed3e05d03163ebd876e5133fbfdc206d54725c22002b069cae190ec7fd2
          • Instruction ID: 9b78d55113b9d513ca2787d60c3d6c7d3e30de268031502bebabfc8286e16422
          • Opcode Fuzzy Hash: c2a45ed3e05d03163ebd876e5133fbfdc206d54725c22002b069cae190ec7fd2
          • Instruction Fuzzy Hash: B4F06272244751AFD311DF54D841B4A7BE4FF04B14F40492EF5818B790D7B9A4448B99
          APIs
            • Part of subcall function 00411BC7: __EH_prolog3.LIBCMT ref: 00411BCE
          • GetCurrentThreadId.KERNEL32 ref: 0040EB5B
          • SetWindowsHookExA.USER32(00000005,0040E8DD,00000000,00000000), ref: 0040EB6B
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          Similarity
          • API ID: CurrentException@8H_prolog3HookThreadThrowWindows
          • String ID: TIC
          • API String ID: 1226552664-1520089880
          • Opcode ID: 719b64368e6151a18e03afa50e50367926f40dcc02ada651fc7415eef5d338ef
          • Instruction ID: 86569047c948b925c7197a1072e91594d1d365e2309a57527e572364f3ebe23a
          • Opcode Fuzzy Hash: 719b64368e6151a18e03afa50e50367926f40dcc02ada651fc7415eef5d338ef
          • Instruction Fuzzy Hash: 5CF020312007009AC330AB639801B5BB6B19F90B21F20093FF782A26D0CA78A850866E
          APIs
          • GetCurrentThreadId.KERNEL32 ref: 00408F81
          • SetWindowsHookExA.USER32(000000FF,V\w,00000000,00000000), ref: 00408F91
          Similarity
          • API ID: CurrentHookThreadWindows
          • String ID: V\w
          • API String ID: 1904029216-2439634703
          • Opcode ID: d852c92fb9958ca02c8f6358f4cb56564ae3493ddd0c10814041b25b1c7a1af7
          • Instruction ID: 1987207c6b1edda707732195a00993f8aac96d4d9a2ad13eebfffd4a84a88bd2
          • Opcode Fuzzy Hash: d852c92fb9958ca02c8f6358f4cb56564ae3493ddd0c10814041b25b1c7a1af7
          • Instruction Fuzzy Hash: 1FD0A7715053606EE720AB717D19B5A3E505F15334F10076EF491661D1CEB888C24B5D
          APIs
          • RegOpenKeyExA.KERNELBASE(80000001,00431008,00000000,00000001,?), ref: 0040790A
          • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0040792A
          • RegCloseKey.ADVAPI32(?), ref: 0040796E
          Similarity
          • API ID: CloseOpenQueryValue
          • String ID:
          • API String ID: 3677997916-0
          • Opcode ID: b64251b59670c21352e24f00d96ff4e0cd408dffd9b5ea459b0e74db37eabf7c
          • Instruction ID: 914f4bbea72f47d32ef781a6ca9c545298b4b1dbc1de12a515f94c47b4a37171
          • Opcode Fuzzy Hash: b64251b59670c21352e24f00d96ff4e0cd408dffd9b5ea459b0e74db37eabf7c
          • Instruction Fuzzy Hash: 592137B1E04208EFEF25CF95C884AAEBBB8FF91314F1140BBE441B6260D7746A44DB16
          APIs
          • GetMessageA.USER32(00000030,00000000,00000000,00000000), ref: 00408D92
          • TranslateMessage.USER32(00000030), ref: 00408DB1
          • DispatchMessageA.USER32(00000030), ref: 00408DB8
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Message$DispatchTranslate
          • String ID:
          • API String ID: 1706434739-0
          • Opcode ID: cf162f32fdc0cb081714b8771b7e1b26200d9494fbf215c040b79bc20ccc87e7
          • Instruction ID: 09893f0cf0587c4bcd01e1f134883d7da4a585cc1bfb2795d044c363f60367c2
          • Opcode Fuzzy Hash: cf162f32fdc0cb081714b8771b7e1b26200d9494fbf215c040b79bc20ccc87e7
          • Instruction Fuzzy Hash: 53F03A31306511AAD755AB21AA08ABB3769BE91715745003EF841E6190DF38C8428AA9
          APIs
            • Part of subcall function 004012E0: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00401306
            • Part of subcall function 004012E0: __makepath.LIBCMT ref: 00401338
            • Part of subcall function 004075F0: GetVersion.KERNEL32 ref: 00407602
            • Part of subcall function 004075F0: GetCurrentProcess.KERNEL32(00000000), ref: 00407620
            • Part of subcall function 004075F0: IsWow64Process.KERNEL32(00000000), ref: 00407627
          • GetDlgItem.USER32(?,00000001), ref: 004013C6
          • EnableWindow.USER32(00000000), ref: 004013CD
          • PostMessageA.USER32(?,00000111,00000001,00000000), ref: 004013E0
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Process$CurrentEnableFileItemMessageModuleNamePostVersionWindowWow64__makepath
          • String ID:
          • API String ID: 961411951-0
          • Opcode ID: 7d42f4e9daf613e997a42b9e8f255af9ede0cd3cc3553b1219a90b3f080be875
          • Instruction ID: b65b2b6db60bae86d07dce147d3d7f2adb254afa196762425ef5a5603954fc9d
          • Opcode Fuzzy Hash: 7d42f4e9daf613e997a42b9e8f255af9ede0cd3cc3553b1219a90b3f080be875
          • Instruction Fuzzy Hash: C8F05E71755300BBD764EB24DD86BDAB7A4BB48B00F40042CBA89A61D1DFB9A480CB85
          APIs
          • __EH_prolog3_catch.LIBCMT ref: 0040D719
            • Part of subcall function 00411BC7: __EH_prolog3.LIBCMT ref: 00411BCE
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Exception@8H_prolog3H_prolog3_catchThrow
          • String ID: TIC
          • API String ID: 1377961577-1520089880
          • Opcode ID: fa38d098060624d74f0af2ce567d5aaba606be68d9f8cf71c0c06ad50d043697
          • Instruction ID: 1c03f1999faa979a4301008a4b3c8e94e29b7c167acb964ca59123aee127fd57
          • Opcode Fuzzy Hash: fa38d098060624d74f0af2ce567d5aaba606be68d9f8cf71c0c06ad50d043697
          • Instruction Fuzzy Hash: D5213C72E00209DFCF05DF95C481ADE7BB6EF98314F11846AFD05AB281D778A985CB94
          APIs
            • Part of subcall function 0040FCB7: GetModuleHandleA.KERNEL32(KERNEL32), ref: 0040FCC5
          • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0040FDD5
          • SetLastError.KERNEL32(0000006F), ref: 0040FDEF
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Module$ErrorFileHandleLastName
          • String ID:
          • API String ID: 613274587-0
          • Opcode ID: e582df8a3c3a596c153f5b0ed6dbea1dae315916b4aff96d4263b27a83ae3740
          • Instruction ID: 5f9e51cd310c8f0f63e13d337cf29a76e0af5b6e3d385e082ddddc0ea2fa7835
          • Opcode Fuzzy Hash: e582df8a3c3a596c153f5b0ed6dbea1dae315916b4aff96d4263b27a83ae3740
          • Instruction Fuzzy Hash: 7621187190030C8EEB70DFA5D8487EEB7B8BF05318F10463EE4A9AA2D1DB785549CB95
          APIs
            • Part of subcall function 00410F40: GetWindowLongA.USER32(?,000000F0), ref: 00410F4B
          • GetWindowRect.USER32(?,10000000), ref: 0040D6BE
          • GetWindow.USER32(?,00000004), ref: 0040D6DB
            • Part of subcall function 00410F95: IsWindowEnabled.USER32(?), ref: 00410F9E
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Window$EnabledLongRect
          • String ID:
          • API String ID: 3170195891-0
          • Opcode ID: d98cb7d8e26971122482782d5dc576e4645ed772fa3974a0874ca32187162963
          • Instruction ID: 32cae1fdb93f57598f41c172e9744c112c577e48a295df2794a31f08608ed11d
          • Opcode Fuzzy Hash: d98cb7d8e26971122482782d5dc576e4645ed772fa3974a0874ca32187162963
          • Instruction Fuzzy Hash: FA017C30B002049BDF24EBE5C845BAF7BA9BF04714F00446AFD16A76D1EB78D9458A88
          APIs
          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00415923,00000001), ref: 0041981A
          • HeapDestroy.KERNEL32 ref: 00419850
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Heap$CreateDestroy
          • String ID:
          • API String ID: 3296620671-0
          • Opcode ID: 55050daa4d954211f5fd7c9e1bac0a303b8b3fa88c1b0381d792fe0f38950118
          • Instruction ID: c1f316759d4e9132407fb8f3666e3824bfb346260f1192569714d8499098e8e1
          • Opcode Fuzzy Hash: 55050daa4d954211f5fd7c9e1bac0a303b8b3fa88c1b0381d792fe0f38950118
          • Instruction Fuzzy Hash: E9E06D30629302EAEB547B31AC1A77A36A4AF01346F10D83AF000C50A0FB6988849A5C
          APIs
          • DefWindowProcA.USER32(?,?,?,?), ref: 0040B58D
          • CallWindowProcA.USER32(?,?,?,?,?), ref: 0040B5A2
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ProcWindow$Call
          • String ID:
          • API String ID: 2316559721-0
          • Opcode ID: ac236626f5f6a2c98f6968b7560a5fa78e911ee6d42d2b647af9b429832b82b2
          • Instruction ID: b45f1a4fd5df6bbdc99df70253cba6f42e121a0dd5d1e32f1671dcf540fcffe5
          • Opcode Fuzzy Hash: ac236626f5f6a2c98f6968b7560a5fa78e911ee6d42d2b647af9b429832b82b2
          • Instruction Fuzzy Hash: 67F01C36100205FFCF228F94DC04D9A7BB9FF1C751B044469FA4996520E732D920AB88
          APIs
          • SendMessageA.USER32(?,00000080,00000001,?), ref: 004011BE
          • SendMessageA.USER32(?,00000080,00000000,?), ref: 004011CF
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: MessageSend
          • String ID:
          • API String ID: 3850602802-0
          • Opcode ID: 1ba0dd322be2f33eef745d005885ef1fefb717585e3a024858736f8587900b49
          • Instruction ID: 5e8697c803bba9ed2616c5b050f8631829fd6b31bbaf32d9b03d86cbde70e3a0
          • Opcode Fuzzy Hash: 1ba0dd322be2f33eef745d005885ef1fefb717585e3a024858736f8587900b49
          • Instruction Fuzzy Hash: 1CE04F7130070067E230A62A9C41F57B3E9AB94B10F010A1DF681972A0C9B5F8818A54
          APIs
          • GetModuleHandleA.KERNELBASE(?,?,0040CF40,InitCommonControlsEx,?,0040D644,?), ref: 0040CE69
          • LoadLibraryA.KERNELBASE(?,?,0040CF40,InitCommonControlsEx,?,0040D644,?), ref: 0040CE79
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: HandleLibraryLoadModule
          • String ID:
          • API String ID: 4133054770-0
          • Opcode ID: 408a1d2dc232faad86b6a4a556149719414fe57a1a3854cdb157109e1285b6f6
          • Instruction ID: 808e557f69f55ada431a1035be705466c6da3b50f70f2572350632b2add43e21
          • Opcode Fuzzy Hash: 408a1d2dc232faad86b6a4a556149719414fe57a1a3854cdb157109e1285b6f6
          • Instruction Fuzzy Hash: 6BE09231602B11CFD7708F25E944A47BBE4AB14A11B01CA7EA4ABD2A60DB35E855DB44
          APIs
          • ___crtCorExitProcess.LIBCMT ref: 00415F0E
            • Part of subcall function 00415EE4: GetModuleHandleA.KERNEL32(mscoree.dll,00415F13,?,00419948,000000FF,0000001E,0042EA18,0000000C,004199F2,?,?,?,00415639,00000004,0042E8E8,0000000C), ref: 00415EE9
            • Part of subcall function 00415EE4: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00415EF9
          • ExitProcess.KERNEL32 ref: 00415F18
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ExitProcess$AddressHandleModuleProc___crt
          • String ID:
          • API String ID: 2427264223-0
          • Opcode ID: 8338c153fc0eb44a3c3a14aea4616bebc4924dae21aa855e99c58313f151be52
          • Instruction ID: fce059c6379efb08896099b933a26cd6ce3466f4b239b6f5ba578c911e8c064a
          • Opcode Fuzzy Hash: 8338c153fc0eb44a3c3a14aea4616bebc4924dae21aa855e99c58313f151be52
          • Instruction Fuzzy Hash: E5B01230104200EFD6012B10DD0B45E7BA1FF80700F01842EF044040308F314C50FA05
          APIs
          • __lock.LIBCMT ref: 0041607C
            • Part of subcall function 004199D9: __mtinitlocknum.LIBCMT ref: 004199ED
            • Part of subcall function 004199D9: __amsg_exit.LIBCMT ref: 004199F9
            • Part of subcall function 004199D9: EnterCriticalSection.KERNEL32(?,?,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00419A01
            • Part of subcall function 00418FAF: TlsGetValue.KERNEL32(00000000,0041A51E,004157D8,?,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057), ref: 00418FBC
            • Part of subcall function 00418FAF: TlsGetValue.KERNEL32(00000005,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FD3
            • Part of subcall function 00418FAF: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FE8
            • Part of subcall function 00418FAF: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00419003
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Value$AddressCriticalEnterHandleModuleProcSection__amsg_exit__lock__mtinitlocknum
          • String ID:
          • API String ID: 669183598-0
          • Opcode ID: 09347b2cc302266b4a3c75843178ddc3af8b37366b0d6b78bebd74c947f6f092
          • Instruction ID: 87abab29aa859a9cc3e560d184bafdf926dab19ae0848d72afd065dcad6793e5
          • Opcode Fuzzy Hash: 09347b2cc302266b4a3c75843178ddc3af8b37366b0d6b78bebd74c947f6f092
          • Instruction Fuzzy Hash: 44116071901215AFDB10BFA6DC426DD7661EB84338F11802FF4552A292DF7C99C2CB5C
          APIs
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: H_prolog3
          • String ID:
          • API String ID: 431132790-0
          • Opcode ID: eaa2d0f519003dd1fce212ef51ef2452d1b21b59fae9bc31893c618f2d36c026
          • Instruction ID: 78284c510ced2b850c5d30114d35ea23ed9214cd34365ec9b9877fd0859e1e03
          • Opcode Fuzzy Hash: eaa2d0f519003dd1fce212ef51ef2452d1b21b59fae9bc31893c618f2d36c026
          • Instruction Fuzzy Hash: 6F218E34200B01CFD725EF79C484A7A7BF1BF89710710455EE5668B7A1CB79E881CB14
          APIs
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Parent
          • String ID:
          • API String ID: 975332729-0
          • Opcode ID: 89577e704287928c819eae0ec23bde2d834a120fc64b092e06391aeb6412b57b
          • Instruction ID: 5a41a7c8bbf9ff1aca31f9bfeeacb31de6a283490678fbe3541e2f6de6f8b39d
          • Opcode Fuzzy Hash: 89577e704287928c819eae0ec23bde2d834a120fc64b092e06391aeb6412b57b
          • Instruction Fuzzy Hash: D501A5792003056FDF205E72DC48A6B7B69FF85350B004536FC16E22D2EA79D8309576
          APIs
          • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,?,?,0040D896,00000004,0040DAFA), ref: 0040D384
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CallbackDispatcherUser
          • String ID:
          • API String ID: 2492992576-0
          • Opcode ID: 8d4c30b39cfef803bc15536ec89dcc07ca4f422b2ccb9317ff5c0ecbd6b0719a
          • Instruction ID: 907985510dc7bd8bcd17b92d3f6d2f21d831f3da8e832c24cf8a129825b18d65
          • Opcode Fuzzy Hash: 8d4c30b39cfef803bc15536ec89dcc07ca4f422b2ccb9317ff5c0ecbd6b0719a
          • Instruction Fuzzy Hash: D8F0F931A00B40CBCB36D664D84086B73A1FB84355324093FE886E3A54D775DC49C61B
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1d4de885ab7765e6243c94f10f30dde0a5940f9e4e8a6203bc498cc75e2fc1bc
          • Instruction ID: e318c2737047292759d130edbe4b306651aa8de819ac015a44607af38a414e66
          • Opcode Fuzzy Hash: 1d4de885ab7765e6243c94f10f30dde0a5940f9e4e8a6203bc498cc75e2fc1bc
          • Instruction Fuzzy Hash: 7DF01233801119BBCF126ED19C018EB3B6DAF09751B00C436F965750A1C739D525EBA9
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 54fc3c87bf282f1054a5b614ebd04f43a6ebd3c6b9ac0a154718cbd36cf443c8
          • Instruction ID: 21d7a2f2eed34303529220b39db2e5f64f6434af237bc63a2c558792a982d0c4
          • Opcode Fuzzy Hash: 54fc3c87bf282f1054a5b614ebd04f43a6ebd3c6b9ac0a154718cbd36cf443c8
          • Instruction Fuzzy Hash: D7E04F329182129BCA20AE3498046A677D45B21370F20E73FE0A1A22D0D374E892EA17
          APIs
          • FindResourceA.KERNEL32(?,?,00000006), ref: 00407CED
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: FindResource
          • String ID:
          • API String ID: 1635176832-0
          • Opcode ID: e120129de23e34bc6c9f514884d861a288ecbabf3d9f615d10984b7661aa93c5
          • Instruction ID: cba1dc2043e625c1cfdb8771f12a9925467b4f611725864a5929bd9da7c40c33
          • Opcode Fuzzy Hash: e120129de23e34bc6c9f514884d861a288ecbabf3d9f615d10984b7661aa93c5
          • Instruction Fuzzy Hash: 6AD05E345082017EEB105B05EC00A3B7BD5FB80244F90842CF895D00A0D739D922EA02
          APIs
          • PostMessageA.USER32(?,00000000,00000000,00000000), ref: 0040CE00
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: MessagePost
          • String ID:
          • API String ID: 410705778-0
          • Opcode ID: cf86eb8d6ad576eacfbae023fb3b5efb5eba175b59787f748e03a1c64491f363
          • Instruction ID: c3da19198bd70eaa823853342e6cd9ca5566e00eca52284832144f9f85666a94
          • Opcode Fuzzy Hash: cf86eb8d6ad576eacfbae023fb3b5efb5eba175b59787f748e03a1c64491f363
          • Instruction Fuzzy Hash: 20D09EF2611100AFE790DF39CD44936B7A9EB54754355856DB854CA2A1D332DC13CB54
          APIs
          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040A347
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CallbackDispatcherUser
          • String ID:
          • API String ID: 2492992576-0
          • Opcode ID: 0fba4d03cc6642e4a66c4d120bf4e6c9783e33f8de0d7df85cfbaadd7d72012d
          • Instruction ID: 400a5c3b449732db2b183b9a1923b62c27c1053c0550cf4194e3bc30f131758e
          • Opcode Fuzzy Hash: 0fba4d03cc6642e4a66c4d120bf4e6c9783e33f8de0d7df85cfbaadd7d72012d
          • Instruction Fuzzy Hash: 06D05E360046019BC7614B14C808A86BFE0BF09350F04886DB9C541530CB72A8109B44
          APIs
          • FreeLibrary.KERNELBASE(?), ref: 00410101
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: FreeLibrary
          • String ID:
          • API String ID: 3664257935-0
          • Opcode ID: 66840656679c7b4783e730baadc87fa6a52522b49c2833cc49bc7d2466c13abb
          • Instruction ID: 4bb54850ef3dad767d122de643c1bfc846877d6f8cc518626cc59abd6c9b436b
          • Opcode Fuzzy Hash: 66840656679c7b4783e730baadc87fa6a52522b49c2833cc49bc7d2466c13abb
          • Instruction Fuzzy Hash: 2CD0A9304002208FD3258B28D40866ABBD0AF00300F00C82EC0CA02AA0CBB968808788
          APIs
          • IsDebuggerPresent.KERNEL32 ref: 00418E81
          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E96
          • UnhandledExceptionFilter.KERNEL32(00429D9C), ref: 00418EA1
          • GetCurrentProcess.KERNEL32(C0000409), ref: 00418EBD
          • TerminateProcess.KERNEL32(00000000), ref: 00418EC4
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
          • String ID:
          • API String ID: 2579439406-0
          • Opcode ID: 3c2eb1d34b0e570762367dcf2a04d2b8a3090566ced497e04df752a223ba07f3
          • Instruction ID: e00676eea815df2459d9e2c6956a8c1a1bab648b210e66c33d8475b94ddc80ee
          • Opcode Fuzzy Hash: 3c2eb1d34b0e570762367dcf2a04d2b8a3090566ced497e04df752a223ba07f3
          • Instruction Fuzzy Hash: E721CAB6916214DFC710DF69F8466883BB0BB98316F80653AE408873A1EBB569858F4D
          APIs
            • Part of subcall function 00410F40: GetWindowLongA.USER32(?,000000F0), ref: 00410F4B
          • GetKeyState.USER32(00000010), ref: 0040D520
          • GetKeyState.USER32(00000011), ref: 0040D529
          • GetKeyState.USER32(00000012), ref: 0040D532
          • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0040D548
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: State$LongMessageSendWindow
          • String ID:
          • API String ID: 1063413437-0
          • Opcode ID: 76c53f3d56f4965a3949ea1fdefc5f070464564070bb06eca5fbaf554b71b7df
          • Instruction ID: 589fc56a5ccd7dc46f2ac6db7b8795157b051f254135c006c9f966c6e07b2b22
          • Opcode Fuzzy Hash: 76c53f3d56f4965a3949ea1fdefc5f070464564070bb06eca5fbaf554b71b7df
          • Instruction Fuzzy Hash: 15F0B472B4028A35FD2176F99C01FAA11144F40FDCF40453ABF05FA1D5C9B9C9079168
          APIs
          • MonitorFromWindow.USER32(00000002,00000000), ref: 0040ADF3
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: FromMonitorWindow
          • String ID:
          • API String ID: 721739931-0
          • Opcode ID: 865eaaed10c3d59a82dc524e5328d727cc5149c0cada276e47b454acafa34637
          • Instruction ID: b8071ffe22e6dde09ee0da1aad497b6ff7b45b0f58ae020ce785dacd975e9791
          • Opcode Fuzzy Hash: 865eaaed10c3d59a82dc524e5328d727cc5149c0cada276e47b454acafa34637
          • Instruction Fuzzy Hash: F1F03631204209AFDF569F61CC089AF3B6DAF04344B44803AFC15B41A0DB39CA659B9A
          APIs
          • RegSetValueExA.ADVAPI32(?,Printer Driver,00000000,00000001,?,-00000001), ref: 00402854
          • RegSetValueExA.ADVAPI32(?,Priority,00000000,00000004,?,00000004), ref: 00402872
          • RegSetValueExA.ADVAPI32(?,Separator File,00000000,00000001,?,-00000001), ref: 0040289E
          • RegSetValueExA.ADVAPI32(?,Share Name,00000000,00000001,?,-00000001), ref: 004028CE
          • RegSetValueExA.ADVAPI32(?,StartTime,00000000,00000004,?,00000004), ref: 004028E8
          • RegSetValueExA.ADVAPI32(?,Status,00000000,00000004,?,00000004), ref: 00402902
          • RegSetValueExA.ADVAPI32(?,UntilTime,00000000,00000004,?,00000004), ref: 0040291C
          • RegCloseKey.ADVAPI32(?), ref: 00402923
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Value$Close
          • String ID: |t$A$A$D$Devices$DriverDate$DriverDesc$InfPath$InfSection$Installed Memory$MSPRINT.INF$PSCRIPT,FILE:$PSCRIPT,FILE:,15,45$PSCRIPT1.SPD$Printer Driver$PrinterID$PrinterPorts$Priority$ProviderName$Separator File$Share Name$StartTime$Status$UntilTime$\PrinterDriverData$\System\CurrentControlSet\Control\Print\Printers\$\System\CurrentControlSet\Services\Class\Printer\0003
          • API String ID: 3391052094-4128901390
          • Opcode ID: 09b63b4acac3de97450d6724befc7278cf06119ddba13b3c51906864be86ebdc
          • Instruction ID: 6fbefb3e9517bcb00a8634d013c9ae02924f7dcb4ea0e915ed5de44afb592d02
          • Opcode Fuzzy Hash: 09b63b4acac3de97450d6724befc7278cf06119ddba13b3c51906864be86ebdc
          • Instruction Fuzzy Hash: 4AD18D71208340ABD320CB24DC55FABBBF9EBC9704F54495DFA8497291D7B5E808CB9A
          APIs
          • _strcpy_s.LIBCMT ref: 0041A911
          • __invoke_watson.LIBCMT ref: 0041A922
          • GetModuleFileNameA.KERNEL32(00000000,00435279,00000104), ref: 0041A93E
          • _strcpy_s.LIBCMT ref: 0041A953
          • __invoke_watson.LIBCMT ref: 0041A966
          • _strlen.LIBCMT ref: 0041A96F
          • _strlen.LIBCMT ref: 0041A97C
          • __invoke_watson.LIBCMT ref: 0041A9A9
          • _strcat_s.LIBCMT ref: 0041A9BC
          • __invoke_watson.LIBCMT ref: 0041A9CD
          • _strcat_s.LIBCMT ref: 0041A9DE
          • __invoke_watson.LIBCMT ref: 0041A9EF
          • GetStdHandle.KERNEL32(000000F4,?,00000001,?,00000000,00000003,0041AA71,000000FC,00419937,0042EA18,0000000C,004199F2,?,?,?,00415639), ref: 0041AA0E
          • _strlen.LIBCMT ref: 0041AA2F
          • WriteFile.KERNEL32(00000000,00000000,00000000,00000058,00000000,?,00000001,?,00000000,00000003,0041AA71,000000FC,00419937,0042EA18,0000000C,004199F2), ref: 0041AA39
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $`RC$tUC$yRC
          • API String ID: 1879448924-505519556
          • Opcode ID: 0c87e49ae37511c2fd3e5043a67712ab95068372531417dfda7090a79ef0a286
          • Instruction ID: b770a29ab21add0f92fef459091a094591c6a73cfd0412eaf5b3ef66bf7786db
          • Opcode Fuzzy Hash: 0c87e49ae37511c2fd3e5043a67712ab95068372531417dfda7090a79ef0a286
          • Instruction Fuzzy Hash: AF312BB2A122107AE61172215D06BFF360D9F11398F59012BFC0AA12D3FA5D9DE180BF
          APIs
          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00415935), ref: 0041930A
          • __mtterm.LIBCMT ref: 00419316
            • Part of subcall function 00419058: TlsFree.KERNEL32(00000004,00419483), ref: 00419083
            • Part of subcall function 00419058: DeleteCriticalSection.KERNEL32(00000000,00000000,74DEDFB0,00000001,00419483), ref: 004198C7
            • Part of subcall function 00419058: DeleteCriticalSection.KERNEL32(00000004,74DEDFB0,00000001,00419483), ref: 004198F1
          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041932C
          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00419339
          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00419346
          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00419353
          • TlsAlloc.KERNEL32 ref: 004193A3
          • TlsSetValue.KERNEL32(00000000), ref: 004193BE
          • __init_pointers.LIBCMT ref: 004193C8
          • __calloc_crt.LIBCMT ref: 0041943D
          • GetCurrentThreadId.KERNEL32 ref: 0041946D
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
          • API String ID: 2125014093-3819984048
          • Opcode ID: 521b00397bd7d64ded03df44544239094af6337da897d3d7db3277de3307f0cb
          • Instruction ID: f69fb393bc2f3a726e2733d47e9be024d036ffd549e52da0a2ad8d13958c20aa
          • Opcode Fuzzy Hash: 521b00397bd7d64ded03df44544239094af6337da897d3d7db3277de3307f0cb
          • Instruction Fuzzy Hash: 2F31C930504F159ADB24AF75BD1568A3AB5EB04350B60953FE415D62F0DF3E8882CBDC
          APIs
          • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,75C04A40,0040ADE9,?,?,?,?,?,?,?,0040CBC1,00000000,00000002,00000028), ref: 0040ACC6
          • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0040ACE2
          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040ACF3
          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040AD04
          • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040AD15
          • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040AD26
          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040AD37
          • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040AD48
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressProc$HandleModule
          • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
          • API String ID: 667068680-68207542
          • Opcode ID: 2ec7da70c8e978d58fb5efd197905eda0bffc9df6ba15d1c758f2d3014423a7d
          • Instruction ID: 5ff98688daa11d4d56740ecb6fe482ddd860ba966b35af6d08b6a4ea87cf4fae
          • Opcode Fuzzy Hash: 2ec7da70c8e978d58fb5efd197905eda0bffc9df6ba15d1c758f2d3014423a7d
          • Instruction Fuzzy Hash: A42181B1A053109EC3119F75BDC04AEBAE1FA8A7053A5643FD004E26E0CB3C6845CE5D
          APIs
          • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00435260,0041AA07,00435260,Microsoft Visual C++ Runtime Library,00012010), ref: 00420C01
          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00420C1D
            • Part of subcall function 00418F38: TlsGetValue.KERNEL32(0041C4F3,0041C573,0041C4F3,00000014,00419993,00000000,00000FA0,0042EA18,0000000C,004199F2,?,?,?,00415639,00000004,0042E8E8), ref: 00418F45
            • Part of subcall function 00418F38: TlsGetValue.KERNEL32(00000005,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00418F5C
          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00420C3A
            • Part of subcall function 00418F38: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00418F71
            • Part of subcall function 00418F38: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00418F8C
          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00420C4F
          • __invoke_watson.LIBCMT ref: 00420C70
            • Part of subcall function 004195B5: _memset.LIBCMT ref: 00419641
            • Part of subcall function 004195B5: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 0041965F
            • Part of subcall function 004195B5: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00419669
            • Part of subcall function 004195B5: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00419673
            • Part of subcall function 004195B5: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 0041968E
            • Part of subcall function 004195B5: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00419695
            • Part of subcall function 00418FAF: TlsGetValue.KERNEL32(00000000,0041A51E,004157D8,?,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057), ref: 00418FBC
            • Part of subcall function 00418FAF: TlsGetValue.KERNEL32(00000005,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FD3
            • Part of subcall function 00418FAF: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FE8
            • Part of subcall function 00418FAF: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00419003
          • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00420C84
          • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00420C9C
          • __invoke_watson.LIBCMT ref: 00420D0F
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
          • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
          • API String ID: 2940365033-1046234306
          • Opcode ID: 13b43ea2c5b0cc70e40b5eba73ef4144a6dcc2f3dbb351cdb5442227fc23d173
          • Instruction ID: 232f3f7092d3c782a911f7b0af3337586e031b9d740dcdb275b2b1285b8679aa
          • Opcode Fuzzy Hash: 13b43ea2c5b0cc70e40b5eba73ef4144a6dcc2f3dbb351cdb5442227fc23d173
          • Instruction Fuzzy Hash: 3241C571A11215AEDF24AFE5BC859AE7BE9EB04304F94053FE401E2252DF3C99818A1D
          APIs
          • GetModuleHandleA.KERNEL32(KERNEL32), ref: 0040FCC5
          • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0040FCE6
          • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0040FCF8
          • GetProcAddress.KERNEL32(ActivateActCtx), ref: 0040FD0A
          • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0040FD1C
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressProc$HandleModule
          • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$LIC$ReleaseActCtx
          • API String ID: 667068680-2358679209
          • Opcode ID: 263ab337652415ef88d097a87952258b525712c72f93a9b0b5fd5f448ea37e8f
          • Instruction ID: 0ab8ce372c1598f73aee534304cf2297b41b70b59c85d39e561f18a9da43c210
          • Opcode Fuzzy Hash: 263ab337652415ef88d097a87952258b525712c72f93a9b0b5fd5f448ea37e8f
          • Instruction Fuzzy Hash: 5FF0DAB0A47324AEDB20DFB1FC05A8B3EA4AF98720361547BE40493370DA786440CF4C
          APIs
          • GetModuleHandleA.KERNEL32(KERNEL32,00000020,?,00000000,004083BD,000000FF), ref: 004077B0
          • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 004077CE
          • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 004077DB
          • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 004077E8
          • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 004077F5
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressProc$HandleModule
          • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
          • API String ID: 667068680-3617302793
          • Opcode ID: e577d3c6ee9d3490cc4a82c6abf81b8bf716f8db91c008b0b4988cda4f9e64fb
          • Instruction ID: 5139adea8317c11f4a876ca0edc7635deb9ebe2fa319c673bffab637c85c8020
          • Opcode Fuzzy Hash: e577d3c6ee9d3490cc4a82c6abf81b8bf716f8db91c008b0b4988cda4f9e64fb
          • Instruction Fuzzy Hash: 4E11E971E05225AFCB21AF65BD8551BBAF4A664754310903FE10893260DBF86880DF7E
          APIs
          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,0042E9D0,0000000C,004191A6,00000000,00000000,?,?,?,00418FF9,?,00407762,?,?,00000000,0041128A), ref: 004190A6
          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004190DA
          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004190EA
          • InterlockedIncrement.KERNEL32(00431F90), ref: 0041910C
          • __lock.LIBCMT ref: 00419114
          • ___addlocaleref.LIBCMT ref: 00419133
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
          • API String ID: 1036688887-2843748187
          • Opcode ID: 7847be3feab9a40a164b2ea1db58d25b3a274c633c1a2d7d36dfd0d7073f71c4
          • Instruction ID: 2530a3881f0e796ecab464c33fe3d611c3438a5a5b5883a9118a4a121aadcc63
          • Opcode Fuzzy Hash: 7847be3feab9a40a164b2ea1db58d25b3a274c633c1a2d7d36dfd0d7073f71c4
          • Instruction Fuzzy Hash: BA1142719007119FD720AF76D855BAABBF0AF08318F50892FE895923A1CB78D981CF58
          APIs
          • GetStockObject.GDI32(00000011), ref: 00412AC0
          • GetStockObject.GDI32(0000000D), ref: 00412AC8
          • GetObjectA.GDI32(00000000,0000003C,?), ref: 00412AD5
          • GetDC.USER32(00000000), ref: 00412AE4
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00412AF8
          • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00412B04
          • ReleaseDC.USER32(00000000,00000000), ref: 00412B10
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Object$Stock$CapsDeviceRelease
          • String ID: System
          • API String ID: 46613423-3470857405
          • Opcode ID: 427fbe5e592866b8d79d3d1f2a911a300cfa0079ed6e718b06694647859f56fa
          • Instruction ID: 17f5a274647f802995f24ea639d1b33c55a7a725df42b0146bd59350f88bdf84
          • Opcode Fuzzy Hash: 427fbe5e592866b8d79d3d1f2a911a300cfa0079ed6e718b06694647859f56fa
          • Instruction Fuzzy Hash: 71116071B01218EBEB209FA1ED45FEE7B68BB54781F44002AF601E6180DBB49D06C778
          APIs
          • GetStartupInfoA.KERNEL32(?), ref: 0041B0FA
          • __calloc_crt.LIBCMT ref: 0041B10D
            • Part of subcall function 004194C8: __calloc_impl.LIBCMT ref: 004194D6
            • Part of subcall function 004194C8: Sleep.KERNEL32(00000000), ref: 004194ED
          • __calloc_crt.LIBCMT ref: 0041B190
          • GetFileType.KERNEL32(00000038), ref: 0041B210
          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 0041B244
          • GetStdHandle.KERNEL32(-000000F6), ref: 0041B29A
          • GetFileType.KERNEL32(00000000), ref: 0041B2AC
          • ___crtInitCritSecAndSpinCount.LIBCMT ref: 0041B2DA
          • SetHandleCount.KERNEL32 ref: 0041B304
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
          • String ID:
          • API String ID: 1318386821-0
          • Opcode ID: add23797984aaeb127dc7bd9bf3a3e4d80a980b2ed7d428d6c0d3e8173020413
          • Instruction ID: c31e0502afe3ac111dc13462d2ffa739ed35a0ab8e44e0ecfebdc1004ecf75f4
          • Opcode Fuzzy Hash: add23797984aaeb127dc7bd9bf3a3e4d80a980b2ed7d428d6c0d3e8173020413
          • Instruction Fuzzy Hash: D26138715047418FD7218B78CC4879A7BE0EF16330F2A839AD4659B3E1D738D88ACB99
          APIs
          • LoadLibraryA.KERNEL32(?), ref: 0042686D
          • GetLastError.KERNEL32 ref: 00426879
          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 004268AC
          • InterlockedExchange.KERNEL32(?,00000000), ref: 004268BE
          • LocalAlloc.KERNEL32(00000040,00000008), ref: 004268D2
          • FreeLibrary.KERNEL32(00000000), ref: 004268EF
          • GetProcAddress.KERNEL32(?,?), ref: 00426944
          • GetLastError.KERNEL32(?,?), ref: 00426950
          • RaiseException.KERNEL32(C06D007F,00000000,00000001,?,?,?), ref: 00426982
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
          • String ID:
          • API String ID: 991255547-0
          • Opcode ID: daa55f2c65075c90af9df61c06c0438144368c70bcbe95059311bd89390926c8
          • Instruction ID: b8959c7aecbda37847a3c3c9d93d1db7b319ad7ac28845b3bdd6d5a59a5ec04f
          • Opcode Fuzzy Hash: daa55f2c65075c90af9df61c06c0438144368c70bcbe95059311bd89390926c8
          • Instruction Fuzzy Hash: 8A5179717016159FEB24DF95E884BAEB7F4EB58300F95402AE904D7350EB74ED41CB28
          APIs
          • __EH_prolog3_catch.LIBCMT ref: 00411995
          • EnterCriticalSection.KERNEL32(?,00000010,00411C47,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA), ref: 004119A6
          • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA,00000000), ref: 004119C4
          • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004119F8
          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA,00000000), ref: 00411A64
          • _memset.LIBCMT ref: 00411A83
          • TlsSetValue.KERNEL32(?,00000000), ref: 00411A94
          • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA,00000000), ref: 00411AB5
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
          • String ID:
          • API String ID: 1891723912-0
          • Opcode ID: 3e3ffc7c6db53314af17a8179a292c3e29d486d2d54c79255f92a94b468e98a2
          • Instruction ID: 49590becee686056d98f9376eb9a292429a4e7d7873e8b9d1101d1e2fff2b67f
          • Opcode Fuzzy Hash: 3e3ffc7c6db53314af17a8179a292c3e29d486d2d54c79255f92a94b468e98a2
          • Instruction Fuzzy Hash: 4931A370501605EFDB20AF11D885CAEBBA5FF04354B60C52FE616976A0CB38ADD1CF89
          APIs
          • GlobalLock.KERNEL32(?), ref: 00407B7C
          • lstrcmpA.KERNEL32(?,?), ref: 00407B88
          • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00407B9A
          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00407BBA
          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00407BC2
          • GlobalLock.KERNEL32(00000000), ref: 00407BCC
          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00407BD9
          • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00407BF1
            • Part of subcall function 0041150B: GlobalFlags.KERNEL32(?), ref: 00411516
            • Part of subcall function 0041150B: GlobalUnlock.KERNEL32(?), ref: 00411528
            • Part of subcall function 0041150B: GlobalFree.KERNEL32(?), ref: 00411533
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
          • String ID:
          • API String ID: 168474834-0
          • Opcode ID: dc21f672fb24da92fea5aa7a7c05492faab5746219c886462db2327e03e5b6c7
          • Instruction ID: ada615cc7b3e60a4107c2d97f2a3f14245ece8957aba89aabf8e892eb957b222
          • Opcode Fuzzy Hash: dc21f672fb24da92fea5aa7a7c05492faab5746219c886462db2327e03e5b6c7
          • Instruction Fuzzy Hash: 27119471A00604BBDB216F66DC49D7F7ABDFB84B08750042EFA01D2161DA79E951972C
          APIs
          • getSystemCP.LIBCMT ref: 0041F1C4
            • Part of subcall function 0041F131: GetOEMCP.KERNEL32(00000000,?,0041AF0F), ref: 0041F158
          • setSBCS.LIBCMT ref: 0041F1D6
            • Part of subcall function 0041EEAE: _memset.LIBCMT ref: 0041EEC1
          • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,0042EC70), ref: 0041F21C
          • GetCPInfo.KERNEL32(00000000,0041F52E), ref: 0041F22F
          • _memset.LIBCMT ref: 0041F247
          • setSBUpLow.LIBCMT ref: 0041F31A
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: _memset$CodeInfoPageSystemValid
          • String ID:
          • API String ID: 1927818438-0
          • Opcode ID: 6a3c1cc34a6a76655d412feb3f2f08053be992258db38b9291ae84f72b9aca40
          • Instruction ID: 1f2ce2b4eb554001232013fed1ece6382c867d756cff50d10a33e2f5f733babb
          • Opcode Fuzzy Hash: 6a3c1cc34a6a76655d412feb3f2f08053be992258db38b9291ae84f72b9aca40
          • Instruction Fuzzy Hash: BE51D5359042599BDF158F65C8841FEBBA4EF45304F14807BDC969B242D73DC98BCB98
          APIs
          • _memset.LIBCMT ref: 0040D2BA
          • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0040D2E3
          • GetWindowLongA.USER32(?,000000FC), ref: 0040D2F5
          • GetWindowLongA.USER32(?,000000FC), ref: 0040D306
          • SetWindowLongA.USER32(?,000000FC,?), ref: 0040D322
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: LongWindow$MessageSend_memset
          • String ID: (
          • API String ID: 2997958587-3887548279
          • Opcode ID: b657a3f0787c105aecbace95300a4c52ec2b686f36d7f9b90b5a7ebdce5b1f5d
          • Instruction ID: 02788e397e8b5c88b91177666012dcad0fdbf97cc10a0b133627e78819c6e1f3
          • Opcode Fuzzy Hash: b657a3f0787c105aecbace95300a4c52ec2b686f36d7f9b90b5a7ebdce5b1f5d
          • Instruction Fuzzy Hash: 63318E71A007149FCB21EFB5D884A6EB7A4BF08314F14067EE941A76D1DB39E848CF59
          APIs
          • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 0040A0FD
          • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0040A120
          • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0040A13C
          • RegCloseKey.ADVAPI32(?), ref: 0040A14C
          • RegCloseKey.ADVAPI32(?), ref: 0040A156
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CloseCreate$Open
          • String ID: software
          • API String ID: 1740278721-2010147023
          • Opcode ID: 410e664e35b4006b751a06ed68c63319cfaa896f377416da3a50e31cbc0549cc
          • Instruction ID: c812bd40180efa7cbd4917f2ffc5fc6d05c22dc6018c05b7ef724780fe14ae55
          • Opcode Fuzzy Hash: 410e664e35b4006b751a06ed68c63319cfaa896f377416da3a50e31cbc0549cc
          • Instruction Fuzzy Hash: C211F572D01258FBCB21DF9ACC88CDFBFBCEF89710F1000AAA500B2121D6709A15DBA4
          APIs
          • LeaveCriticalSection.KERNEL32(?), ref: 00411A36
          • __CxxThrowException@8.LIBCMT ref: 00411A40
            • Part of subcall function 0041840F: RaiseException.KERNEL32(00410BDA,00000000,0040128C,?,00410BDA,00000000,?,00000058,0040128C), ref: 0041844F
          • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31), ref: 00411A57
          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA,00000000), ref: 00411A64
            • Part of subcall function 0041112F: __CxxThrowException@8.LIBCMT ref: 00411143
          • _memset.LIBCMT ref: 00411A83
          • TlsSetValue.KERNEL32(?,00000000), ref: 00411A94
          • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA,00000000), ref: 00411AB5
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
          • String ID:
          • API String ID: 356813703-0
          • Opcode ID: f5b3debfeee96101e8ef5fcee63d311ed2305ce408dfd1c117646eb06446fd7b
          • Instruction ID: a1416f9e6a7f16b8595a08b387acd98a0a0faba673e163763b8eaf7be8a3d83f
          • Opcode Fuzzy Hash: f5b3debfeee96101e8ef5fcee63d311ed2305ce408dfd1c117646eb06446fd7b
          • Instruction Fuzzy Hash: 56118270600605AFE720AF64DC85CAFBBAAFF44354760C42EF555921A1CF34ACA1CB58
          APIs
          • TlsGetValue.KERNEL32(0041C4F3,0041C573,0041C4F3,00000014,00419993,00000000,00000FA0,0042EA18,0000000C,004199F2,?,?,?,00415639,00000004,0042E8E8), ref: 00418F45
          • TlsGetValue.KERNEL32(00000005,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00418F5C
          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00418F71
          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00418F8C
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Value$AddressHandleModuleProc
          • String ID: EncodePointer$KERNEL32.DLL
          • API String ID: 1929421221-3682587211
          • Opcode ID: 271ed7cca89d0bc92974d142a22f4a2c2aa3c35f6f412dce4e6ad9bfa95f01ce
          • Instruction ID: dda61166ca93e3023600fc9cca442450f16342bc78a5e55e8612cd598b7da013
          • Opcode Fuzzy Hash: 271ed7cca89d0bc92974d142a22f4a2c2aa3c35f6f412dce4e6ad9bfa95f01ce
          • Instruction Fuzzy Hash: 53F06D30A056229E96615B34EC44BEB3AE5AF44760B58056EF818D22B4CF38DC938A6D
          APIs
          • TlsGetValue.KERNEL32(00000000,0041A51E,004157D8,?,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057), ref: 00418FBC
          • TlsGetValue.KERNEL32(00000005,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FD3
          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FE8
          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00419003
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Value$AddressHandleModuleProc
          • String ID: DecodePointer$KERNEL32.DLL
          • API String ID: 1929421221-629428536
          • Opcode ID: 966b0e334f08a210d7659bb2dc6b9e7f91120e9b1beb812262e0d300c57c2eb6
          • Instruction ID: 3b5cc4d5440b5c3f789ab2897d060ae0052f5441d89394c5e8481985b3a51947
          • Opcode Fuzzy Hash: 966b0e334f08a210d7659bb2dc6b9e7f91120e9b1beb812262e0d300c57c2eb6
          • Instruction Fuzzy Hash: 86F036307056129BD7215B34EC58EEF3EE59F08350B49057AF814D22B0DF24CC92DA9D
          APIs
          • GetSysColor.USER32(0000000F), ref: 004124F1
          • GetSysColor.USER32(00000010), ref: 004124F8
          • GetSysColor.USER32(00000014), ref: 004124FF
          • GetSysColor.USER32(00000012), ref: 00412506
          • GetSysColor.USER32(00000006), ref: 0041250D
          • GetSysColorBrush.USER32(0000000F), ref: 0041251A
          • GetSysColorBrush.USER32(00000006), ref: 00412521
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Color$Brush
          • String ID:
          • API String ID: 2798902688-0
          • Opcode ID: ac6258dbd162c9ddd2da854c3f64bd3ca0a0cec11a2d83fedf949f478313e3ce
          • Instruction ID: 099df3d9b419b1f99dbb036897e24304aa9a85f2e71bf6db9b8c5597f55f28c2
          • Opcode Fuzzy Hash: ac6258dbd162c9ddd2da854c3f64bd3ca0a0cec11a2d83fedf949f478313e3ce
          • Instruction Fuzzy Hash: 4BF01271A417449BD730BF725D09B47BAD1FFC4B10F02092ED2418B990D6B6E041DF44
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Version$MessageRegisterWindow
          • String ID: MSWHEEL_ROLLMSG
          • API String ID: 303823969-2485103130
          • Opcode ID: c47c49f457d446c2bbb9b7cac95a49e2987d98f50f01ba46efc14f6a59fa9635
          • Instruction ID: c7c016069accdcd48b633fe2d6f657184548507126372c79635df5a123f989a7
          • Opcode Fuzzy Hash: c47c49f457d446c2bbb9b7cac95a49e2987d98f50f01ba46efc14f6a59fa9635
          • Instruction Fuzzy Hash: CAE08075B16132D5D7112768BC403AED6D45BC4394FD55077D900426509E3C08C34E7D
          APIs
            • Part of subcall function 00409774: GetParent.USER32(?), ref: 004097C7
            • Part of subcall function 00409774: GetLastActivePopup.USER32(?), ref: 004097D6
            • Part of subcall function 00409774: IsWindowEnabled.USER32(?), ref: 004097EB
            • Part of subcall function 00409774: EnableWindow.USER32(?,00000000), ref: 004097FE
          • EnableWindow.USER32(?,00000001), ref: 0040986C
          • GetWindowThreadProcessId.USER32(?,?), ref: 0040987A
          • GetCurrentProcessId.KERNEL32 ref: 00409884
          • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00409899
          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00409916
          • EnableWindow.USER32(?,00000001), ref: 00409952
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
          • String ID:
          • API String ID: 1877664794-0
          • Opcode ID: 893a931873d251d3d550951430456656dd7ad8e5b500c9a6e948c91ddbe21ba8
          • Instruction ID: 162663f56885457dc179b536801ac0429721260b37945fe4d302fa9cb83b8e3b
          • Opcode Fuzzy Hash: 893a931873d251d3d550951430456656dd7ad8e5b500c9a6e948c91ddbe21ba8
          • Instruction Fuzzy Hash: 9B41AE72A103489BEB309F65CC85BDEBBA4AF05704F24402EE949A73C2DB798D448B58
          APIs
          • GetWindowLongA.USER32(?,000000F0), ref: 004097A6
          • GetParent.USER32(?), ref: 004097B4
          • GetParent.USER32(?), ref: 004097C7
          • GetLastActivePopup.USER32(?), ref: 004097D6
          • IsWindowEnabled.USER32(?), ref: 004097EB
          • EnableWindow.USER32(?,00000000), ref: 004097FE
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
          • String ID:
          • API String ID: 670545878-0
          • Opcode ID: 2fb733a61f9d81bb407e25d3218fe4c1b934dac11301306e1720a80121c898ef
          • Instruction ID: 6264a0e9823cc40be086814042e8f241a234e06f4ec1576e02dc69a6e388e200
          • Opcode Fuzzy Hash: 2fb733a61f9d81bb407e25d3218fe4c1b934dac11301306e1720a80121c898ef
          • Instruction Fuzzy Hash: 52114F7362522197D6326E6A488472BB29C5F95F50F19413BEC01F73D2EB79CC0282AD
          APIs
          • ClientToScreen.USER32(?,?), ref: 004115DE
          • GetDlgCtrlID.USER32(00000000), ref: 004115F2
          • GetWindowLongA.USER32(00000000,000000F0), ref: 00411600
          • GetWindowRect.USER32(00000000,?), ref: 00411612
          • PtInRect.USER32(?,?,?), ref: 00411622
          • GetWindow.USER32(?,00000005), ref: 0041162F
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Window$Rect$ClientCtrlLongScreen
          • String ID:
          • API String ID: 1315500227-0
          • Opcode ID: 7b2a6692232bb235d60294412369d624402db41e809d4c46628d84df226a0034
          • Instruction ID: 9abc1b68a7f0dfd5f59e6d0f9d88089f2db94a29aa285cf3fbd206a185eecca3
          • Opcode Fuzzy Hash: 7b2a6692232bb235d60294412369d624402db41e809d4c46628d84df226a0034
          • Instruction Fuzzy Hash: 5C01A735201519B7CB219F549C08FEF372CEF05B50F444029FE11A2160DB3AD54287AD
          APIs
          • GlobalHandle.KERNEL32 ref: 0041184A
          • GlobalUnlock.KERNEL32(00000000), ref: 00411853
          • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0041186A
          • GlobalHandle.KERNEL32(?), ref: 0041187C
          • GlobalLock.KERNEL32(00000000), ref: 00411883
          • LeaveCriticalSection.KERNEL32(?), ref: 0041188D
          • GlobalLock.KERNEL32(00000000), ref: 00411899
          • _memset.LIBCMT ref: 004118B2
          • LeaveCriticalSection.KERNEL32(?), ref: 004118DE
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Global$CriticalHandleLeaveLockSection$AllocUnlock_memset
          • String ID:
          • API String ID: 3803186603-0
          • Opcode ID: 4f6417d7b28bc37ed68938ae88dd927746bf45714e88f2d1f8eb7366bd7dcb45
          • Instruction ID: ae09a9c0bb8a46ec5769ecdd616a3f6020c857835b7f98359dd315e2abd54afd
          • Opcode Fuzzy Hash: 4f6417d7b28bc37ed68938ae88dd927746bf45714e88f2d1f8eb7366bd7dcb45
          • Instruction Fuzzy Hash: D9E0ED71A06311AFE6202B709C4DA7F776CBB15701B80882DBA42961E1DF78AC53875D
          APIs
          • GlobalLock.KERNEL32 ref: 00412975
          • lstrlenA.KERNEL32(?), ref: 004129BD
          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004129D7
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ByteCharGlobalLockMultiWidelstrlen
          • String ID: @
          • API String ID: 1529587224-2766056989
          • Opcode ID: 734c14fd2f0f776bb9e0ecb94fa07e1faf60088b272dee7760cefbbc57524b95
          • Instruction ID: 3499cc9264d39419ba4970d00d297b166cb9f91db28127399532838489832ea5
          • Opcode Fuzzy Hash: 734c14fd2f0f776bb9e0ecb94fa07e1faf60088b272dee7760cefbbc57524b95
          • Instruction Fuzzy Hash: CB412A71A00215DFCF14DFA4C985AEEB7B5FF04304F14822AE412E7285D7B89996CB58
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: __msize_malloc
          • String ID: TIC
          • API String ID: 1288803200-1520089880
          • Opcode ID: 8675a0941465ad999d18e9f783ccf37fd6272e86334f226172f911ff24a543e7
          • Instruction ID: 10afd41ac44df9465c97aa7043fe0d0ad70055dd719086c4ffd521069a8b00fe
          • Opcode Fuzzy Hash: 8675a0941465ad999d18e9f783ccf37fd6272e86334f226172f911ff24a543e7
          • Instruction Fuzzy Hash: 4821B1311006019FCB24EF25DA81ADF77A1AF45314B10856FED29DA295DBB8DDE1CB8C
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: __calloc_crt
          • String ID: X'C$`YC$h)C
          • API String ID: 3494438863-3812351033
          • Opcode ID: c4660a41b45dd8613b24ca935d8d7f09e3af359953f8b177dc4308f86385ead4
          • Instruction ID: 5cc6cba8c1634f9ac13222d34f176135d367f50fd9ca8d99f31bf26d81d69cc8
          • Opcode Fuzzy Hash: c4660a41b45dd8613b24ca935d8d7f09e3af359953f8b177dc4308f86385ead4
          • Instruction Fuzzy Hash: 451127B13062215AF7248A2EBD413663791EFA4334F65912BE505C73B0E7789C82468C
          APIs
          • GetMonitorInfoA.USER32(00000002,00000000), ref: 0040AE5E
          • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040AE87
          • GetSystemMetrics.USER32(00000000), ref: 0040AE9F
          • GetSystemMetrics.USER32(00000001), ref: 0040AEA6
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: System$InfoMetrics$MonitorParameters
          • String ID: DISPLAY
          • API String ID: 1842416757-865373369
          • Opcode ID: ef17007eac61e321a03604c5a5b3d3607328d5ca59113edac8bdd3b45b81c2a4
          • Instruction ID: 84fa5a3baa3d446f9dac95694b04d1c78ba201bf510139235b6f609d7a2b4080
          • Opcode Fuzzy Hash: ef17007eac61e321a03604c5a5b3d3607328d5ca59113edac8bdd3b45b81c2a4
          • Instruction Fuzzy Hash: EE112771641324ABCF219F64DC80A5BBBA8EF05B80B018036FC05BF181D675D911CBE6
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID:
          • String ID: Edit
          • API String ID: 0-554135844
          • Opcode ID: c4e1dab91480d0ed5c95ce65d8faa100448634416509e48efd8566dca0b4adbe
          • Instruction ID: be06ba449fc631cf7d58c92a130ec8d1771c22c1a04e24e7d2d2b5e6d9a2654b
          • Opcode Fuzzy Hash: c4e1dab91480d0ed5c95ce65d8faa100448634416509e48efd8566dca0b4adbe
          • Instruction Fuzzy Hash: D501A535310301A6EA3466368C49B5FB6A9AF44755F50443BE901F12E2CBB9CC61C65E
          APIs
            • Part of subcall function 00412458: EnterCriticalSection.KERNEL32(00434C78,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 00412494
            • Part of subcall function 00412458: InitializeCriticalSection.KERNEL32(?,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004124A3
            • Part of subcall function 00412458: LeaveCriticalSection.KERNEL32(00434C78,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004124B0
            • Part of subcall function 00412458: EnterCriticalSection.KERNEL32(?,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004124BC
            • Part of subcall function 004116D0: __EH_prolog3_catch.LIBCMT ref: 004116D7
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 0040E203
          • FreeLibrary.KERNEL32(?), ref: 0040E213
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
          • String ID: 8IC$HtmlHelpA$hhctrl.ocx
          • API String ID: 3274081130-342747736
          • Opcode ID: c52f68699cf1d5476f939404ed6b5979f73686e451c87a653ce5346f4fe196c7
          • Instruction ID: 04df323c46f63d30191d7356d9afabc21cd1256267de6a1173b31c6c531e2cce
          • Opcode Fuzzy Hash: c52f68699cf1d5476f939404ed6b5979f73686e451c87a653ce5346f4fe196c7
          • Instruction Fuzzy Hash: 7A01D630644312EBD7206F62E905B5B76D09F64B45F008C7FF18AB41E1CB798861966E
          APIs
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: _wctomb_s
          • String ID:
          • API String ID: 2865277502-0
          • Opcode ID: a93caea7bdf5a7f6f23f5885df3f9b46a51e3735d5b51e0037d07f2f605503d6
          • Instruction ID: 647c952f22892b638a07e84b23bda9cfc3efcc3405b0d12dd0ca02c8f8cea45a
          • Opcode Fuzzy Hash: a93caea7bdf5a7f6f23f5885df3f9b46a51e3735d5b51e0037d07f2f605503d6
          • Instruction Fuzzy Hash: F2619D3290068AEFCF229E94C8805EE3F61AB99354B65066FE9545A341D3388DC1CBDE
          APIs
          • __EH_prolog3_catch.LIBCMT ref: 004092BE
          • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 004092DD
          • RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 004092FB
          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00409376
          • RegCloseKey.ADVAPI32(?), ref: 00409381
            • Part of subcall function 00408950: __EH_prolog3.LIBCMT ref: 00408957
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CloseDeleteEnumH_prolog3H_prolog3_catchOpen
          • String ID:
          • API String ID: 301487041-0
          • Opcode ID: 46b820354141886e47e4a8ecc8f2f5c054d0789a9a31567b790ba3cd1cffa5bc
          • Instruction ID: 317424ba022be117829117ce5f7c5353456ed02cb3d13987188c627a9c4bdfce
          • Opcode Fuzzy Hash: 46b820354141886e47e4a8ecc8f2f5c054d0789a9a31567b790ba3cd1cffa5bc
          • Instruction Fuzzy Hash: AB219E72D042199BDB21DBA4D841AFEB7B4FF08314F10413AED41B72D1DB385E448B95
          APIs
          • lstrlenA.KERNEL32(?), ref: 0041147D
          • _memset.LIBCMT ref: 0041149A
          • GetWindowTextA.USER32(?,00000000,00000100), ref: 004114B4
          • lstrcmpA.KERNEL32(00000000,?), ref: 004114C6
          • SetWindowTextA.USER32(?,?), ref: 004114D2
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
          • String ID:
          • API String ID: 289641511-0
          • Opcode ID: 92e9a6484d542989bde9b5abc781176b9dd5508561a1e35064bf210765636fc0
          • Instruction ID: 725ad23ed14d9e1c9c4de5963adaf9c06c94390e6c17a773d68b625b09011a3c
          • Opcode Fuzzy Hash: 92e9a6484d542989bde9b5abc781176b9dd5508561a1e35064bf210765636fc0
          • Instruction Fuzzy Hash: 3D014976601208A7DB20AF25DC84BEF736CEF24744F0000BAF645D3140DA789E8487B8
          APIs
          • __lock.LIBCMT ref: 004152B4
            • Part of subcall function 004199D9: __mtinitlocknum.LIBCMT ref: 004199ED
            • Part of subcall function 004199D9: __amsg_exit.LIBCMT ref: 004199F9
            • Part of subcall function 004199D9: EnterCriticalSection.KERNEL32(?,?,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00419A01
          • ___sbh_find_block.LIBCMT ref: 004152BF
          • ___sbh_free_block.LIBCMT ref: 004152CE
          • HeapFree.KERNEL32(00000000,?,0042E8A8,0000000C,004199BA,00000000,0042EA18,0000000C,004199F2,?,?,?,00415639,00000004,0042E8E8,0000000C), ref: 004152FE
          • GetLastError.KERNEL32(?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 0041530F
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
          • String ID:
          • API String ID: 2714421763-0
          • Opcode ID: 288d0f1db7af32e32e0e1347d6782a7e008b7ca543fbad96c66c23ff8b7fa8dd
          • Instruction ID: 9559076ab3c055ddf1cbbaf6d1b3f604edf31635bd52e61f84247a1288c1c03c
          • Opcode Fuzzy Hash: 288d0f1db7af32e32e0e1347d6782a7e008b7ca543fbad96c66c23ff8b7fa8dd
          • Instruction Fuzzy Hash: 3C016772901605EADB247B72AC0A7DE3B649F40764F21405FF414A7191DF7D89C09AAC
          APIs
          • EnterCriticalSection.KERNEL32(00434C78,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 00412494
          • InitializeCriticalSection.KERNEL32(?,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004124A3
          • LeaveCriticalSection.KERNEL32(00434C78,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004124B0
          • EnterCriticalSection.KERNEL32(?,?,?,?,?,004116EB,00000010,00000008,0041056A,0041050D,00408BA1,00410574,00410AAB,00000000,00410B31,00000001), ref: 004124BC
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
          • String ID: JC
          • API String ID: 3253506028-24257337
          • Opcode ID: 82ff294211480636f2ee6e861e2e8e3cac2c94d6a376cacf8b84d2850aed6c81
          • Instruction ID: e4d17c426c236e9ae5311bc609f3124c2b11923620b00d13474fca3db2fef862
          • Opcode Fuzzy Hash: 82ff294211480636f2ee6e861e2e8e3cac2c94d6a376cacf8b84d2850aed6c81
          • Instruction Fuzzy Hash: 53F08B336011045FC6105F58EC847AAF769FBD6301F82202FE180C2191CBBD54D2CA2C
          APIs
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: __close__flush__freebuf
          • String ID: @0B
          • API String ID: 3722736141-2518420291
          • Opcode ID: fa56ad7a49448fa7d3b76bc9ad158b9e60079ec52f93991aeffcf55ebf71a4cf
          • Instruction ID: 946f3286963896880b4bfddf3fafd463fcccdc7187fc4ea6660e3ce7c148ed82
          • Opcode Fuzzy Hash: fa56ad7a49448fa7d3b76bc9ad158b9e60079ec52f93991aeffcf55ebf71a4cf
          • Instruction Fuzzy Hash: B0F02272B00F205E82203B7B2C4045BA6DC5E82338796462FF5B9D3292D67CDA01467D
          APIs
          • DeleteCriticalSection.KERNEL32(00434C78), ref: 00412430
          • DeleteCriticalSection.KERNEL32(00434AE0), ref: 00412442
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalDeleteSection
          • String ID: xLC$JC
          • API String ID: 166494926-4258160161
          • Opcode ID: e6ec61db0bfd780edf6d138243840adaea56f66edd80e77cb434615e9035504d
          • Instruction ID: c839bc589e46c8dc20d2d358233f2c7f6d60929db7ec274758b515afd62eaee2
          • Opcode Fuzzy Hash: e6ec61db0bfd780edf6d138243840adaea56f66edd80e77cb434615e9035504d
          • Instruction Fuzzy Hash: 92E04F725411509BC6202B8AEC847C76268EBC5365F56643BD540812A183BD28A1CAAC
          APIs
          • DeleteCriticalSection.KERNEL32(00434C78), ref: 00412430
          • DeleteCriticalSection.KERNEL32(00434AE0), ref: 00412442
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalDeleteSection
          • String ID: xLC$JC
          • API String ID: 166494926-4258160161
          • Opcode ID: e8d8a90fa08c48c01acc90620af0df20803cfabcda8391ba9d34f6db984e64a5
          • Instruction ID: 86fad9f7cb8adc81c9481c2127d3d9d09a7915cc49ae4fe1c4ec991b607c057b
          • Opcode Fuzzy Hash: e8d8a90fa08c48c01acc90620af0df20803cfabcda8391ba9d34f6db984e64a5
          • Instruction Fuzzy Hash: FDE07D729452501FC7302B8DECC02CB6B48DBC9360F57B43BD540C1251C3EC789082AC
          APIs
          • __lock.LIBCMT ref: 00421B6E
            • Part of subcall function 004199D9: __mtinitlocknum.LIBCMT ref: 004199ED
            • Part of subcall function 004199D9: __amsg_exit.LIBCMT ref: 004199F9
            • Part of subcall function 004199D9: EnterCriticalSection.KERNEL32(?,?,?,00415639,00000004,0042E8E8,0000000C,004194DB,00000058,00000058,00000000,00000000,00000000,0041917D,00000001,00000214), ref: 00419A01
          • EnterCriticalSection.KERNEL32(?,?,00425EAA,?,0042ED98,0000000C,004234C7,?,0042ED30,00000010,00421B40), ref: 00421B81
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
          • String ID: H)C$`YC
          • API String ID: 3996875869-911447929
          • Opcode ID: 99a000794fede16d5a1214d0a9d82aa83865c85beb1b6989afdea18c54dc8b7e
          • Instruction ID: 38d6fed887ec856c9cd2f1efe2b7ffb53af09546894fbd4ce49e55abc0b52752
          • Opcode Fuzzy Hash: 99a000794fede16d5a1214d0a9d82aa83865c85beb1b6989afdea18c54dc8b7e
          • Instruction Fuzzy Hash: ECD0CD7370563007DB74313879591DD7694DB042A0B46D55FE886622E4D6696C820ACC
          APIs
          • GetModuleHandleA.KERNEL32(KERNEL32,00418A0B), ref: 0042097E
          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0042098E
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: IsProcessorFeaturePresent$KERNEL32
          • API String ID: 1646373207-3105848591
          • Opcode ID: 4216606d46c5b1316a5d04c5f1edad8403d9b61e0f84fb5c923a5b0fc98fd6f0
          • Instruction ID: d3c00f1bbf32cb747abd88a5656d4f54c7302f32f2312c196111e69eab0ea4d1
          • Opcode Fuzzy Hash: 4216606d46c5b1316a5d04c5f1edad8403d9b61e0f84fb5c923a5b0fc98fd6f0
          • Instruction Fuzzy Hash: 54C012B0343722A2FA202BA43D49F1A21C80F08B02FD4086AB40AD00A6DE68D481D83E
          APIs
          • __EH_prolog3.LIBCMT ref: 0041127E
            • Part of subcall function 00407743: _malloc.LIBCMT ref: 0040775D
          • __CxxThrowException@8.LIBCMT ref: 004112B4
          • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,0040128C,00000000,00000000,00000000,?,?,0042E3D8,00000004,00407706,?,0040772B,80070057), ref: 004112DD
            • Part of subcall function 00410EAD: _wctomb_s.LIBCMT ref: 00410EBD
          • LocalFree.KERNEL32(0040128C,0040128C), ref: 00411306
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmpDownload File
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
          • String ID:
          • API String ID: 1615547351-0
          • Opcode ID: 7ee1e2bf7d461c3ac19c1ca2cfbccadc707a8327554cc62520dc894093c3d465
          • Instruction ID: 61622fc379d76cf1847b37313fe4944c80f8883eea8ffeb134bf211c36d15524
          • Opcode Fuzzy Hash: 7ee1e2bf7d461c3ac19c1ca2cfbccadc707a8327554cc62520dc894093c3d465
          • Instruction Fuzzy Hash: 8C11A771604249FFDB00DFA4DC419EE37A9EB04354F10857AFA15DA1E1DB359950C758
          APIs
          • FindResourceA.KERNEL32(?,00000000,00000005), ref: 0040A6DB
          • LoadResource.KERNEL32(?,00000000), ref: 0040A6E3
          • LockResource.KERNEL32(00000000), ref: 0040A6F5
          • FreeResource.KERNEL32(00000000), ref: 0040A73F
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: Resource$FindFreeLoadLock
          • String ID:
          • API String ID: 1078018258-0
          • Opcode ID: c8b5db1c67d237ffd20c57a9280316caf2a6033d4707f2fe69377112eebb0be7
          • Instruction ID: 5fd375e47cb8cc04421b3d620d164d7c012cebdc674f29004501625cfa0d91ec
          • Opcode Fuzzy Hash: c8b5db1c67d237ffd20c57a9280316caf2a6033d4707f2fe69377112eebb0be7
          • Instruction Fuzzy Hash: 2D11BF31601714EFDB249F55C888ABBB3B4FF00355F10803AE88263690E778ED61DB55
          APIs
          • __EH_prolog3.LIBCMT ref: 004084E7
            • Part of subcall function 00408D15: __EH_prolog3.LIBCMT ref: 00408D1C
          • __strdup.LIBCMT ref: 00408509
          • GetCurrentThread.KERNEL32 ref: 00408536
          • GetCurrentThreadId.KERNEL32 ref: 0040853F
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: CurrentH_prolog3Thread$__strdup
          • String ID:
          • API String ID: 4206445780-0
          • Opcode ID: a8729ddc2fa3c9d429f45478c49200bc37491d121351ccc1975273192b31c1fc
          • Instruction ID: 7cbb11a77e63be202eed344771f19c3b2460b8a9e8cc035da5afe5560a9b8616
          • Opcode Fuzzy Hash: a8729ddc2fa3c9d429f45478c49200bc37491d121351ccc1975273192b31c1fc
          • Instruction Fuzzy Hash: 6F219EB0901B50DFC7219F2A854529AFBF8BFA4704F10892FD19A87761DBB8A441CF49
          APIs
          • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 0040A1DF
          • RegCloseKey.ADVAPI32(00000000), ref: 0040A1E8
          • _swprintf.LIBCMT ref: 0040A205
          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040A216
          Memory Dump Source
          • Source File: 00000007.00000002.1968262594.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000007.00000002.1968243098.0000000000400000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968290163.0000000000428000.00000002.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000431000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968311135.0000000000434000.00000004.00000001.01000000.00000006.sdmp
          • Associated: 00000007.00000002.1968349278.0000000000437000.00000002.00000001.01000000.00000006.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_400000_InstPost.jbxd
          Similarity
          • API ID: ClosePrivateProfileStringValueWrite_swprintf
          • String ID:
          • API String ID: 4210924919-0
          • Opcode ID: 71e3b85b5cde49ca0a00935e9288bfe3b0d429a5d4cba11c22e28018522bcabe
          • Instruction ID: eb27abc63018104b5107d0708c312a238f760046908498067fe3e9974f28de1a
          • Opcode Fuzzy Hash: 71e3b85b5cde49ca0a00935e9288bfe3b0d429a5d4cba11c22e28018522bcabe
          • Instruction Fuzzy Hash: 1401C072641309BBDB10AF648C45FAF77ACAF48714F41042EB601E7281DA78ED1587AA
          APIs
          • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0040EC8C
          • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0040ECB7
            • Part of subcall function 0040D9F3: GetTopWindow.USER32(?), ref: 0040DA01
          • GetCapture.USER32 ref: 0040ECC9
          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0040ECD8
          Similarity
          • API ID: MessageSend$CaptureWindow
          • String ID:
          • API String ID: 729421689-0
          • Opcode ID: 35608185104c431c1e83f7ae40c56ae0ee1949b607162cc326f985aedc82cd1b
          • Instruction ID: 44fbea8bbf0f9cea84be121a4102fcae8fdf5b58c9feef3d379976de2c97be6f
          • Opcode Fuzzy Hash: 35608185104c431c1e83f7ae40c56ae0ee1949b607162cc326f985aedc82cd1b
          • Instruction Fuzzy Hash: 290184B1310208BFF6302B618CC9FBF76ADFF48788F010539F381AA1E2C6A64C515664
          APIs
          • EnableMenuItem.USER32(?,00000000,?), ref: 00409E0A
            • Part of subcall function 00411163: __CxxThrowException@8.LIBCMT ref: 00411177
          • GetFocus.USER32 ref: 00409E21
          • GetParent.USER32(?), ref: 00409E2F
          • SendMessageA.USER32(?,00000028,00000000,00000000), ref: 00409E42
          Similarity
          • API ID: EnableException@8FocusItemMenuMessageParentSendThrow
          • String ID:
          • API String ID: 4211600527-0
          • Opcode ID: 98277abc8c8eea4972adbb0f2013c1f41c55b2c842388f8e9bd811d9ae56cdc0
          • Instruction ID: 517d343138059fdcf588013ae186e674298860eb0816b35dc797a98d33465f57
          • Opcode Fuzzy Hash: 98277abc8c8eea4972adbb0f2013c1f41c55b2c842388f8e9bd811d9ae56cdc0
          • Instruction Fuzzy Hash: CA118E71100600AFCB34EF20CC8596BB7B6FF84715B14863EF156629A1CB75AC45CB98
          APIs
          • GetTopWindow.USER32(?), ref: 0040DA01
          • GetTopWindow.USER32(00000000), ref: 0040DA40
          • GetWindow.USER32(00000000,00000002), ref: 0040DA5E
          Similarity
          • API ID: Window
          • String ID:
          • API String ID: 2353593579-0
          • Opcode ID: d2381fc974b8ca50f5d57e6e368de8210fb3637db5ef1d87ac8bfad60f27f065
          • Instruction ID: 19d2d01c6a9528bffc36cfa3bbe3f0ac0d65276aff12f2bb83484b891e8d20aa
          • Opcode Fuzzy Hash: d2381fc974b8ca50f5d57e6e368de8210fb3637db5ef1d87ac8bfad60f27f065
          • Instruction Fuzzy Hash: 3A01403660561ABBCF12AFD59C04EDF3B26AF49750F044025FA00611A0C73AC576EFA9
          Similarity
          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
          • String ID:
          • API String ID: 3016257755-0
          • Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
          • Instruction ID: 14b4bfa6345d7add77aa061407e26fbdb92db3f330685655b363bccf1bda6575
          • Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
          • Instruction Fuzzy Hash: AF01437210015DFBCF166E84EC05CEE3FA3BB19354B948556FA1895132D33AC9B1EB89
          APIs
          • GetDlgItem.USER32(?,?), ref: 0040D3F5
          • GetTopWindow.USER32(00000000), ref: 0040D408
            • Part of subcall function 0040D3EA: GetWindow.USER32(00000000,00000002), ref: 0040D44F
          • GetTopWindow.USER32(?), ref: 0040D438
          Similarity
          • API ID: Window$Item
          • String ID:
          • API String ID: 369458955-0
          • Opcode ID: fed67843897a93016c194c4668359f95818ffdfc51164405dc2749532b5f2a83
          • Instruction ID: 4b323c97baf06d5d620ee94b28e6a2a1b02a65ce7c15909388185babb27614a0
          • Opcode Fuzzy Hash: fed67843897a93016c194c4668359f95818ffdfc51164405dc2749532b5f2a83
          • Instruction Fuzzy Hash: AA018F36901616A7CF226FE18C04AAF3B19AF657A0F008036FD00752D5DB39D91A96A9
          APIs
            • Part of subcall function 004191CB: __amsg_exit.LIBCMT ref: 004191D9
          • __amsg_exit.LIBCMT ref: 0041F0B9
          • __lock.LIBCMT ref: 0041F0C9
          • InterlockedDecrement.KERNEL32(?), ref: 0041F0E6
          • InterlockedIncrement.KERNEL32(005514A8), ref: 0041F111
          Similarity
          • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
          • String ID:
          • API String ID: 4129207761-0
          • Opcode ID: ffffc4f38aacdfcb1f1da1794ca4fbcff12dffeeee1a11f17c1f59c7e984f3a8
          • Instruction ID: 8628aac4bed066251c805454d028213a2c4baee77b840916a357a3762b7c20b4
          • Opcode Fuzzy Hash: ffffc4f38aacdfcb1f1da1794ca4fbcff12dffeeee1a11f17c1f59c7e984f3a8
          • Instruction Fuzzy Hash: EF018432901711ABD720AB66A9067DE7BA0AB04725F14412FE800A7392CB3C9DC7CBDD
          APIs
          • GetLastError.KERNEL32(?,00000000,00416701,00415FB0,00000001,00418EE7,?,00000000,00000000,?,?,?,00418FF9,?,00407762,?), ref: 00419156
            • Part of subcall function 00419026: TlsGetValue.KERNEL32(00000000,00419169,?,?,?,00418FF9,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?), ref: 0041902D
            • Part of subcall function 00419026: TlsSetValue.KERNEL32(00000000,?,?,00418FF9,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057), ref: 0041904E
          • __calloc_crt.LIBCMT ref: 00419178
            • Part of subcall function 004194C8: __calloc_impl.LIBCMT ref: 004194D6
            • Part of subcall function 004194C8: Sleep.KERNEL32(00000000), ref: 004194ED
            • Part of subcall function 00418FAF: TlsGetValue.KERNEL32(00000000,0041A51E,004157D8,?,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057), ref: 00418FBC
            • Part of subcall function 00418FAF: TlsGetValue.KERNEL32(00000005,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B,80070057,?,00411A51,?), ref: 00418FD3
            • Part of subcall function 00419095: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0042E9D0,0000000C,004191A6,00000000,00000000,?,?,?,00418FF9,?,00407762,?,?,00000000,0041128A), ref: 004190A6
            • Part of subcall function 00419095: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004190DA
            • Part of subcall function 00419095: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 004190EA
            • Part of subcall function 00419095: InterlockedIncrement.KERNEL32(00431F90), ref: 0041910C
            • Part of subcall function 00419095: __lock.LIBCMT ref: 00419114
            • Part of subcall function 00419095: ___addlocaleref.LIBCMT ref: 00419133
          • GetCurrentThreadId.KERNEL32 ref: 004191A8
          • SetLastError.KERNEL32(00000000,?,?,?,00418FF9,?,00407762,?,?,00000000,0041128A,0000000C,00000004,00407706,?,0040772B), ref: 004191C0
          Similarity
          • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
          • String ID:
          • API String ID: 1081334783-0
          • Opcode ID: a77ea4b5a239dbcb7a2516542bc17ae0f177a84a52dcd73d70e4f434a9628cb2
          • Instruction ID: 3f3d5cb3a97c751f217117a9b573bce725e626d5735aecaff6db6f8b31c4d289
          • Opcode Fuzzy Hash: a77ea4b5a239dbcb7a2516542bc17ae0f177a84a52dcd73d70e4f434a9628cb2
          • Instruction Fuzzy Hash: FDF0C8325057226AE23537757C1D6DE3BA59F417B0718012FF809A62E0CF2ACCC286AD
          APIs
          • FindResourceA.KERNEL32(?,?,000000F0), ref: 0040FC6F
          • LoadResource.KERNEL32(?,00000000,?,?,?,?,0040A66E,?,?,004011A9), ref: 0040FC7B
          • LockResource.KERNEL32(00000000,?,?,?,?,0040A66E,?,?,004011A9), ref: 0040FC88
          • FreeResource.KERNEL32(00000000,?,?,?,?,0040A66E,?,?,004011A9), ref: 0040FCA3
          Similarity
          • API ID: Resource$FindFreeLoadLock
          • String ID:
          • API String ID: 1078018258-0
          • Opcode ID: ae70bd6a3d3c98b39f5aaa544bc328fc86d4a8e44cc71b6ffa6e9d9f8d85502d
          • Instruction ID: efc844d9304bcad775a78147affda30186cb66e13647162f4bafccdfb5d058ad
          • Opcode Fuzzy Hash: ae70bd6a3d3c98b39f5aaa544bc328fc86d4a8e44cc71b6ffa6e9d9f8d85502d
          • Instruction Fuzzy Hash: E7F0CD363052056FE3305B669C4997FB6ACAF85661744003EFE04E2A91CE398C0AC669
          APIs
          • EnableWindow.USER32(?,00000001), ref: 0040AB31
          • GetActiveWindow.USER32 ref: 0040AB3C
          • SetActiveWindow.USER32(?,?,00000024,0040108B), ref: 0040AB4A
          • FreeResource.KERNEL32(?,?,00000024,0040108B), ref: 0040AB66
            • Part of subcall function 00410FB0: EnableWindow.USER32(?,?), ref: 00410FBD
          Similarity
          • API ID: Window$ActiveEnable$FreeResource
          • String ID:
          • API String ID: 253586258-0
          • Opcode ID: 25ec028221ba6a818e7ca1cb88c198f6094525c5b8f226b273301207e29871a7
          • Instruction ID: 6b1b7bd5860b3d09d2b6e66bcd3e5d1fab54806610f3e0bfcdfe98f3d0c7e963
          • Opcode Fuzzy Hash: 25ec028221ba6a818e7ca1cb88c198f6094525c5b8f226b273301207e29871a7
          • Instruction Fuzzy Hash: 7BF0CD30A00714CFCF21AB64C9459AEB7B2BF48705F64042AE54172291CB7A6D91CA5A
          APIs
          • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00408454
          • PathFindExtensionA.SHLWAPI(?), ref: 0040846A
            • Part of subcall function 0040813D: __EH_prolog3.LIBCMT ref: 0040815C
            • Part of subcall function 0040813D: GetModuleHandleA.KERNEL32(kernel32.dll,0000005C), ref: 00408186
            • Part of subcall function 0040813D: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00408197
            • Part of subcall function 0040813D: ConvertDefaultLocale.KERNELBASE(?), ref: 004081CD
            • Part of subcall function 0040813D: ConvertDefaultLocale.KERNELBASE(?), ref: 004081D5
            • Part of subcall function 0040813D: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 004081E9
            • Part of subcall function 0040813D: ConvertDefaultLocale.KERNEL32(?), ref: 0040820D
            • Part of subcall function 0040813D: ConvertDefaultLocale.KERNEL32(74DEF550), ref: 00408213
            • Part of subcall function 0040813D: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040824C
          Similarity
          • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath
          • String ID: %s%s.dll
          • API String ID: 2355367764-1649984862
          • Opcode ID: bc32de3aad7523f28fc3a1baaff7a2f496d7c4476a8c0735739c4a01d9f011ab
          • Instruction ID: 92de80021881e6e1195ced57f413c289d84b7594141d94c7db519e084ca490c9
          • Opcode Fuzzy Hash: bc32de3aad7523f28fc3a1baaff7a2f496d7c4476a8c0735739c4a01d9f011ab
          • Instruction Fuzzy Hash: B50186726051189FDB14DB54ED41AEF77E8AB45700F1004BEE541E7190EE749A058BB9
          Similarity
          • API ID: H_prolog3
          • String ID: 0HC$HC
          • API String ID: 431132790-788042566
          • Opcode ID: 3b3e1668c650fcff13dede50a58850612eb19b6ae5517f5646bf61a25dcdd2af
          • Instruction ID: 2bc4a94cbe3116c778d2c21c4035acc667629baf3c2212d4d7949dd8c07f6883
          • Opcode Fuzzy Hash: 3b3e1668c650fcff13dede50a58850612eb19b6ae5517f5646bf61a25dcdd2af
          • Instruction Fuzzy Hash: 65F08636D002209BDB38BB9C814939EB2A06F44714F09C13F94A5672E1D77C5D44C64D
          APIs
          • EnterCriticalSection.KERNEL32(?), ref: 00411B36
          • LeaveCriticalSection.KERNEL32(?,?), ref: 00411B46
          • LocalFree.KERNEL32(?), ref: 00411B4F
          • TlsSetValue.KERNEL32(?,00000000), ref: 00411B61
          Similarity
          • API ID: CriticalSection$EnterFreeLeaveLocalValue
          • String ID:
          • API String ID: 2949335588-0
          • Opcode ID: 63ec2a97ca46aa3441137259c74b55a3c04787e5baf2893c341be3d5060f7eb4
          • Instruction ID: d5ccd15f141143dc277bdd5169cd5c61a7cc87bd5ae2ce0bdf2d3d4e7cdad5e4
          • Opcode Fuzzy Hash: 63ec2a97ca46aa3441137259c74b55a3c04787e5baf2893c341be3d5060f7eb4
          • Instruction Fuzzy Hash: FF118831601604EFD720DF68D889BAAB7B5FF05356F10806EE6428B2B1DB75BC91CB18
          APIs
          • EnterCriticalSection.KERNEL32(0000001C,?,?,?,00411C2E,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA), ref: 00411672
          • TlsGetValue.KERNEL32(00000000,?,?,?,00411C2E,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA), ref: 00411687
          • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,00411C2E,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA), ref: 0041169D
          • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,00411C2E,?,00000004,0041054B,00408BA1,00410574,00410AAB,00000000,00410B31,00000001,?,00410BDA), ref: 004116A8
          Similarity
          • API ID: CriticalSection$Leave$EnterValue
          • String ID:
          • API String ID: 3969253408-0
          • Opcode ID: 9b6a5132c5010b922df4f78c1b5c5270af8d347dccab19ae5b6ea82a78d869cb
          • Instruction ID: 5117da97fa7ab119c1d8b77f804ab9f034b1efd9381a1da8e4363bfd9ec43ecf
          • Opcode Fuzzy Hash: 9b6a5132c5010b922df4f78c1b5c5270af8d347dccab19ae5b6ea82a78d869cb
          • Instruction Fuzzy Hash: A2F05E363005008FD2208F24EC88D6AB3A9EE8535135A856FE54693221CB3AF8668A58