Windows Analysis Report
Photoshop_x64_en-us.exe

Overview

General Information

Sample name: Photoshop_x64_en-us.exe
Analysis ID: 1532243
MD5: 62044b7de91afa1c39d5312428957c44
SHA1: 5ad2964db98cafa09ea71f2a790959a0ed67ff2a
SHA256: a1af62c4cae7eb01939beb0adb4adc83296d85a49462b399d14cf814d50627d3
Tags: exeuser-aachum
Infos:

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
PE file does not import any functions
Uses 32bit PE files

Classification

  • System is w10x64
  • Photoshop_x64_en-us.exe (PID: 2668 cmdline: "C:\Users\user\Desktop\Photoshop_x64_en-us.exe" MD5: 62044B7DE91AFA1C39D5312428957C44)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: Photoshop_x64_en-us.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe File created: C:\Users\user\AppData\Local\Release_1.7.5.2\LICENSE.txt
Source: Photoshop_x64_en-us.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Net.Sockets.ni.pdb source: System.Net.Sockets.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Json\Release\net8.0\System.Text.Json.pdb source: System.Text.Json.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: System.Private.Xml.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Parallel\Release\net8.0\System.Threading.Tasks.Parallel.pdbSHA2560 source: System.Threading.Tasks.Parallel.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb|||GCTL source: hostpolicy.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Metadata\Release\net8.0\System.Reflection.Metadata.pdb source: System.Reflection.Metadata.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: System.Diagnostics.DiagnosticSource.dll.0.dr
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Microsoft.Win32.Registry.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: System.Security.Cryptography.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Immutable\Release\net8.0\System.Collections.Immutable.pdb source: System.Collections.Immutable.dll.0.dr
Source: Binary string: System.Net.Security.ni.pdb source: System.Net.Security.dll.0.dr
Source: Binary string: System.Reflection.Metadata.ni.pdb source: System.Reflection.Metadata.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscoree\coreclr\coreclr.pdb source: coreclr.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: System.Collections.Concurrent.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: System.Net.NameResolution.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Formatters\Release\net8.0\System.Runtime.Serialization.Formatters.pdbSHA256 source: System.Runtime.Serialization.Formatters.dll.0.dr
Source: Binary string: System.Private.Xml.Linq.ni.pdb source: System.Private.Xml.Linq.dll.0.dr
Source: Binary string: System.Text.Json.ni.pdb source: System.Text.Json.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: System.Net.Http.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: System.Private.Uri.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: System.Net.Primitives.dll.0.dr
Source: Binary string: System.Private.Xml.ni.pdb source: System.Private.Xml.dll.0.dr
Source: Binary string: System.Net.WebSockets.Client.ni.pdb source: System.Net.WebSockets.Client.dll.0.dr
Source: Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\Release\net8.0-windows\Microsoft.CSharp.pdb source: Microsoft.CSharp.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.0.dr
Source: Binary string: System.Net.Mail.ni.pdb source: System.Net.Mail.dll.0.dr
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: System.Text.RegularExpressions.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebClient\Release\net8.0\System.Net.WebClient.pdb source: System.Net.WebClient.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdbSHA256@ source: System.Net.Requests.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Parallel\Release\net8.0\System.Linq.Parallel.pdb source: System.Linq.Parallel.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.0.dr
Source: Binary string: System.Collections.Immutable.ni.pdb source: System.Collections.Immutable.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb source: hostpolicy.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Formatters\Release\net8.0\System.Runtime.Serialization.Formatters.pdb source: System.Runtime.Serialization.Formatters.dll.0.dr
Source: Binary string: System.Net.NameResolution.ni.pdb source: System.Net.NameResolution.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\clretwrc\clretwrc.pdb source: clretwrc.dll.0.dr
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: System.Diagnostics.DiagnosticSource.dll.0.dr
Source: Binary string: System.Threading.Tasks.Parallel.ni.pdb source: System.Threading.Tasks.Parallel.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdb source: System.Linq.Expressions.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdb source: System.Net.Requests.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: System.Runtime.InteropServices.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.0.dr
Source: Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Mail\Release\net8.0-windows\System.Net.Mail.pdb source: System.Net.Mail.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Tasks.Parallel\Release\net8.0\System.Threading.Tasks.Parallel.pdb source: System.Threading.Tasks.Parallel.dll.0.dr
Source: Binary string: System.Reflection.Emit.ni.pdb source: System.Reflection.Emit.dll.0.dr
Source: Binary string: Microsoft.CSharp.ni.pdb source: Microsoft.CSharp.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdbMMMGCTL source: clrgc.dll.0.dr
Source: Binary string: System.Text.Encodings.Web.ni.pdb source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: System.Net.WebClient.ni.pdb source: System.Net.WebClient.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdb source: System.IO.Compression.dll.0.dr
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: System.Diagnostics.TraceSource.dll.0.dr
Source: Binary string: System.Collections.Concurrent.ni.pdb source: System.Collections.Concurrent.dll.0.dr
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdbbb6bUGP source: msquic.dll.0.dr
Source: Binary string: System.Linq.Parallel.ni.pdb source: System.Linq.Parallel.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Mail\Release\net8.0-windows\System.Net.Mail.pdbSHA256 source: System.Net.Mail.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\Release\net8.0\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.0.dr
Source: Binary string: System.Private.Uri.ni.pdb source: System.Private.Uri.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.AccessControl\Release\net8.0-windows\System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.0.dr
Source: Binary string: System.Runtime.Serialization.Formatters.ni.pdb source: System.Runtime.Serialization.Formatters.dll.0.dr
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Microsoft.VisualBasic.Core.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Microsoft.VisualBasic.Core.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: System.Console.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: mscordaccore.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdb source: System.Formats.Asn1.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Microsoft.Win32.Registry.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: System.Net.Security.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.0.dr
Source: Binary string: System.Linq.Expressions.ni.pdb source: System.Linq.Expressions.dll.0.dr
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdb source: msquic.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: System.Net.Security.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdbSHA256 source: System.Linq.Expressions.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.CodePages\Release\net8.0-windows\System.Text.Encoding.CodePages.pdb source: System.Text.Encoding.CodePages.dll.0.dr
Source: Binary string: System.IO.Compression.ni.pdb source: System.IO.Compression.dll.0.dr
Source: Binary string: System.Security.Cryptography.ni.pdb source: System.Security.Cryptography.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: System.Data.Common.dll.0.dr
Source: Binary string: System.Net.Requests.ni.pdb source: System.Net.Requests.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets.Client\Release\net8.0\System.Net.WebSockets.Client.pdb source: System.Net.WebSockets.Client.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdbSHA256 source: System.Formats.Asn1.dll.0.dr
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: System.Runtime.InteropServices.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdb source: clrgc.dll.0.dr
Source: Binary string: System.Formats.Asn1.ni.pdb source: System.Formats.Asn1.dll.0.dr
Source: Binary string: System.Text.Encoding.CodePages.ni.pdb source: System.Text.Encoding.CodePages.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.0.dr
Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: clrjit.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml.Linq\Release\net8.0\System.Private.Xml.Linq.pdbSHA256 source: System.Private.Xml.Linq.dll.0.dr
Source: Binary string: System.Console.ni.pdb source: System.Console.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: System.Net.Sockets.dll.0.dr
Source: Binary string: System.Net.Http.ni.pdb source: System.Net.Http.dll.0.dr
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml.Linq\Release\net8.0\System.Private.Xml.Linq.pdb source: System.Private.Xml.Linq.dll.0.dr
Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: System.Text.RegularExpressions.dll.0.dr
Source: Binary string: System.Net.Primitives.ni.pdb source: System.Net.Primitives.dll.0.dr
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_004062A3 FindFirstFileA,FindClose,0_2_004062A3
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405768
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_004026FE FindFirstFileA,0_2_004026FE
Source: Photoshop_x64_en-us.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Photoshop_x64_en-us.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: System.Runtime.Serialization.Formatters.dll.0.dr String found in binary or memory: https://aka.ms/binaryformatter
Source: System.Security.Cryptography.dll.0.dr, Microsoft.VisualBasic.Core.dll.0.dr, System.Net.WebClient.dll.0.dr, System.Net.Primitives.dll.0.dr, System.Runtime.Serialization.Formatters.dll.0.dr, System.Data.Common.dll.0.dr, System.Linq.Expressions.dll.0.dr, System.Net.Http.dll.0.dr, System.Formats.Asn1.dll.0.dr, System.Collections.Specialized.dll.0.dr String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: System.Reflection.Metadata.dll.0.dr, System.Data.Common.dll.0.dr String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: System.Text.RegularExpressions.dll.0.dr String found in binary or memory: https://github.com/dotnet/linker/issues/2715.
Source: System.Threading.Tasks.Parallel.dll.0.dr, System.Text.Encodings.Web.dll.0.dr, System.Runtime.InteropServices.dll.0.dr, System.Diagnostics.DiagnosticSource.dll.0.dr, System.Net.WebSockets.dll.0.dr, Microsoft.Win32.Registry.dll.0.dr, Microsoft.CSharp.dll.0.dr, System.Private.Uri.dll.0.dr, System.Security.AccessControl.dll.0.dr, System.Net.WebSockets.Client.dll.0.dr, System.Net.Requests.dll.0.dr, System.Net.Sockets.dll.0.dr, System.Diagnostics.TraceSource.dll.0.dr, System.Net.Mail.dll.0.dr, System.Reflection.Metadata.dll.0.dr, System.Private.Xml.Linq.dll.0.dr, System.Collections.Immutable.dll.0.dr, System.Linq.Parallel.dll.0.dr, System.Text.Json.dll.0.dr, System.Net.NetworkInformation.dll.0.dr, System.Text.Encoding.CodePages.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Data.Common.dll.0.dr String found in binary or memory: https://github.com/mono/linker/issues/1187
Source: Microsoft.CSharp.dll.0.dr String found in binary or memory: https://github.com/mono/linker/issues/1416.
Source: Microsoft.VisualBasic.Core.dll.0.dr String found in binary or memory: https://github.com/mono/linker/issues/1731
Source: Microsoft.CSharp.dll.0.dr String found in binary or memory: https://github.com/mono/linker/issues/1906.
Source: System.Data.Common.dll.0.dr String found in binary or memory: https://github.com/mono/linker/issues/1981
Source: Microsoft.VisualBasic.Core.dll.0.dr String found in binary or memory: https://github.com/mono/linker/issues/378
Source: System.Linq.Expressions.dll.0.dr String found in binary or memory: https://github.com/mono/linker/pull/2125.
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405205
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040320C
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_00404A44 0_2_00404A44
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_00406F54 0_2_00406F54
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_0040677D 0_2_0040677D
Source: System.Private.Xml.Linq.dll.0.dr Static PE information: No import functions for PE file found
Source: System.Private.Xml.dll.0.dr Static PE information: No import functions for PE file found
Source: System.Runtime.InteropServices.dll.0.dr Static PE information: No import functions for PE file found
Source: System.Runtime.Numerics.dll.0.dr Static PE information: No import functions for PE file found
Source: System.Reflection.Metadata.dll.0.dr Static PE information: No import functions for PE file found
Source: System.Reflection.Emit.dll.0.dr Static PE information: No import functions for PE file found
Source: System.Private.Uri.dll.0.dr Static PE information: No import functions for PE file found
Source: classification engine Classification label: clean4.winEXE@1/74@0/0
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004044D1
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,0_2_004020D1
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe File created: C:\Users\user\AppData\Local\Release_1.7.5.2
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe File created: C:\Users\user\AppData\Local\Temp\nswCFF4.tmp
Source: Photoshop_x64_en-us.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe File read: C:\Users\user\Desktop\Photoshop_x64_en-us.exe
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Photoshop_x64_en-us.exe Static file information: File size 24276144 > 1048576
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: System.Console.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: mscordaccore.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdb source: System.Formats.Asn1.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Microsoft.Win32.Registry.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: System.Net.Security.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.0.dr
Source: Binary string: System.Linq.Expressions.ni.pdb source: System.Linq.Expressions.dll.0.dr
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdb source: msquic.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: System.Net.Security.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdbSHA256 source: System.Linq.Expressions.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.CodePages\Release\net8.0-windows\System.Text.Encoding.CodePages.pdb source: System.Text.Encoding.CodePages.dll.0.dr
Source: Binary string: System.IO.Compression.ni.pdb source: System.IO.Compression.dll.0.dr
Source: Binary string: System.Security.Cryptography.ni.pdb source: System.Security.Cryptography.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: System.Data.Common.dll.0.dr
Source: Binary string: System.Net.Requests.ni.pdb source: System.Net.Requests.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets.Client\Release\net8.0\System.Net.WebSockets.Client.pdb source: System.Net.WebSockets.Client.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdbSHA256 source: System.Formats.Asn1.dll.0.dr
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: System.Runtime.InteropServices.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdb source: clrgc.dll.0.dr
Source: Binary string: System.Formats.Asn1.ni.pdb source: System.Formats.Asn1.dll.0.dr
Source: Binary string: System.Text.Encoding.CodePages.ni.pdb source: System.Text.Encoding.CodePages.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: System.Net.Http.dll.0.dr
Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.0.dr
Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: clrjit.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml.Linq\Release\net8.0\System.Private.Xml.Linq.pdbSHA256 source: System.Private.Xml.Linq.dll.0.dr
Source: Binary string: System.Console.ni.pdb source: System.Console.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: System.Net.Sockets.dll.0.dr
Source: Binary string: System.Net.Http.ni.pdb source: System.Net.Http.dll.0.dr
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml.Linq\Release\net8.0\System.Private.Xml.Linq.pdb source: System.Private.Xml.Linq.dll.0.dr
Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: System.Text.RegularExpressions.dll.0.dr
Source: Binary string: System.Net.Primitives.ni.pdb source: System.Net.Primitives.dll.0.dr
Source: System.Private.Uri.dll.0.dr, Static PE information: 0xAB53918A [Mon Jan 31 07:04:42 2061 UTC]
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe, File created: C:\Users\user\AppData\Local\Release_1.7.5.2\LICENSE.txt
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\mscordaccore_amd64_amd64_8.0.824.36612.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encodings.Web.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Channels.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\mscordbi.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Metadata.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dllJump to dropped file
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeCode function: 0_2_004062A3 FindFirstFileA,FindClose,0_2_004062A3
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeCode function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405768
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeCode function: 0_2_004026FE FindFirstFileA,0_2_004026FE
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeAPI call chain: ExitProcess graph end nodegraph_0-3340
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeAPI call chain: ExitProcess graph end nodegraph_0-3333
Source: C:\Users\user\Desktop\Photoshop_x64_en-us.exeCode function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040320C
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Access Token Manipulation | LSASS Memory | 4 System Information Discovery | Remote Desktop Protocol | 1 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Timestomp | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Source | Detection | Scanner | Label | Link
Photoshop_x64_en-us.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Release_1.7.5.2\host\fxr\8.0.8\hostfxr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\Microsoft.DiaSymReader.Native.amd64.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Registry.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Collections.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Annotations.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Console.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Data.Common.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Tar.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.AccessControl.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Parallel.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Linq.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Mail.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Requests.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Security.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebClient.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.Client.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Private.Uri.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.Linq.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Metadata.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Numerics.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Formatters.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.Windows.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.CodePages.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encodings.Web.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Text.Json.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Text.RegularExpressions.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Channels.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Dataflow.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Parallel.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.Local.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\clrgc.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\clrjit.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\coreclr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\hostpolicy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\mscordaccore.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\mscordaccore_amd64_amd64_8.0.824.36612.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\mscordbi.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\mscorrc.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\msquic.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/mono/linker/issues/1731 | Microsoft.VisualBasic.Core.dll.0.dr | false | | unknown
https://github.com/mono/linker/issues/1981 | System.Data.Common.dll.0.dr | false | | unknown
https://github.com/mono/linker/pull/2125. | System.Linq.Expressions.dll.0.dr | false | | unknown
http://nsis.sf.net/NSIS_Error | Photoshop_x64_en-us.exe | false | URL Reputation: safe | unknown
https://aka.ms/dotnet-warnings/ | System.Security.Cryptography.dll.0.dr, Microsoft.VisualBasic.Core.dll.0.dr, System.Net.WebClient.dll.0.dr, System.Net.Primitives.dll.0.dr, System.Runtime.Serialization.Formatters.dll.0.dr, System.Data.Common.dll.0.dr, System.Linq.Expressions.dll.0.dr, System.Net.Http.dll.0.dr, System.Formats.Asn1.dll.0.dr, System.Collections.Specialized.dll.0.dr | false | | unknown
https://github.com/mono/linker/issues/1416. | Microsoft.CSharp.dll.0.dr | false | | unknown
https://github.com/mono/linker/issues/1906. | Microsoft.CSharp.dll.0.dr | false | | unknown
https://aka.ms/serializationformat-binary-obsolete | System.Reflection.Metadata.dll.0.dr, System.Data.Common.dll.0.dr | false | | unknown
https://aka.ms/binaryformatter | System.Runtime.Serialization.Formatters.dll.0.dr | false | | unknown
https://github.com/dotnet/linker/issues/2715. | System.Text.RegularExpressions.dll.0.dr | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | Photoshop_x64_en-us.exe | false | URL Reputation: safe | unknown
https://github.com/mono/linker/issues/1187 | System.Data.Common.dll.0.dr | false | | unknown
https://github.com/dotnet/runtime | System.Threading.Tasks.Parallel.dll.0.dr, System.Text.Encodings.Web.dll.0.dr, System.Runtime.InteropServices.dll.0.dr, System.Diagnostics.DiagnosticSource.dll.0.dr, System.Net.WebSockets.dll.0.dr, Microsoft.Win32.Registry.dll.0.dr, Microsoft.CSharp.dll.0.dr, System.Private.Uri.dll.0.dr, System.Security.AccessControl.dll.0.dr, System.Net.WebSockets.Client.dll.0.dr, System.Net.Requests.dll.0.dr, System.Net.Sockets.dll.0.dr, System.Diagnostics.TraceSource.dll.0.dr, System.Net.Mail.dll.0.dr, System.Reflection.Metadata.dll.0.dr, System.Private.Xml.Linq.dll.0.dr, System.Collections.Immutable.dll.0.dr, System.Linq.Parallel.dll.0.dr, System.Text.Json.dll.0.dr, System.Net.NetworkInformation.dll.0.dr, System.Text.Encoding.CodePages.dll.0.dr | false | | unknown
https://github.com/mono/linker/issues/378 | Microsoft.VisualBasic.Core.dll.0.dr | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532243
Start date and time: 2024-10-12 22:37:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Photoshop_x64_en-us.exe
Detection: CLEAN
Classification: clean4.winEXE@1/74@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 31
  • Number of non-executed functions: 27
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: Photoshop_x64_en-us.exe
No simulations
No context
No context
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Release_1.7.5.2\host\fxr\8.0.8\hostfxr.dll | EtEskr.exe | Get hash | malicious | Babadeda | Browse |
 | EtEskr.exe | Get hash | malicious | Babadeda | Browse |
 | EtEskr.exe | Get hash | malicious | Babadeda | Browse |
C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll | EtEskr.exe | Get hash | malicious | Babadeda | Browse |
 | EtEskr.exe | Get hash | malicious | Babadeda | Browse |
 | EtEskr.exe | Get hash | malicious | Babadeda | Browse |
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:Unicode text, UTF-8 text, with very long lines (514), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):9519
                                      Entropy (8bit):4.902271147017698
                                      Encrypted:false
                                      SSDEEP:192:ydP0KvBLCqikR/EgGJLrlwD+eilNi5Py1SDeoDXDw9lF5OMz6Q:PWBuqikR/EDJLriwlNi5KI1Tw9lF5OjQ
                                      MD5:31C5A77B3C57C8C2E82B9541B00BCD5A
                                      SHA1:153D4BC14E3A2C1485006F1752E797CA8684D06D
                                      SHA-256:7F6839A61CE892B79C6549E2DC5A81FDBD240A0B260F8881216B45B7FDA8B45D
                                      SHA-512:AD33E3C0C3B060AD44C5B1B712C991B2D7042F6A60DC691C014D977C922A7E3A783BA9BADE1A34DE853C271FDE1FB75BC2C47869ACD863A40BE3A6C6D754C0A6
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:MICROSOFT SOFTWARE LICENSE TERMS..MICROSOFT .NET LIBRARY ..These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft.. * updates,.. * supplements,.. * Internet-based services, and.. * support services..for this software, unless other terms accompany those items. If so, those terms apply...BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE...IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW...1. INSTALLATION AND USE RIGHTS. .. a. Installation and Use. You may install and use any number of copies of the software to design, develop and test your programs... b. Third Party Programs. The software may include third party programs that Microsoft, not the third party, licenses to you under this
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):350472
                                      Entropy (8bit):6.298019612811869
                                      Encrypted:false
                                      SSDEEP:6144:s3oCq7D6qYvWzxP5tsWaag28fxfIUmtd3+:9+1Wzbtsftvmdu
                                      MD5:D078EA59CAE2F77F8794A632DD0809BC
                                      SHA1:843A780E62B4F2C85E17DE2E87B2C3CF233D9571
                                      SHA-256:F451A4839BD27A10FD03E751C843F2389E71E76A2F7BF418A650A53844D21D1F
                                      SHA-512:A9B9B223286170CADCFCA8F2E125791B817301B6464F0EC839990696D743986634563E2CE8080D540CDACC0FD725C0FA17C40CF6668A8A59FFC2DF17FBEDC7B9
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: EtEskr.exe, Detection: malicious, Browse
                                      • Filename: EtEskr.exe, Detection: malicious, Browse
                                      • Filename: EtEskr.exe, Detection: malicious, Browse
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1005832
                                      Entropy (8bit):6.717630206703801
                                      Encrypted:false
                                      SSDEEP:24576:Wuz94uYWl+9whtbSp1HVu9yH+sChDUD3IX+:v54uZ++tbQHVu9yHugrH
                                      MD5:AC45B05C090E28DDE2BDD3E6D460330F
                                      SHA1:54A64B5C41A365E4F03974E620D9227582E0B6B1
                                      SHA-256:FBA4224E5DEABCCD781BD7E0371C16A9765F7BE0EA165F8BB499F5D62F4531BF
                                      SHA-512:6DCDB591E85C9F2C241ED2BCFAFA214B7F1B75E6D681BB40F76CC3B121FCE41CE9455FA3C44D455A4E4F2FF4BA4F159F0DE51C0EA74FFC73837B342794AB7389
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: EtEskr.exe, Detection: malicious, Browse
                                      • Filename: EtEskr.exe, Detection: malicious, Browse
                                      • Filename: EtEskr.exe, Detection: malicious, Browse
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):2309152
                                      Entropy (8bit):6.414576855139372
                                      Encrypted:false
                                      SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                      MD5:A71CD05C01F0FC603C0BD782516F806D
                                      SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                      SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                      SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1247520
                                      Entropy (8bit):6.749192841590639
                                      Encrypted:false
                                      SSDEEP:24576:NsvtzOPj/l89Sk2f+/eOUCxRepC36Rk3i+XFqUn:NsvtzOP7ymf+/TZd3ie
                                      MD5:5A0F40B6899F9BD7E43A5425DA58DE25
                                      SHA1:BDFF3CBF31FA86709309D92667C285F9F2C6D40B
                                      SHA-256:EEA806D40BE4C2FB909072DF32DE259EC476E9A7CC749C37447994FFC340F1AD
                                      SHA-512:F99971B7C6B3F3A02F99FD40DA655326D6BCF1060FFB2E5E49A6BDA6E09C05557B15F0951C1560E1ACDB4B2CDF0B63ECEF45E6745C1D562AE286AA3D53529850
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):120992
                                      Entropy (8bit):6.141095686333107
                                      Encrypted:false
                                      SSDEEP:3072:HY1NwrxWkbGKzcNqJSvEVcULVii1i81SFUt:Dl6KYqJSvEVz7/iO
                                      MD5:4FD4616455D07E7252B50B565A2E75C5
                                      SHA1:CD6DB5A8DCA0D94AA5E48717E32F3EC3E1B17998
                                      SHA-256:853DA3E1E5BA29DECFC91A39FA1B70955BDC63E18F034AE119635DF53704E9D9
                                      SHA-512:1E37902F3B4AFCC08ACD7C8450E72DE11CA16D1D338B8E076BF4940BDE832866D410900ED6513B1D6BA67E7FCF579336998D7B2A2AC9483404B3FA2C6866EE2D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):276744
                                      Entropy (8bit):6.735103537020919
                                      Encrypted:false
                                      SSDEEP:6144:zH8+KHhcm1xa3ZvGFehyhyO28ibc8wXD6GK:zPChcm1xachD2PbVE+GK
                                      MD5:34E8718BED9FFCB954586F833672F548
                                      SHA1:EE3D827879373D2AE7708D90C6916EFDE84B98BD
                                      SHA-256:635D3192EBC262DCEAFB679C30D63A06375D686E9E9BAD9E43B1914B4ACE483E
                                      SHA-512:A406540C34C699BDC6EA69635047EA206E295CB1E6C2EF80EC9C0374B74F2FE4C3754B309ADB2BD173D8F4D6261DB6BE6570B518A7FD7D2CBBC4304921A38923
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):837896
                                      Entropy (8bit):6.723078162409922
                                      Encrypted:false
                                      SSDEEP:12288:crJR+uRoPwK6eN8/98vTU4dQEE3k0T9YLVgHr4lucvMgllgg9n:w+uM8abw+CMlFDll/n
                                      MD5:E8D86E48D55490F58ACC8DDDCEF458CC
                                      SHA1:DCDB9C0D60B300467962E58602A82BBE6EC77AAC
                                      SHA-256:FC48AA677A344F912C1A9160115DAFD396B4F69EEDD27F4B53B14C2B512E92D2
                                      SHA-512:18F993F4C7899856AA0C6AD200863D2444FDFA4745ED4CB961AA38DB9F7E6DCB5576665CC1D487A9D1EA7C3B526A95710734AA65049410CBC2E58FD7C3DEFD15
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):104712
                                      Entropy (8bit):5.9531643262406995
                                      Encrypted:false
                                      SSDEEP:1536:4QoktJ1UcLZmsYAZwmkXjhXVrMZREnZWzUdhiszMO:4jk9vZ7I1GZKZPHoO
                                      MD5:7DFE9C0A526E8BE845FDF94C77A40215
                                      SHA1:C3C84D477A91F553167C88D7DC77EC77723138B4
                                      SHA-256:4F96E191302A84C970545AADB2FC53FA9B5455B1DE54187A5373E0E3B5C90991
                                      SHA-512:61971E48894E92832ED76967B06E0D8AB57B8748096159852BF2F6AD8C74F8B6DC759EC3FA868AE91F1F08D4F9ECB15CC3A8DF697452DD17972A96715B0C73A3
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):104608
                                      Entropy (8bit):6.019621325219264
                                      Encrypted:false
                                      SSDEEP:1536:Nx/tht+6AWhqlJH5MC+W06201CTBUsqEiONocgw50ad01IODi0zmG:Nx/Q6AqiT+WFPaiONocgwaaOhDzl
                                      MD5:7B967ABA7A1321AF17A04576DE32CC50
                                      SHA1:DC2F05B710D21733BEFB5066FA99BFB3AE1B7C4F
                                      SHA-256:C3D7055A0C71A9E8641C7883DBBDFFEBDBB27D2350DE43BA925D947662533DAF
                                      SHA-512:4B8ABBE1101EA2CB7B257198E2DCB353CCA151C4BEBD4697A128FFD69D27E1DE64FE19FCBDC79636414B01B15B7848E2C16E6B9BDE24688D1794A7334AEAA9A4
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):260272
                                      Entropy (8bit):6.618737529882049
                                      Encrypted:false
                                      SSDEEP:6144:nXiJoXLKgtvcp1M5eRWAbQW0ryS1woXh3m3x:XYCKgtEzweMiD0rGqJmB
                                      MD5:C755E2D819F1462687BA99F28D7FB638
                                      SHA1:1758E9E47D46C3B1D4F71520D09F3FA80E40C9D6
                                      SHA-256:7EE67CDC969F5BD5BA1A4E99A17ED8A67C2DD835537A982CB41A7EBE3AD025FE
                                      SHA-512:060610E7C30AB2625C85315E0AC105E08888BD2B37A9ABCFA33566565C632E7397FC5DB5EDF03054FECA2B2F46CB73F54E2CDB258CCD470D1947A27BC7DE997D
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):203024
                                      Entropy (8bit):6.207298456243025
                                      Encrypted:false
                                      SSDEEP:3072:ADzcvTHdJdCe4dCLLe+Yfn3gwmMWQArD5/oE5bF65eUV/uuTG:AQT9WDvgwzWQArHUV/uui
                                      MD5:2B2EBCE91DD24647BA64032AFF474EEA
                                      SHA1:633B37C3F8ED3E2E036A6301E3A99AE2382F9BE6
                                      SHA-256:CE51C0A016E0D830BB2325B917DE3B959E42DF82C47A681287C97F0C27846AF4
                                      SHA-512:9718A8E686CA2F7E27DB887AB94E0C5578CDA23170C27E97BEA1D0F95A30F29A4D742BDBC791C1E2F91D9AD5D2BE383701DBBA3D0AD054DA06D30863CD5DA1F4
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):743696
                                      Entropy (8bit):6.6621018055827355
                                      Encrypted:false
                                      SSDEEP:12288:EwTQLZPFIwJ04TS1jMoubC+hfzF89TwM/BiXtDaCPzFPaOL8j0ecA:TTQd9IwJ0B1jMoubC+hbO9TwM/BiwCPE
                                      MD5:E10561CCC3B6C7D0AC9705A411803DEA
                                      SHA1:558A8054F0ED9F680DD20561FD9811F3C818B716
                                      SHA-256:E5D98E1ABE75C19B49952C9D5D4E28B54D336A73B9C14773FB4E7197BAE00E3A
                                      SHA-512:77C60173B7037A9E3AC714AAF5778281BDC4AFCA9166314051D4784E53000AA33FAE46E90B4DD56701AC8C28558C252E0C04564CB5C8704F09BC6D3F3A732041
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):174240
                                      Entropy (8bit):6.276884758080206
                                      Encrypted:false
                                      SSDEEP:3072:ioeEmXYzdfd6+Vfz5mDVVdwF6xARZvcKZzxuR1BB1GwRV:Ve1X4fd6qwVdC6x2ZvcK14B73
                                      MD5:60BE3B0FE0CE54306E547728C541616F
                                      SHA1:505519153734F9B58FB37DC4E86740FF7D057896
                                      SHA-256:577D62369B948EC8DAC8D01403987007EDEF6409A8FAE7DF733FBBC068086A75
                                      SHA-512:AB770C4882396808EA49D216367853D0041A63F20CEE3F6BB64A06417D7A5AF07FC1C19BB60948B04D411D0B27B45B1B3C5C316F1D06E623A34B54E79512D055
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2861216
                                      Entropy (8bit):6.795350514221502
                                      Encrypted:false
                                      SSDEEP:49152:/LlMm2mf+ncGZUm3k+mywJOHPxIyiNMZ62YGkO3egTxiZsc5hBhB0X1v:DOOQZYyZ62YGkO3egTxiZs209
                                      MD5:D9A6328A389DAD8E4A5C9BF9EFD8FA77
                                      SHA1:05C93E421CFA10B7504E867E8EDEB3E68C4EBE8D
                                      SHA-256:1BB6848E76A1AC2966515EE04B80FFF63A1566CC086F267B184040E9F681E808
                                      SHA-512:052CF47E55E025A03E7E0B92FFE49B8131BF7E7A0E46A4244598077601AD01B72D4060A393E8214CC4045435D930F9516B740D0DB666FF1207D7D0E7BCCC50A6
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):415904
                                      Entropy (8bit):6.6490929239322965
                                      Encrypted:false
                                      SSDEEP:6144:zsUTEcoc/FGzasNt2l4ru2jKw6xtQ7/tvjETqeZ03EdoUj4MKD/6:oUTf/FGGsNtM4q2jStgjH+4Me/6
                                      MD5:19296608F2A3075C08B531122BC525BC
                                      SHA1:1F07C37BAEE61A8C4C7590F35B36721758F08D9A
                                      SHA-256:9A8F55961A23B981F489AE6F7FBC7B5919A60CC181CAAD9B9C248D3E3E542D43
                                      SHA-512:2F4BDE70E85ED6320CE94C5D64DB5247A052992648042785CCCA0A73E186825F98CAC9EB4EA9B126F2DC0A773053F763CC6539D12BC30209AEB65DB6527E7221
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):338080
                                      Entropy (8bit):6.5467859190265045
                                      Encrypted:false
                                      SSDEEP:6144:KXlZtqaP75HL9eEIdkh+T9jb3b41PlmF6YZTdiX2JWb:KXlZtqweDdmMy8Wb
                                      MD5:A19AEDFEB37A15AFCCE8BCC5D4D78EC3
                                      SHA1:E0805A04BC3F3B6AF99DCB066A49940E64F2F2E7
                                      SHA-256:3468B4717F086423052FCBD305CD3151CC555EF0045B9269D43CCEDCA838E47A
                                      SHA-512:C2D939074F5EA4C28770556CEA5C5DCD2A173BC6D0A0BFBA43A7A29965DCB907B2390C1D0DAF74F07BDBBD572DAEB55A85FA15C87A81730AC84ED151526660EB
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):145680
                                      Entropy (8bit):6.213889260140082
                                      Encrypted:false
                                      SSDEEP:3072:HXvuCBgDTeY0dpwQn60x7cftbgZyeI7XT5DFEj3C:xBgOY6aQn60x7cftbgfalCjy
                                      MD5:B5B5534716E8115775DAE499811D0AA4
                                      SHA1:A34F5CB79DCA9F2821E276979A72BE3A093764CA
                                      SHA-256:0F2701EA7067203F84D6E8D3E5E6D45C00434B41175C3CF4F7ADD5B17D7F437A
                                      SHA-512:BDBBAD128B3464B3C80C777560BA53E3297145309F53778D12A9285D469B4D79216F9BE07096F8F884251BBFA91274944F4E6E2345FE92A274F526013F637E75
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):133392
                                      Entropy (8bit):6.080206645595261
                                      Encrypted:false
                                      SSDEEP:3072:LQz5724yeP4Sy2vmH00N6no5WkCIJJoRc0onc:y57O6mpMSoZB
                                      MD5:4E55F8E2CD309634892AC4E34D78D1C7
                                      SHA1:B96BF1860E415BDB99BCD94AF0973F31D0CCAD7A
                                      SHA-256:E8A06462CDFB428C9ACFC5ACA4BB97AB6D2C715E8029A6CD8FD5760F831A3D92
                                      SHA-512:C4F154AFA33991A3F2494F92AE0A0F2866A21C55DBC86DFD789DB143A72C241589553E433B8C86B8EBC2FDA8A756E20AE4BD59FE368200A5F094C29208DC81F9
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):243872
                                      Entropy (8bit):6.50591783119501
                                      Encrypted:false
                                      SSDEEP:3072:mfSRUsXJHsqVpPq+Pu1Nr7tXAjsEpN0Qif+j7kgiuG4krZAuZAt0/+JvyQ4UjIPl:27s5Hsq7Pq+67qjhp+QifuvtzJ4TwM
                                      MD5:2AB51F750E3B9C69CC2EBC9ABE2EF369
                                      SHA1:3D19ABE16F55A9366780C2056210B87E9A78838D
                                      SHA-256:D563C1EAF08DFDA8FD1860BF00FCAB903C85C91A299379D6EF73C3AECA2B7A9A
                                      SHA-512:13633EDFE2C14117BB77AC7D94D3A2E27C19660F73A8E751F9D73B75C6AACD066954E7EBCD7B11F39A627EA9FD2F2B3455FF90947156AAA1DC664D5387699947
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):272544
                                      Entropy (8bit):6.50562073982023
                                      Encrypted:false
                                      SSDEEP:3072:9q6gkJLdnAwEqvTlz1aYqsOMBFK0rkir51KYb8FK3MEIS3PQnZg28aq/xv642ucw:0dkJLN5EqvpzTC01anZ0/H2NfFgzFIS
                                      MD5:3D7131BF95378643004211E17DF764AC
                                      SHA1:5A4C0F7C5AE61FED16345B693E5CEFE2C3CB728C
                                      SHA-256:B649BBE057F0C5B5EEFEF65087AFB3EA54EE2DBDE1BB03C532A0D894E783C031
                                      SHA-512:1C730C3BD483223D0B8E622EE649C838F0DA6F97E25F5050F9A629A1B0271A8B8E10741D101A5A0645D7C4166E2FD7F53982506EBF10A4A17F7EC65A6394317C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):264472
                                      Entropy (8bit):6.565006382155934
                                      Encrypted:false
                                      SSDEEP:6144:B14BmTBMCV3tgcWf/e9wYxn1Wc/od4pFFm4n2C:/GCV3CfqpFFgC
                                      MD5:DB981290B935938AA7FCD85B332E370F
                                      SHA1:21E754B0DBBC323F6444D38E551AD4237C1E3CF5
                                      SHA-256:D57CFCF89FDFAFC8B5F86B7DA586B72AFF6B1997AE7896A17323993BF1741389
                                      SHA-512:45EE7D549EAC2990B17F15AA326DF1CAC57825C5E5EA2E1F854C9EED352FA03102687FD8FAC041F2CBCCAC4CD690EBF609B7AC4EEF5F97859079974BEA20DF02
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):104608
                                      Entropy (8bit):6.03720418323957
                                      Encrypted:false
                                      SSDEEP:1536:eE8AlMvSLSjaab0PihEzfQHl9I+CAvpYhLKPyf9DKiVzm4G:eEjGKWKAuf+af9DKCy
                                      MD5:3760E66ADE87F95A0AF203D73335570E
                                      SHA1:81D2896860642BFD22384D01F3EAAC123BA8E8BC
                                      SHA-256:3F9B710E88C21089D7D7ED538B4612527A2BC5C160A41C148B872A8C84FBA756
                                      SHA-512:79AE5F2801E2498EF13C756F4CA3162F612146D5875081D85EB94EAAE15339F3D20E208E2803DEFD42C6917ED7E7F3B1606D7EAD04035007BA77FA9068BFE405
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):166048
                                      Entropy (8bit):6.346422693533479
                                      Encrypted:false
                                      SSDEEP:3072:oqlaVz+We9hgsXZyPTA8pLtx1k82pq1L8p9X8f/F:tAVzeosXZf8pL0p9X8fd
                                      MD5:E6115534751BE304966019E057F40DE2
                                      SHA1:671416A123E8ED8243A0F352520CDB25D999AB17
                                      SHA-256:7C2A4EAD45C9BACD5AE24BDF7C1D2481F1A06F75088E7F884974AA0257E798FA
                                      SHA-512:B8834D7F4CA23F4954C0D2FF351215FD522F53055A9751EE4CEA5F965B169A29EADCA7E9376A0F24B2AAB0A72D8C5286032AA42C4958A98B0FBADB776523A341
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3676336
                                      Entropy (8bit):6.684594575848001
                                      Encrypted:false
                                      SSDEEP:49152:h6S6FKfOBPKD5EUsp4Zq2daW7L2+K06Fs4sZ39SuMsFIW/pR:HOBiOmbp8uMsFIW/pR
                                      MD5:C3C16C39F19ED16A1AB42EF8DE7AE641
                                      SHA1:F072B19500679A70D1D6DD113B55921C6F963CBA
                                      SHA-256:10E4BC750F17578252293AAF7192E24E72A330D3EDC0146BE9245E9586CAC19D
                                      SHA-512:89307D4FDCF1DE91C6A0DD8C0807E56863856B803322C33AA845D90C0EEB6988F97ED70CA2754601FB61A739C0C364F2D8ADC7A28869F4921D6D5CF358FB0D2C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):805152
                                      Entropy (8bit):6.7416805748123725
                                      Encrypted:false
                                      SSDEEP:12288:nbwydNnBKT9DzuU4/sKE5QmSfc+1yQgdY5wDG00eK0CszcyYl:nbzpKT9PuO5QmaryQgdYai0ZK03k
                                      MD5:19464109760AF17AE6CD8DBA5D222722
                                      SHA1:9DA4FA8D3C740182134C3D2B2977DCF0E0FAB669
                                      SHA-256:A4E353C60F26EAC3140F493C270320302BFB2E5FFCC1D4131682EA3E4C02D244
                                      SHA-512:47397137669BAB558BBFDB42B9AABC24A6301F8671253B0BC4632A975AD4AA0BAB87C9472AB4553A526132634CCD93A88BC09C4B8353E7FAB14DE0E2F498B7AD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):174352
                                      Entropy (8bit):6.296291995805638
                                      Encrypted:false
                                      SSDEEP:3072:i3adgejQmgA0o3eXZI6e07fww49JKotL3aZv0Tl:EadgQuA0/pI6eufww49F3aJ0J
                                      MD5:B58CC7032740F5EEC429E8414737B9EC
                                      SHA1:A18595EAD4A4F6ACE6F03B94248ED8E1BC1E599C
                                      SHA-256:59656C67991255D19B868DC1F48D1AD10BC8D8B6C667F792C2C9AFFBF69E47EF
                                      SHA-512:4382B3227139F6D15CBC4E2E25D4DB33B591FCC56E28E4B02D1FFD91F485CE908F0FCA236ED214B974483D856B92F348C48A06A7C1036CCB716DD20E7E69DCCD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):542880
                                      Entropy (8bit):6.739097833229294
                                      Encrypted:false
                                      SSDEEP:6144:fFcC4bb3czSgsrusOv38qA0s4WfufbFHJMb3xqHYYzLhMxjCUoTclQ:K7b38crusO/yEvuhsSWmQ
                                      MD5:DDF4958F47A5D0A7ED06832880DA1BFE
                                      SHA1:40FA6F2D97DE7504770B37153F4EEBF79A069535
                                      SHA-256:BDCF09BBA6A4DE7D73FEAA0DBA8802BE86738B3DE4E3E8D0EC79E2809F0F7E17
                                      SHA-512:1D54CA464CFD1ADB8B78C1226954F2C4FB66EC3CB51980BDE613A25A18A938BB536C7C6695CAF139EAE1F8A15AAB33B53B0BF9D1DC9BFDA948007BD6DE3EC0F2
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):157960
                                      Entropy (8bit):6.47315446775413
                                      Encrypted:false
                                      SSDEEP:3072:Vm98N/j+0sbFbqX63vwZuIBo7M5F896ToYdBCBuqmwLhtTihdUmXD:88Cb6oIBo7q2GBCBuwhzmT
                                      MD5:11C346045E8C17C82C66B33E1E200DD8
                                      SHA1:64E08782D5CA2ACB2AC2C88B2D8F0323F43E3295
                                      SHA-256:344C7A232249C2ACE65D2CC03D62C356FE3F56AD46A0CC4603A36EC7D0F5587F
                                      SHA-512:294F1F8DEF433238DE0E98754BD44BF0614490D8A1086759924F548B91E219E223380601F16B987B27C9D0D67FE80393827A30580CFA096C49F5B2834E73FB88
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):129184
                                      Entropy (8bit):6.196981583264401
                                      Encrypted:false
                                      SSDEEP:3072:4YBSzjfI+HAOaaRH8/OhcRRY4beMDSZkXs3pMGudO:ifIcJxRHMOhO+Zkcyz0
                                      MD5:AD794A89E1FB0BFD63D31E0BA44A9690
                                      SHA1:38636C92963BADC5F01B4A3AFCCEA17BE099C4DD
                                      SHA-256:7CE9E667B76C9F647E7124755BF25F56115C5CEB3A68DBDFB0254CE16AECF19E
                                      SHA-512:5D48755E0C03D7554E5924DAFF35C1505987664E5C5BAC4F4CFB3B2DF7AC74AE214DC6B1D7D778FF04579360EAC86111A56467A0B4C86552669B109145972679
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1730848
                                      Entropy (8bit):6.692369218509377
                                      Encrypted:false
                                      SSDEEP:24576:mycmIjdj8GrJnZLDflJjD2TRSKIP616WF1IMx:amIjdjFrJnZLDfz/aSs
                                      MD5:564C9A5BBE41D6CAACB1FA1993CC8AAC
                                      SHA1:34079090BC4D48F0351673BE7B255C52FA5B6369
                                      SHA-256:B760CCED33549528F6E101C491A0CAC4064F644EF3E829AE127FD3F09A33FBFF
                                      SHA-512:1A5D4F000EAB595E7DCA508C94EEAD23AD83C9856C57B9CB18DAF43D5B795FFE4C093A063B99142D2961AAAD33987BCC7DBEA5EC901DFFFF10C57A90D7A685B6
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):551184
                                      Entropy (8bit):6.571055787933049
                                      Encrypted:false
                                      SSDEEP:6144:KmIFBDqpp+4F/B7VRZ3KYNB0hZJ6c7fkDNRd2B/eBl3EWZg0gG/qikXOG4drks:veip+4F/BJNuZJZx++WZgoQOzrks
                                      MD5:57905BE512F822BCF59258FBF2448DF8
                                      SHA1:27828B211218F240CE1ED73997BFC7B0A04527D8
                                      SHA-256:CDAD57CC4B992A6BBE2BB79BACD6DD28D248694BF089731BB474BEC682CA77C6
                                      SHA-512:9B2044A712E59FE7F6BDAD8420FD21451E5679D7AECD7B4479341C7AA27ADA290967CB32F898A899BF6E344A88F1FB7285EB214A98792C760BD374EBCBDE02B5
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):432416
                                      Entropy (8bit):6.566108898209545
                                      Encrypted:false
                                      SSDEEP:6144:K+cqnJGnQkW6a+Sdjoe9k7u0GeFowoR5axLmqRSxnJ8kks1GL0q3+lL4A:l6aFP9f0NokSxOL0AEX
                                      MD5:29A059AB9999BD953C0AEC0B2C78E9A1
                                      SHA1:C41DB5BB3EF1CB499898698E3A87B83925F9BC36
                                      SHA-256:E1743ACD71086BB1AA689AACCC9485AEC04B2A7C2C15586ECDD5685AD881B7A5
                                      SHA-512:5431C58174273A5795D40DF4AA988D6049E0402F04379E84B80A9E02AE819A73BD5FBFF17109EFF0C341171A56BC28807D8B3B55DA03E7304552993DB89EA220
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):112800
                                      Entropy (8bit):6.132923222586611
                                      Encrypted:false
                                      SSDEEP:1536:NUgJ8nlSAIFIpp8oXAcRKdRObZDFduWF8XwYJiAzk:Nx8nMAc2p8qRgAVDVF8Acjg
                                      MD5:397EB70F9DE2A7676B5DA94FF7CF11BF
                                      SHA1:88424878A779059002622F22315C1E0050FF4251
                                      SHA-256:E2A5AB5B077CBE3B7CDB0622EAE9363E8D9C591DDAB2CE87FCE6777A510767A6
                                      SHA-512:0E4836D6AB91BDACBB49EF71290256A7DCF4CBCA23B9C329C2E05CF00966BF0FABE9748092A579843BC211D4612D94CF8BB655207A3D40C46D11DCC663BFE544
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):157856
                                      Entropy (8bit):6.292306263911845
                                      Encrypted:false
                                      SSDEEP:3072:O1TeXCmzdST4L7rGE5RtqbqeQGwpncU/SLVXyVMnA9kmeBgo:WGCwdu4SsRQbIfqZm0H
                                      MD5:3874C63BA167BA4D4B815BAD86016CF4
                                      SHA1:72AB7DE57994DBAD6133FA9DDA1F2943E9F3122E
                                      SHA-256:9F9CF0B569F370DF63BE323844009718090B6D4FD4E21EC8D4DD6B6CC2FFE8CF
                                      SHA-512:17DC16864394CB6F0D52724606EBA24735A86DD62719264635265CED7DB0C36333FF0A3328222B6638DA16DD23FA6159E5F9B5EBA4499F62BABB1524587EEF2B
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):96432
                                      Entropy (8bit):6.098459980747934
                                      Encrypted:false
                                      SSDEEP:1536:Y6cypC971fwwSZy9hswibRSsYwlFb7R/gJR7SSNNJkZphyNVdWvmVzS:YUC971fZgy9hswZsYcN76JR7SAfuphyI
                                      MD5:E039ACA6E9900CEADCFBDBCF094D3A14
                                      SHA1:E38CEE576F881D512D4217629AB09B795FB520E9
                                      SHA-256:FAFDAAF0437E2C10B8343E5B1B2C744977B88CAB7585FD27DCC12071B27F46F5
                                      SHA-512:02D4550D30E3B9FBBE73243BCE8161E9117BBE67610117F11158A2B02DED148BE3A88C99CD6F60BD4DACB704F87E137E488F07CCA48BAD622CEB8F74D418F011
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):231696
                                      Entropy (8bit):6.473831853357629
                                      Encrypted:false
                                      SSDEEP:3072:LaO7AQhsFgOZrgy5HSchuzeQ4X1VjK6uJQ+Y6MFot9R9loV2O1w6D/:77AQhsFgOZrBccgeQxRJNtngV2YTL
                                      MD5:5C34FE0079268AE7F3F22811FE9495FB
                                      SHA1:DE25943AE52E36BC6DD686790A7F56D5AA5C7591
                                      SHA-256:D609294406B894BC0F60D10FB62AD7A819E3BCBA3691A1825E4250364E23A7F1
                                      SHA-512:46A330540F64EAA5A7BC8D097DADFAFB5D054282F44FC2FB57F59494E5A1E6136C98DD8B6D08DFAABCB29B8121112405A86946C27F854151B443E18968F531AD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):280840
                                      Entropy (8bit):6.504374684121034
                                      Encrypted:false
                                      SSDEEP:6144:6T5mQ9WRSfuurvHljMR4WGTSttIqq+xM8cSA7ljZZ2uy:W5/9WRSfuMHljCxMkA7lNZ2uy
                                      MD5:D351D8F0647E32577C3F03481B85A225
                                      SHA1:611C0862E644752153C74E81E6603EC0711F7BF8
                                      SHA-256:32409E5B1F753B13850D2C88CCBA73CB9CC4678D41F11A6B30C020AF3B787054
                                      SHA-512:A4AA5C66899B9E7FAF6B30E84826AF4F2CAC4C8A0EEED0B4292B30642FAC53AD20C42E401D9448195B78AC88A2D2F8F0D5AF28A9484E6B0D85570C15C7EA296F
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):346272
                                      Entropy (8bit):6.521387641131273
                                      Encrypted:false
                                      SSDEEP:6144:+f/JWsKEin0hypPmFjQMt5e15XxGGIDvdDp3k+fc3CU1S2Du:6JW7EincF9QEe0THQCU1HDu
                                      MD5:44E2EFFD739146A1EDE87973AE254B2A
                                      SHA1:E342395ED09EF148F5848EDD1D79C3DC201A9738
                                      SHA-256:3FA27A91DAA93BD98F0EC6943DCB08531D799327B3E08E87EBC1BC9FCADF1CB8
                                      SHA-512:13507AD994D29D7DB8DBCF460819DBC2D7343FF9001426167361688DEFD3191051D233D71FCDAC51E0C16AE44CFAC5BB5A2F2A42D8389C32A51A533647977911
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):669856
                                      Entropy (8bit):6.738177589721567
                                      Encrypted:false
                                      SSDEEP:12288:WauvNG3LGljZ0W5Yk0ZdmNtAj0mhIPLboapg1i6k90QdsAYcNCYq:WagNGbG2vBx093n6MVS7cZq
                                      MD5:621801207C70925E83F806DBD9954A4F
                                      SHA1:AC257BE3308F039A09E0439C4111F7FAFAED12DC
                                      SHA-256:4B1C1C6254C0F73E5CC110F3BB3E342D11EFF16ECA5F0F678E5158E896DC67BC
                                      SHA-512:82C842AB166058DAAA31CCED435D29BC996ECE3E7295C0F934541AB1B1969F2A9221612573BB3CD85412A98AE1780A9A2C5E38F3E34E2385300F5EA56D622F74
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):547088
                                      Entropy (8bit):6.626088648642838
                                      Encrypted:false
                                      SSDEEP:12288:BZmV75OO7txaGNUL2Sdr5Nzv0SAu9FWc1sPHE/0NY05:BZm95FtxaGDSzxAu9IpEsN5
                                      MD5:FFC0A29CFB99461BBD61BAB8A455BED6
                                      SHA1:75577F5B1ADC70877BC39830968B605CC175A8C4
                                      SHA-256:91CD06310E6DA6966A37C073F4FA4FEBB896BD09EE8658F308EB1709B335EB07
                                      SHA-512:3BF93B46BE1626636BFE133E2899218649C17F05AC1294B7940A2BBEDF01161E597D0DDE047A1672B6712444F8C5807BA8157B6A2EF50E4A25F3C46501100E3A
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):170144
                                      Entropy (8bit):6.427166919417408
                                      Encrypted:false
                                      SSDEEP:3072:Hza6IfDI6Q8nqNIJ55jypCTpAY3ykJ9rialFpR/fTu:T9t6vn8IJySpxFHfi
                                      MD5:53AB5080DEEE5C08F664C6329DB1CF45
                                      SHA1:F800510D0212425220BC0DFBAADC9FBD979DDFB6
                                      SHA-256:EBB450E89DE674B20C93E0108123FF1C1D2F217CF9CDF2E51609A84E76708687
                                      SHA-512:DC321BB7693ECF188C148DF5ABE942F2DD6D2FCA6F681876BC9C066A1356C7E3562846E5E1D91B759AFAC9F1872D9516FCE81270E1AEEA4FFD608899A4EF9772
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):100632
                                      Entropy (8bit):6.038277233896664
                                      Encrypted:false
                                      SSDEEP:1536:Xl4Xlu9IUefYv9AfOWog+qBWO7bBjLLEORWNzrT:Xl4XlDl89Bg+uV7bBjLLEOR2fT
                                      MD5:4F6F32BEE2BC12E8C6087488D856AF5D
                                      SHA1:AFE5F7581CB31B6934F31C9410AF4D08EE5934A2
                                      SHA-256:8971C704C33BAFE87445FD4B8E5417E2824F8F878052B11BED2AD02F7DE31DA0
                                      SHA-512:EC0416BF1B814CA94A6FAAD2B97A605BA01BBE4D62697088C665908A6EFCABFA9834E4A7C45FD4BD5DA34E59616E49607D11C9F8335946B30DB01E76AB2EA0D3
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):190752
                                      Entropy (8bit):6.3691331105031095
                                      Encrypted:false
                                      SSDEEP:3072:tOEp0tsypJKO0BYnjbpL8DqJVyR3IUQeu0IeW+1omEAa9NYLbkbmvh0dksI8mt/R:fpKsnRnYQzIeW+1odmvhSR7mtxrX
                                      MD5:3C9FDD9789791E468453B420FA39CEC5
                                      SHA1:92386B6677D421CD2EFEC73F67D66975A41017E7
                                      SHA-256:7CD51A14E2E1D4231FA85440AFB3047B65AB4F397BFF37C91F50ED20DEF9A800
                                      SHA-512:B74F822E016E468C15B70274797944F8444A38BE9E68F6B83BA42B30A02FCA892E3EEC0E4E177AD267DBE90DF0D8FEB1B999EB2A866489E0B2B659E6282BF1F0
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):260376
                                      Entropy (8bit):6.615511865069277
                                      Encrypted:false
                                      SSDEEP:6144:wfAevHZGInBPKCeDc6CK9MG3bMeVmtG0FsGu6Myw0M:XyIDc6MG3wamtG0fuVMM
                                      MD5:22647404E842F5177DEC97B960B98501
                                      SHA1:5E5DECC395401901278F2B4727ED6539CE28A51C
                                      SHA-256:F289BC9873AE0BD99DB74E00F480C931CA94F3785251132C04699AB01893604B
                                      SHA-512:3EF4F8141B680EF0922C24284E7B5D5F7B006C0E718E69D6E2F0446B58B271099FE599398C1814C8698B8460A5A6062BAFAA12D2F7FFED5123A86DCA46BDB340
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):403616
                                      Entropy (8bit):6.600068240160654
                                      Encrypted:false
                                      SSDEEP:6144:QxxBCAdWeda9F5g7yB4cPIm1OwpXQgQbTCtYnzrZjzEOdlIZJ4aU:QDBZHU9F5Rv7/QnCSnz1fQZyaU
                                      MD5:CE7139BB6444A47C86FAF3780F4D561B
                                      SHA1:32538812CF09B179760E17148E95AD84581AD8AC
                                      SHA-256:A113BB3BD9E8C13B1EAF126C3EC614A08C3193A51F52C277B3BD5F4DC00D08FB
                                      SHA-512:F2F1CEA8ED59D7DF0BE03279FDAF2A1764D2E8C00C975BFB60C81BB838FCA0B210AE7BE2A6D1B2ABDAA2A8AB9799D2D5BD568F9A6F59DB95E37C736A9B55D092
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):7989512
                                      Entropy (8bit):6.799190907572347
                                      Encrypted:false
                                      SSDEEP:49152:xgKjbhmQzKo84xxpBR2ZPQ3DtqDTXNaVC8v4aYzqNmKG82o4AgcKVLDSvdEAzsfr:xlRDDnVul2QSvdEhYw2gfW5WUFH5chT
                                      MD5:1B47420D8AD2071CDED2C944E3F6C984
                                      SHA1:157CD6B1DC208BAFCCA11282FB3B6259D9D5DCED
                                      SHA-256:CFB4DBA4AC73773F5EAC02006F0FE7E6399CD67F5A12B4CE26C9F0F406A7EDED
                                      SHA-512:4ECE5BE567CAC3751FFFBA31FE00F73458E205F658A3C55AC42271D00E43CEDA2ACE6C0D59272B527B36A83EC1C340A1FB7EBD9B041FCF841BADB0B6B92FC80A
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):129184
                                      Entropy (8bit):6.114698747717757
                                      Encrypted:false
                                      SSDEEP:3072:6Z54JKiEAYbKatyLJSsVkrc00EBR7yxcuk:B/fSessuaRxhk
                                      MD5:2E6C7A183AD043850BFA731550D43F51
                                      SHA1:3F6818E1FD9564D38223367DBE03D257FA394D83
                                      SHA-256:88DFA993884C1277A3ADCBC55EF44B4A38C55EC4F0F8C7768862377BEAE76DBC
                                      SHA-512:C8D3013E7C9171ADE3C49782394CDCE172DEC85EAC96A84CFAE7C1936666EB4093D7A518CF955D30B3E1189C0C72319A6E58D85731F83020E59DDFEA5D44F743
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1116320
                                      Entropy (8bit):6.6439477896792
                                      Encrypted:false
                                      SSDEEP:12288:43e0ziO6AJ8+utVRA8WDlLeO9om5EoU/mSdWKURfeGWTbrWnoDzgVdkn:43e0BlJ8TRocOWmc/DamGWTbwIn
                                      MD5:496F077B5C7B487EBF3E6222A53783EB
                                      SHA1:EEADF861F1EC14A8FAC957ADC2191B252E609FCE
                                      SHA-256:F8DC3E1AFC09A8C21B5C4C7AFB17C520AFE0263CCE8366CF57471D1D203728ED
                                      SHA-512:DDD0BA22E2BC0F76DA573EA6CD4AEC89A0F3CC1D32223938C963850F2348D1C8086C508E06F4076F3820A1A2B35A47D0497C4CA5E211CAF5BAC18BBA4F53185B
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):96528
                                      Entropy (8bit):6.024769249295685
                                      Encrypted:false
                                      SSDEEP:1536:BOryyBJoyJyGXe5CtLey6+67NVpnSPM+l5+tkmVgKmH6iRnzDDn:BPyJO5CtiXdSPM+r6kmud6KnTn
                                      MD5:1BA98C8A3C7D903ABFF78D01E081D64C
                                      SHA1:15EF718B9F1EEC435C7AEE8A59B41562D88934A4
                                      SHA-256:69DE6AB16DFBA66224B37E4FCD5E62AFDF45F75C9F5C78BFD6CBFA09142390C8
                                      SHA-512:FB194521D9964012CBCA456505A9858B49F36009A6E9DCE9F9EC6126693990750285F57DB2831048606336EB9F28193D6073B3E6CACEF337D7323A3967FF3846
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):329888
                                      Entropy (8bit):6.652393975318632
                                      Encrypted:false
                                      SSDEEP:6144:x17UgKhUflT6tEFs8Sx/mPueNpQV587It9diIKc1yCC:x17SeflT6tK8UQV58kt9diUsD
                                      MD5:721811312D3F000E40A403983E60F6B7
                                      SHA1:DC9E6186A10ADF2419F8DAAC6DBBB11472A3BBB5
                                      SHA-256:39562DC738F28E2994CEE74207BEE53C833231EC68B2885E403DC3D9C43B6821
                                      SHA-512:E25E51E6ECAB823691F2E5296EBD257D15521639FBB2994B625433921445F8BE14A4FBB6D4A19A0925B0D7FC07031EE16B48B7DC4396B4A4916626D673B4EFC3
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):309536
                                      Entropy (8bit):6.56574804790244
                                      Encrypted:false
                                      SSDEEP:6144:nzv7WOXu33WPEei5EZNqHRk5XDiio9gZbzZYNAgk74dzzKX22zRrRBKZ+FhJDwwz:J2WR1BpLDRcnFIB2ahm97z/+
                                      MD5:B0A85005B5AAC68913092BEBEE39F34B
                                      SHA1:4E747E19165BB28054F5895A36ACA213E3B6A115
                                      SHA-256:984ED1D9AC926AB13FBBD8712CDF3CA5A7701E57C1A22B684541E46ECFBA9979
                                      SHA-512:86991DC81D38E14F19B7F1C1155F7DDFBA2FC2ABB5E5843C238984C876D5BF01E6F6613F022372226B589056E1ACDA0B7227937939DABAF33311CCCCF583FB0C
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):231688
                                      Entropy (8bit):6.4927538353537635
                                      Encrypted:false
                                      SSDEEP:3072:QTJLDgw9ow9j0rKu8bmb3KD/L8V8/6Xe9QF+wVkjox7rtefYGA/+PXuXUGL:mgw9ow9A4bmrA/mt7jWfuka
                                      MD5:01187D21FC09DD04F699064387D5E27C
                                      SHA1:F6B7086AAABAB39E2AB7A2FC5B130BC2150FC1C5
                                      SHA-256:BC1F295790C53358899C6721E0CED2F33F695C2421B2BB97FAB18F9DFFDD0198
                                      SHA-512:185FFE28CDFF7738DA5E278616B374DF79D0B1486B3D4B218266E1C408003DB509AEACF9D5C10D3F84EADED3BB9BD2A1A55F1156F9CB1C320384D62B05009410
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):100616
                                      Entropy (8bit):5.964892851536555
                                      Encrypted:false
                                      SSDEEP:1536:yQAG0KzKsXnTOShX+bX5SHuDQp6O/U/xOQwQ7rzUU3q2bP6NLrSjlV4i7Ep4za/e:ywRXSSV+bJSHu6cgXSJV4QXUe
                                      MD5:82BB53A6347A98BC441E26C6EFBB6EE7
                                      SHA1:94FFF378394772F8F6B37A66A3C7DAE43F3848E3
                                      SHA-256:D407C1380C52E1A04E554C0B134D9BC4699C7225290003ACE8E988E4AEEDBB25
                                      SHA-512:4BC1BFEF668F6843F85FBCC28B886E66BB886D30903C8DC8CBE3CCA8417AFB6130856C73FFF0686E3022ACEF8D26994DB4CF296ECF788EBA9D59B8E21EA74E58
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):2050208
                                      Entropy (8bit):6.677577580791444
                                      Encrypted:false
                                      SSDEEP:49152:HUy8hZ9wf3V7i9KAgmJE2Jjd/mxObmVw6Q41x:HU4QRgeL41x
                                      MD5:814F7E26E5AEECCEC424393D142FEA98
                                      SHA1:A9F8B6CB03EBE4E64E2B17FB4E57C17D24B7B00A
                                      SHA-256:60F3B82345E2812DCFDEF98642B2CA707B34C51D917D86615DF309714EF1E9D8
                                      SHA-512:46FF8137B77EF79BF5C8CEDBC35F263AB671641B50E0C16D705B744A9E902E1D6349D58570D3BBF4532CCCDD8DAAFBB30C2173C52E02734B589303516ACB43E4
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):186528
                                      Entropy (8bit):6.415230610741847
                                      Encrypted:false
                                      SSDEEP:3072:pSw4kXyyyLNMWWqfY8SJYrjXQori1RqU2TOK1xguZunS:VCyyKSA86YrkorvU2rfj0S
                                      MD5:287EDFA9B689281780A9475A99A587CC
                                      SHA1:B29E4F6C62D1C1FC83BD4DD9F73405F8173FD28D
                                      SHA-256:FA4952DF244AC5DD6D5D36B62E25B2CD0BF844453196D29838638518CB6944B6
                                      SHA-512:7D2BB2334D641E4831C3F2A4A304AB82DAE11B5F06718524B479D27C5B151212692E97A114FA40B7BB8610DB8FEBDE4B2BC2EC8A4C555197D295AF057B636C08
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):862368
                                      Entropy (8bit):7.456874615261393
                                      Encrypted:false
                                      SSDEEP:12288:5f7xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPQYBKgTWeUAm:5D9km6k/IwRYbiBeKGCHYTy/Am
                                      MD5:BD45A5557BDB95B90A2B51CE1C82E868
                                      SHA1:576C6EC24EA8DAA10FB7C8360B867C26A78CD9FB
                                      SHA-256:F22C997008FDA321A85557778F5BF95F369AE6DB161A52D4BB08CEA6991215A2
                                      SHA-512:989CB3A5B896644775CF5874E99E8DFDA3654AF6D7E8AEA7B38769078B67CF2B87B475A0D494D1717E83C4CA7A11B15895B01BD0C16D122F101E1FC46EC05F00
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):133280
                                      Entropy (8bit):6.118931111888508
                                      Encrypted:false
                                      SSDEEP:1536:7mTuj37yym3E5T+zpq5D3lhjdPTp8K76+d05Hzdy+NXMBpm4+SqUNiNxCzQd:7mTuq33E16qvZ5N77uLLN8BkSqUNACkd
                                      MD5:1829B95B9A2AB17DA9612B1529D5DF0C
                                      SHA1:C6B08686B182940D659D9E12251D8CBB02602BAE
                                      SHA-256:E73E129E5AED0F39F9147CD1FF2E047B01227AA791943D69A1DE4785B9598FB4
                                      SHA-512:FF687A80F9DF35DE0CA2A606763631D21D3558F9702028C2E50E20FA46FF4401DCE4585D69222E64988EF7221276363B264C1CFEDA2F67F9FB132839FA7C8E39
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1501456
                                      Entropy (8bit):6.703064329512441
                                      Encrypted:false
                                      SSDEEP:24576:iNDUuuRgw5xH6D9+YFVCwIbvRz6ySHAJcEVAvM8UbUJnBpK95:8vmTH6DMYTCwIlzPScp8UJ
                                      MD5:44E63A84FC57C49E4F2FA313CF651CBF
                                      SHA1:65240A270AFB9C06B65BB08ABF2CB8C1FD44EE97
                                      SHA-256:DC8B1118B266EC750AF5B4480869E01A97751A2F55352AC6908CEFB4A59499D1
                                      SHA-512:A0078A0FE7C8A092E71841287543E276643A0B469DA77D11B78F7857A6D5A1099FF6E4CE67A7B9992B60D97184922EA118AFD378EF4A357943D054A796456491
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1022128
                                      Entropy (8bit):6.821588247611613
                                      Encrypted:false
                                      SSDEEP:24576:7PNtms1Go9Fz7KPTT8inDiv67tA2ehjEnQKL:N1G457KLTRivKehjg7
                                      MD5:66FEE2E52A143A1227E062E88F4C3C19
                                      SHA1:65F5B79A84F89C820DE6273D0F7F323189C81FF4
                                      SHA-256:B9FE1181B9C0504D97940331B47DA8817BE5C202A0D57C2B92FE6909972F2012
                                      SHA-512:36E1CDB8C5AD2064F46BC30FF2F3742DE94D057C0D7ECCC1B1AFE1416EAD3128673CF35768396289FD34249324AE2958B0EF9C1E06298D533FCE7B40EBECD1A2
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):133400
                                      Entropy (8bit):6.277895373459539
                                      Encrypted:false
                                      SSDEEP:1536:Zj3t+/k1S+F3g2vlsEjd2fzs6FlsdJQ/WoioIa3cBPdzcWxRC4dezFTDkn:Zj3tYkwQQQmEjd2ZFli6/riY5avItDkn
                                      MD5:4D0F0F9563809C92DD1A38DEB4E24F33
                                      SHA1:03D2328EFB08D1E86686F8876595A162753BE374
                                      SHA-256:20DDABA930EE090B47FA38722EB0D5D23C9F860E45B3A2C1F03CDB4EA1B69C53
                                      SHA-512:DCDE9B8BEA8DD1111B2908FF89C96FD8CAD0812881E359EAB59BDF13451F5FF1DD50EADFC2FA2489B8B60A90926DBADC9D4641196974C65442006B0F142B5ABA
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):489752
                                      Entropy (8bit):6.715559969531241
                                      Encrypted:false
                                      SSDEEP:12288:X/ZX6ZS+34JkIT8tA7nPgNK4pFI6yB5v3Jx45WX9gLP:XV+Icur4vi5v5x4IX9gLP
                                      MD5:902DE8298523A79CF1F6E013E4CDE766
                                      SHA1:0D797B0D06D107A8DE21F72C2ECB6292E5E0F0ED
                                      SHA-256:E383DE92AA93F424FAEED789CDA2B920699D4A6EC805E5FD46833DAC9CD319A6
                                      SHA-512:4C0A192E7D6E9BDE627546ECE7287D41184E4FD91AE0DC87D660B5894BF210C27F3E8B1F3E8F5B568ECEF6C29D8AC2980970575EC2ACB6E696391AD88FA9D666
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):133296
                                      Entropy (8bit):6.342375712378606
                                      Encrypted:false
                                      SSDEEP:3072:UzCkkW0glfG6WVKdrhYnS+5On3kg9dE8rVP9kiTL:0kWxI6WVKVhjg8rVPOif
                                      MD5:8B391D187DB389BE181E700081C81906
                                      SHA1:EE3E0803D217FC947EFA6BA2D51CF196337EA4F6
                                      SHA-256:C44D73E3582228CAE2CDBFE74F6A60D11B4E1B4FCBD7343FA52F3C3C12AEA770
                                      SHA-512:0D89BEC917A2E82D39EDB089E8AF23C9732FA67205391709608DD0AA826DF5C9FAA9FEC4C265F7ED6AB8D109D620C878AD97F4F9EC8DD6D3CD1E6222DF007DBE
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):661664
                                      Entropy (8bit):6.673728367333183
                                      Encrypted:false
                                      SSDEEP:6144:4J5UP48Vd00bmWIQf2VQIhS3dzGpepguWC4bVUl6lJlD2EL66zP0ARZ9dn3/sx1w:5PJddbmWnf2VQ9bgnzVTFD2S6isx91o3
                                      MD5:537F45E761B7BF2593E86778B1AAC461
                                      SHA1:36F5AF91AC751FF1DDAC5297E0835388335706C0
                                      SHA-256:A5E3E04CA99F4B82C761370508EBE6E1DC7FE6B9463E904BA408AFDBC16D5272
                                      SHA-512:32D9A9C892422CACC9A7554719076DAD65AF3B31C8402247804CC5B66216ACBBE8D773AEB540DC98421E43659BE284E41F60DEEDBF4FE0928302A0CB4997AF49
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):311056
                                      Entropy (8bit):4.240184363331846
                                      Encrypted:false
                                      SSDEEP:3072:SE9XK6chFa5y9sh33X+QIa7rGgtfqYZdLqt:xq0FfqYZdLk
                                      MD5:433E16EF5493F3056333B527F1E2DD60
                                      SHA1:FE62C578F0186E2184EC45F2DAD74BB541949B07
                                      SHA-256:C78605F3D54C17048715442A67E02C104EDF16BA63845E76E5C58EA39F3EAB5D
                                      SHA-512:1D6D372A802A99383BDBA8788E96417D60CA19F072CB471BF36622190F44A34260C3F0F823C378091474FBA3082EB062D9560AE30A62966AB2B4925B51111262
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%%=.aDS.aDS.aDS.q...`DS.q.Q.`DS.RichaDS.PE..d......f.........." ...(.............................................................R....`.......................................................... ...................)..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@.......f........l...l...l..........f...........................f........l...................................RSDS.".7(.BH...w".......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\clretwrc\clretwrc.pdb.............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....!......rsrc$02....................................................................................................................................................
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):668448
                                      Entropy (8bit):6.597025509314607
                                      Encrypted:false
                                      SSDEEP:6144:6lUe0bQZSn84GFMN5mSVv8pg8OWFODaunfRSzPg9HRfAWbsxLTjjTVSAAbijTwxt:6ZZo8JaN5z+dufRS6xrgSAXTCWon
                                      MD5:C72941B29791828AFBF0D431CC7FBA35
                                      SHA1:B6DA4DFA2DFC390069FE838D3841DCCF6D48ABAA
                                      SHA-256:CCF2823C73204A39DC0A1DE9E9B948B87BB9243F710AB53A6E0DF4C159BEF7D4
                                      SHA-512:992183DEA27FDA359E475D937063C8679F47C53872180DF8AAA667C2F220ED6A5D09E87B30C0FB6CBCBA2F52B395A7FBFB230C9DF10036E5DD6CD3800AFE8CCB
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1785096
                                      Entropy (8bit):6.549282182275219
                                      Encrypted:false
                                      SSDEEP:49152:u/m1kU6fimCAYAOwJlfRyraVXxwHkye4asWnwZMN8f:uKAYzolImViHTe4avuf
                                      MD5:00949AA1FCE3C881929ADB781077D8C0
                                      SHA1:FF75673FD2492EC8D09458E2000CCE68565EFF26
                                      SHA-256:91A91D35EB8D85293DFF960E8431963114AEFB9B62B0C261C0012ED040A2FE44
                                      SHA-512:3FCE596DC69C4335EC5403171F5A044DC7E5E3DE8BFFE56777444E33DBED91D3647E74EDA936C2CE0117F5B9D5C2D28A522C26F8E54B4B1BE2E1ADBB4F1159CB
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):5044488
                                      Entropy (8bit):6.559243918969336
                                      Encrypted:false
                                      SSDEEP:49152:SFznQSUNeMW/3Pz42WuxpWNbIotHsErN3ocWErFMzHRGNTJc5fnzn7M4Fdpi9Zdo:dexpWNbIotUcsA9FbNF0DcxQ
                                      MD5:059FC7A9CEAD83069D5147DD4DD75AE5
                                      SHA1:EF7754EE10708C753E6A64C5F3B122CEF94A6166
                                      SHA-256:DB1D6DEB3B4A74769DB761EEDF669142AB2D759EBA324672DE2649EF3D88E7F0
                                      SHA-512:1656BD914B308F1FFBCCED00A53C96AB4BCFD411CA6AA0E98FD8F4768A2F94A4096D6858E4AA0E6A1DBF068F1D1A1E2D3D560592AFB09DA1EBBB27B8F9E7F903
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):393488
                                      Entropy (8bit):6.332083868536635
                                      Encrypted:false
                                      SSDEEP:6144:8LsyeU2urknHxoHs+n1wg1xhDrLj5OAS0+QB02u7FksfEX7RPzfUz:ysyN2urknCHsAwgtrsA6Qu2v7dcz
                                      MD5:4DF8367F195394E23720173C751CF159
                                      SHA1:E215CF52164D4180605D5C16F873691649F4C32E
                                      SHA-256:29BCB525992E2BF1DC2C66918450ADE3B36E88226B1CEAB18A8C110A0E0DA0DC
                                      SHA-512:FD5DB356CB08578B731C62AFE3A98D57FDE6889ED1664038F01FBEF00FE06C83BC93365CFE94B8D23906990BFF5DA437A97C684C69CB61812E46C627C55CDD34
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1338400
                                      Entropy (8bit):6.358098724993395
                                      Encrypted:false
                                      SSDEEP:12288:cABsjnIunobZ5eGiBSk7uf9xg9Y/ydKEPXoRyingNLi0/rqsaoGSZNrWVgi00szd:cjIuG4Sk7ug9Y/ytNe4rqsa0njGzQD
                                      MD5:05D4804E5EA5509E19A3388B46A363E2
                                      SHA1:31EA1248542D2914FC76179E5731126DFCCDBFA0
                                      SHA-256:61350E7EE96E614900D641B4ECC3F35271AA2BA72C0455AE0D021E20C95F9A3E
                                      SHA-512:6DBD79B065E8C0D3B042DA7615ABC0EF7DC7522E86AEB3DF9707080AFE113077A894F5CB963D2B0A179B5755296011798B24F7102AE9A5274CCD5C0FF9959EDA
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1338400
                                      Entropy (8bit):6.358098724993395
                                      Encrypted:false
                                      SSDEEP:12288:cABsjnIunobZ5eGiBSk7uf9xg9Y/ydKEPXoRyingNLi0/rqsaoGSZNrWVgi00szd:cjIuG4Sk7ug9Y/ytNe4rqsa0njGzQD
                                      MD5:05D4804E5EA5509E19A3388B46A363E2
                                      SHA1:31EA1248542D2914FC76179E5731126DFCCDBFA0
                                      SHA-256:61350E7EE96E614900D641B4ECC3F35271AA2BA72C0455AE0D021E20C95F9A3E
                                      SHA-512:6DBD79B065E8C0D3B042DA7615ABC0EF7DC7522E86AEB3DF9707080AFE113077A894F5CB963D2B0A179B5755296011798B24F7102AE9A5274CCD5C0FF9959EDA
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):1241520
                                      Entropy (8bit):6.349941690072582
                                      Encrypted:false
                                      SSDEEP:12288:YyL6o2u8NwfPWN0uenPtMDQUxbDjDDF2FZNd0W+/y9RtI/2gTZWQ9s16y6p54yqX:YyL6oXnU0uePtM/DjDDFA7dFiugTypf
                                      MD5:18C328AE6740B28D3BCB238BDA17AEB9
                                      SHA1:AB73DDA2F6EB35B743C56BABD2E3F5CADEBDB938
                                      SHA-256:1676DF96BF8D0DA277F1ADC2102E7FC711240982D61C31610F83474F093092F4
                                      SHA-512:CC5821C2E80F11BE3B010AD11943B53555C8537DD2975F900556B45A2FBA3C600D64707BFA72828EB320CEE74E48EF90FD726F76C5011361085824085017E024
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):136984
                                      Entropy (8bit):3.9056973889632753
                                      Encrypted:false
                                      SSDEEP:1536:HIH591YWvh7xR+l5dZU49N9SqignwJ5cvBMgSIctpoECyIWLzH:HIHhal5dZU4dSqHns2SpSkIAT
                                      MD5:136282A8FF7A4730B2F719AFA5DADF90
                                      SHA1:A86A5911C6BE4CE1E9535FC3F993677050EA5F15
                                      SHA-256:95EED17CA001846333831DA4DB370FB838AE114CCE512DB31380E8B45C464024
                                      SHA-512:3061C63242A95554A9855652D750FA3609860637EBB020A94CF3656761C182F0A1E15CFC87C6276BEF34FF75CDCB3FEDDA1E3B74D33A4E1B27628A36FA4302BB
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%%=.aDS.aDS.aDS.q...`DS.q.Q.`DS.RichaDS.PE..d......f.........." ...(..................................................................`.......................................................... ...................)..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@.......f........j...l...l..........f...........................f........l...................................RSDS.. 2v.ZA.].`S6Sc....D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb...............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... ..P....rsrc$01....P:.......rsrc$02....................................................................................................................................................
                                      Process:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):538136
                                      Entropy (8bit):6.299714405457925
                                      Encrypted:false
                                      SSDEEP:12288:q5YDDKStgzRK093ertSfiOMVAXUYYJJOb:qmDxSP6OaLYYJC
                                      MD5:027854570A4412624BECEE78A10395C1
                                      SHA1:6B0E6BC0CD97F2CAC1B962BE868FC7CB621D77F8
                                      SHA-256:2D67E87859ECAEB15C4DD621B0983F1A9AD3E2AA9B11624C018A43E6D6B06BEC
                                      SHA-512:8593D309434C7954AA42E5BD63F76A5BAE783C8F2130798EA285032C71F890C4C1783614597EE2BA3DA3294A68CE636EA2A9DCB21A858A840C8D8F6316928D65
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.997085095311196
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:Photoshop_x64_en-us.exe
                                      File size:24'276'144 bytes
                                      MD5:62044b7de91afa1c39d5312428957c44
                                      SHA1:5ad2964db98cafa09ea71f2a790959a0ed67ff2a
                                      SHA256:a1af62c4cae7eb01939beb0adb4adc83296d85a49462b399d14cf814d50627d3
                                      SHA512:88448cb1b537a69735ac55cae778cb3f0552729e958b241ae2810b459dbedc76ab43a2d8df50787d8dfc992e0f1cfca43a599d75b89916f39e8181be2c3b463f
                                      SSDEEP:393216:A26GA3is67YJMnDiyrZ74MC1EgVqNHb2k7D/fea7KiDqBIaThxGVnxpxjAat0eb1:lA3isGYJMD1rZKLqNPDKiDqV/Gvp+60G
                                      TLSH:1F37334BAD1CAA53E33B853502F02D6D80D00494DB9D2D2FB7721B4B6FC621CE5AE56B
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...9.oZ.................d...|.....
                                      Icon Hash:0771ccf8d84d2907
                                      Entrypoint:0x40320c
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x5A6FED39 [Tue Jan 30 03:57:45 2018 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:3abe302b6d9a1256e6a915429af4ffd2
                                      Instruction
                                      sub esp, 00000184h
                                      push ebx
                                      push esi
                                      push edi
                                      xor ebx, ebx
                                      push 00008001h
                                      mov dword ptr [esp+18h], ebx
                                      mov dword ptr [esp+10h], 0040A198h
                                      mov dword ptr [esp+20h], ebx
                                      mov byte ptr [esp+14h], 00000020h
                                      call dword ptr [004080A0h]
                                      call dword ptr [0040809Ch]
                                      and eax, BFFFFFFFh
                                      cmp ax, 00000006h
                                      mov dword ptr [0042F40Ch], eax
                                      je 00007F199C6EE033h
                                      push ebx
                                      call 00007F199C6F110Ah
                                      cmp eax, ebx
                                      je 00007F199C6EE029h
                                      push 00000C00h
                                      call eax
                                      mov esi, 00408298h
                                      push esi
                                      call 00007F199C6F1086h
                                      push esi
                                      call dword ptr [00408098h]
                                      lea esi, dword ptr [esi+eax+01h]
                                      cmp byte ptr [esi], bl
                                      jne 00007F199C6EE00Dh
                                      push 0000000Ah
                                      call 00007F199C6F10DEh
                                      push 00000008h
                                      call 00007F199C6F10D7h
                                      push 00000006h
                                      mov dword ptr [0042F404h], eax
                                      call 00007F199C6F10CBh
                                      cmp eax, ebx
                                      je 00007F199C6EE031h
                                      push 0000001Eh
                                      call eax
                                      test eax, eax
                                      je 00007F199C6EE029h
                                      or byte ptr [0042F40Fh], 00000040h
                                      push ebp
                                      call dword ptr [00408044h]
                                      push ebx
                                      call dword ptr [00408288h]
                                      mov dword ptr [0042F4D8h], eax
                                      push ebx
                                      lea eax, dword ptr [esp+38h]
                                      push 00000160h
                                      push eax
                                      push ebx
                                      push 00429830h
                                      call dword ptr [00408178h]
                                      push 0040A188h
                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x4508 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x628f | 0x6400 | 94777a1c66c6303b9367f07906450c26 | False | 0.670078125 | data | 6.442195364271234 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x8000 | 0x1354 | 0x1400 | 5143a41b917c20afc11d259fd85b6ffc | False | 0.4599609375 | data | 5.236269898436511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0xa000 | 0x25518 | 0x600 | 12c02de2bdc517e2722ceeb84aff8b34 | False | 0.455078125 | data | 4.04938010159809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .ndata | 0x30000 | 0xb000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x3b000 | 0x4508 | 0x4600 | 4c95aeafa8baa85d30aafed2970aec04 | False | 0.6133370535714285 | data | 5.902828666894074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0x3b328 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7213883677298312
                                      RT_ICON | 0x3c3d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors | English | United States | 0.6751066098081023
                                      RT_ICON | 0x3d278 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors | English | United States | 0.7851985559566786
                                      RT_ICON | 0x3db20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors | English | United States | 0.6560693641618497
                                      RT_ICON | 0x3e088 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8031914893617021
                                      RT_ICON | 0x3e4f0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.3118279569892473
                                      RT_ICON | 0x3e7d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.36824324324324326
                                      RT_DIALOG | 0x3e900 | 0x120 | data | English | United States | 0.5138888888888888
                                      RT_DIALOG | 0x3ea20 | 0x202 | data | English | United States | 0.4085603112840467
                                      RT_DIALOG | 0x3ec28 | 0xf8 | data | English | United States | 0.6330645161290323
                                      RT_DIALOG | 0x3ed20 | 0xee | data | English | United States | 0.6260504201680672
                                      RT_GROUP_ICON | 0x3ee10 | 0x68 | data | English | United States | 0.6634615384615384
                                      RT_VERSION | 0x3ee78 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States | 0.4935064935064935
                                      RT_MANIFEST | 0x3f0e0 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
                                      DLL | Import
                                      KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
                                      USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
                                      GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                      SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
                                      ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                      COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                      ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      No network behavior found


                                      Target ID:0
                                      Start time:16:38:06
                                      Start date:12/10/2024
                                      Path:C:\Users\user\Desktop\Photoshop_x64_en-us.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\Photoshop_x64_en-us.exe"
                                      Imagebase:0x400000
                                      File size:24'276'144 bytes
                                      MD5 hash:62044B7DE91AFA1C39D5312428957C44
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:22.8%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:21.1%
                                        Total number of Nodes:1276
                                        Total number of Limit Nodes:25
SendMessageA 3009->3016 3017 40531f 3009->3017 3010->3012 3018 40548f CreatePopupMenu 3010->3018 3015 404018 SendMessageA 3013->3015 3038 4050c7 3014->3038 3015->3002 3016->3017 3021 40403f 18 API calls 3017->3021 3020 405fc2 17 API calls 3018->3020 3022 40549f AppendMenuA 3020->3022 3023 40532f 3021->3023 3024 4054d0 TrackPopupMenu 3022->3024 3025 4054bd GetWindowRect 3022->3025 3026 405338 ShowWindow 3023->3026 3027 40536c GetDlgItem SendMessageA 3023->3027 3024->3012 3028 4054ec 3024->3028 3025->3024 3029 40535b 3026->3029 3030 40534e ShowWindow 3026->3030 3027->3012 3031 405393 SendMessageA SendMessageA 3027->3031 3032 40550b SendMessageA 3028->3032 3049 404074 SendMessageA 3029->3049 3030->3029 3031->3012 3032->3032 3033 405528 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3032->3033 3035 40554a SendMessageA 3033->3035 3035->3035 3036 40556c GlobalUnlock SetClipboardData CloseClipboard 3035->3036 3036->3012 3037->2998 3039 4050e2 3038->3039 3048 405185 3038->3048 3040 4050ff lstrlenA 3039->3040 3041 405fc2 17 API calls 3039->3041 3042 405128 3040->3042 3043 40510d lstrlenA 3040->3043 3041->3040 3044 40513b 3042->3044 3045 40512e SetWindowTextA 3042->3045 3046 40511f lstrcatA 3043->3046 3043->3048 3047 405141 SendMessageA SendMessageA SendMessageA 3044->3047 3044->3048 3045->3044 3046->3042 3047->3048 3048->3013 3049->3027 3050->2999 3052 404025 SendMessageA 3051->3052 3053 40401f 3051->3053 3052->3001 3053->3052 3061 40408b 3054->3061 3056 4051bc 3059 401389 2 API calls 3056->3059 3060 4051e3 3056->3060 3057 40408b SendMessageA 3058 4051f5 CoUninitialize 3057->3058 3059->3056 3060->3057 3062 4040a3 3061->3062 3063 404094 SendMessageA 3061->3063 3062->3056 3063->3062 4042 402688 4043 402904 4042->4043 4044 40268f 4042->4044 4045 402aa9 17 API calls 4044->4045 4046 402696 4045->4046 4047 4026a5 SetFilePointer 4046->4047 4047->4043 4048 4026b5 4047->4048 4050 405efe wsprintfA 4048->4050 4050->4043 3149 401c0a 3171 402aa9 3149->3171 3151 401c11 3152 402aa9 
17 API calls 3151->3152 3153 401c1e 3152->3153 3154 401c33 3153->3154 3155 402acb 17 API calls 3153->3155 3156 402acb 17 API calls 3154->3156 3160 401c43 3154->3160 3155->3154 3156->3160 3157 401c9a 3159 402acb 17 API calls 3157->3159 3158 401c4e 3161 402aa9 17 API calls 3158->3161 3162 401c9f 3159->3162 3160->3157 3160->3158 3163 401c53 3161->3163 3165 402acb 17 API calls 3162->3165 3164 402aa9 17 API calls 3163->3164 3166 401c5f 3164->3166 3167 401ca8 FindWindowExA 3165->3167 3168 401c8a SendMessageA 3166->3168 3169 401c6c SendMessageTimeoutA 3166->3169 3170 401cc6 3167->3170 3168->3170 3169->3170 3172 405fc2 17 API calls 3171->3172 3173 402abe 3172->3173 3173->3151 4051 40448a 4052 4044c0 4051->4052 4053 40449a 4051->4053 4055 4040a6 8 API calls 4052->4055 4054 40403f 18 API calls 4053->4054 4056 4044a7 SetDlgItemTextA 4054->4056 4057 4044cc 4055->4057 4056->4052 3286 40320c SetErrorMode GetVersion 3287 40324d 3286->3287 3288 403253 3286->3288 3289 406338 5 API calls 3287->3289 3290 4062ca 3 API calls 3288->3290 3289->3288 3291 403269 lstrlenA 3290->3291 3291->3288 3292 403278 3291->3292 3293 406338 5 API calls 3292->3293 3294 40327f 3293->3294 3295 406338 5 API calls 3294->3295 3296 403286 3295->3296 3297 406338 5 API calls 3296->3297 3298 403292 #17 OleInitialize SHGetFileInfoA 3297->3298 3376 405fa0 lstrcpynA 3298->3376 3301 4032de GetCommandLineA 3377 405fa0 lstrcpynA 3301->3377 3303 4032f0 3304 405963 CharNextA 3303->3304 3305 403319 CharNextA 3304->3305 3311 403329 3305->3311 3306 4033f3 3307 403406 GetTempPathA 3306->3307 3378 4031db 3307->3378 3309 40341e 3312 403422 GetWindowsDirectoryA lstrcatA 3309->3312 3313 403478 DeleteFileA 3309->3313 3310 405963 CharNextA 3310->3311 3311->3306 3311->3310 3316 4033f5 3311->3316 3315 4031db 12 API calls 3312->3315 3388 402d63 GetTickCount GetModuleFileNameA 3313->3388 3318 40343e 3315->3318 3472 405fa0 lstrcpynA 3316->3472 3317 40348c 3319 403522 3317->3319 3323 403512 3317->3323 3327 405963 CharNextA 3317->3327 
3318->3313 3321 403442 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3318->3321 3475 4036f4 3319->3475 3322 4031db 12 API calls 3321->3322 3325 403470 3322->3325 3416 4037ce 3323->3416 3325->3313 3325->3319 3329 4034a7 3327->3329 3338 403552 3329->3338 3339 4034ed 3329->3339 3330 40365a 3332 403662 GetCurrentProcess OpenProcessToken 3330->3332 3333 4036dc ExitProcess 3330->3333 3331 40353c 3334 4056bc MessageBoxIndirectA 3331->3334 3335 4036ad 3332->3335 3336 40367d LookupPrivilegeValueA AdjustTokenPrivileges 3332->3336 3340 40354a ExitProcess 3334->3340 3341 406338 5 API calls 3335->3341 3336->3335 3343 405627 5 API calls 3338->3343 3342 405a26 18 API calls 3339->3342 3345 4036b4 3341->3345 3346 4034f8 3342->3346 3344 403557 lstrcatA 3343->3344 3347 403573 lstrcatA lstrcmpiA 3344->3347 3348 403568 lstrcatA 3344->3348 3349 4036c9 ExitWindowsEx 3345->3349 3352 4036d5 3345->3352 3346->3319 3473 405fa0 lstrcpynA 3346->3473 3347->3319 3351 40358f 3347->3351 3348->3347 3349->3333 3349->3352 3354 403594 3351->3354 3355 40359b 3351->3355 3356 40140b 2 API calls 3352->3356 3353 403507 3474 405fa0 lstrcpynA 3353->3474 3358 40558d 4 API calls 3354->3358 3359 40560a 2 API calls 3355->3359 3356->3333 3360 403599 3358->3360 3361 4035a0 SetCurrentDirectoryA 3359->3361 3360->3361 3362 4035ba 3361->3362 3363 4035af 3361->3363 3483 405fa0 lstrcpynA 3362->3483 3482 405fa0 lstrcpynA 3363->3482 3366 405fc2 17 API calls 3367 4035f9 DeleteFileA 3366->3367 3368 403606 CopyFileA 3367->3368 3373 4035c8 3367->3373 3368->3373 3369 40364e 3371 405d7f 36 API calls 3369->3371 3371->3319 3372 405fc2 17 API calls 3372->3373 3373->3366 3373->3369 3373->3372 3375 40363a CloseHandle 3373->3375 3484 405d7f MoveFileExA 3373->3484 3488 40563f CreateProcessA 3373->3488 3375->3373 3376->3301 3377->3303 3379 40620a 5 API calls 3378->3379 3381 4031e7 3379->3381 3380 4031f1 3380->3309 3381->3380 3382 405938 3 API calls 3381->3382 3383 4031f9 3382->3383 3384 40560a 2 API calls 
3383->3384 3385 4031ff 3384->3385 3491 405b68 3385->3491 3495 405b39 GetFileAttributesA CreateFileA 3388->3495 3390 402da3 3409 402db3 3390->3409 3496 405fa0 lstrcpynA 3390->3496 3392 402dc9 3393 40597f 2 API calls 3392->3393 3394 402dcf 3393->3394 3497 405fa0 lstrcpynA 3394->3497 3396 402dda GetFileSize 3397 402ed6 3396->3397 3411 402df1 3396->3411 3498 402cff 3397->3498 3399 402edf 3401 402f0f GlobalAlloc 3399->3401 3399->3409 3510 4031c4 SetFilePointer 3399->3510 3400 4031ae ReadFile 3400->3411 3509 4031c4 SetFilePointer 3401->3509 3403 402f42 3406 402cff 6 API calls 3403->3406 3405 402f2a 3408 402f9c 31 API calls 3405->3408 3406->3409 3407 402ef8 3410 4031ae ReadFile 3407->3410 3414 402f36 3408->3414 3409->3317 3412 402f03 3410->3412 3411->3397 3411->3400 3411->3403 3411->3409 3413 402cff 6 API calls 3411->3413 3412->3401 3412->3409 3413->3411 3414->3409 3414->3414 3415 402f73 SetFilePointer 3414->3415 3415->3409 3417 406338 5 API calls 3416->3417 3418 4037e2 3417->3418 3419 4037e8 3418->3419 3420 4037fa 3418->3420 3523 405efe wsprintfA 3419->3523 3421 405e87 3 API calls 3420->3421 3422 403825 3421->3422 3424 403843 lstrcatA 3422->3424 3426 405e87 3 API calls 3422->3426 3425 4037f8 3424->3425 3515 403a93 3425->3515 3426->3424 3429 405a26 18 API calls 3430 403875 3429->3430 3431 4038fe 3430->3431 3433 405e87 3 API calls 3430->3433 3432 405a26 18 API calls 3431->3432 3434 403904 3432->3434 3435 4038a1 3433->3435 3436 403914 LoadImageA 3434->3436 3437 405fc2 17 API calls 3434->3437 3435->3431 3440 4038bd lstrlenA 3435->3440 3443 405963 CharNextA 3435->3443 3438 4039ba 3436->3438 3439 40393b RegisterClassA 3436->3439 3437->3436 3442 40140b 2 API calls 3438->3442 3441 403971 SystemParametersInfoA CreateWindowExA 3439->3441 3471 4039c4 3439->3471 3444 4038f1 3440->3444 3445 4038cb lstrcmpiA 3440->3445 3441->3438 3446 4039c0 3442->3446 3448 4038bb 3443->3448 3447 405938 3 API calls 3444->3447 3445->3444 3449 4038db GetFileAttributesA 3445->3449 3450 403a93 18 API 
calls 3446->3450 3446->3471 3451 4038f7 3447->3451 3448->3440 3452 4038e7 3449->3452 3453 4039d1 3450->3453 3524 405fa0 lstrcpynA 3451->3524 3452->3444 3455 40597f 2 API calls 3452->3455 3456 403a60 3453->3456 3457 4039dd ShowWindow 3453->3457 3455->3444 3459 405199 5 API calls 3456->3459 3458 4062ca 3 API calls 3457->3458 3461 4039f5 3458->3461 3460 403a66 3459->3460 3462 403a82 3460->3462 3463 403a6a 3460->3463 3464 403a03 GetClassInfoA 3461->3464 3466 4062ca 3 API calls 3461->3466 3465 40140b 2 API calls 3462->3465 3469 40140b 2 API calls 3463->3469 3463->3471 3467 403a17 GetClassInfoA RegisterClassA 3464->3467 3468 403a2d DialogBoxParamA 3464->3468 3465->3471 3466->3464 3467->3468 3470 40140b 2 API calls 3468->3470 3469->3471 3470->3471 3471->3319 3472->3307 3473->3353 3474->3323 3476 40370c 3475->3476 3477 4036fe CloseHandle 3475->3477 3526 403739 3476->3526 3477->3476 3482->3362 3483->3373 3485 405da0 3484->3485 3486 405d93 3484->3486 3485->3373 3577 405c0f 3486->3577 3489 405672 CloseHandle 3488->3489 3490 40567e 3488->3490 3489->3490 3490->3373 3492 405b73 GetTickCount GetTempFileNameA 3491->3492 3493 405ba0 3492->3493 3494 40320a 3492->3494 3493->3492 3493->3494 3494->3309 3495->3390 3496->3392 3497->3396 3499 402d20 3498->3499 3500 402d08 3498->3500 3503 402d30 GetTickCount 3499->3503 3504 402d28 3499->3504 3501 402d11 DestroyWindow 3500->3501 3502 402d18 3500->3502 3501->3502 3502->3399 3506 402d61 3503->3506 3507 402d3e CreateDialogParamA ShowWindow 3503->3507 3511 406374 3504->3511 3506->3399 3507->3506 3509->3405 3510->3407 3512 406391 PeekMessageA 3511->3512 3513 402d2e 3512->3513 3514 406387 DispatchMessageA 3512->3514 3513->3399 3514->3512 3516 403aa7 3515->3516 3525 405efe wsprintfA 3516->3525 3518 403b18 3519 403b4c 18 API calls 3518->3519 3521 403b1d 3519->3521 3520 403853 3520->3429 3521->3520 3522 405fc2 17 API calls 3521->3522 3522->3521 3523->3425 3524->3431 3525->3518 3527 403747 3526->3527 3528 403711 3527->3528 3529 40374c FreeLibrary 
GlobalFree 3527->3529 3530 405768 3528->3530 3529->3528 3529->3529 3531 405a26 18 API calls 3530->3531 3532 405788 3531->3532 3533 405790 DeleteFileA 3532->3533 3534 4057a7 3532->3534 3538 40352b OleUninitialize 3533->3538 3535 4058d5 3534->3535 3567 405fa0 lstrcpynA 3534->3567 3535->3538 3541 4062a3 2 API calls 3535->3541 3537 4057cd 3539 4057e0 3537->3539 3540 4057d3 lstrcatA 3537->3540 3538->3330 3538->3331 3543 40597f 2 API calls 3539->3543 3542 4057e6 3540->3542 3544 4058f9 3541->3544 3545 4057f4 lstrcatA 3542->3545 3546 4057ff lstrlenA FindFirstFileA 3542->3546 3543->3542 3544->3538 3547 405938 3 API calls 3544->3547 3545->3546 3546->3535 3565 405823 3546->3565 3548 405903 3547->3548 3550 405720 5 API calls 3548->3550 3549 405963 CharNextA 3549->3565 3551 40590f 3550->3551 3552 405913 3551->3552 3553 405929 3551->3553 3552->3538 3558 4050c7 24 API calls 3552->3558 3554 4050c7 24 API calls 3553->3554 3554->3538 3555 4058b4 FindNextFileA 3557 4058cc FindClose 3555->3557 3555->3565 3557->3535 3559 405920 3558->3559 3560 405d7f 36 API calls 3559->3560 3560->3538 3562 405768 60 API calls 3562->3565 3563 4050c7 24 API calls 3563->3555 3564 4050c7 24 API calls 3564->3565 3565->3549 3565->3555 3565->3562 3565->3563 3565->3564 3566 405d7f 36 API calls 3565->3566 3568 405fa0 lstrcpynA 3565->3568 3569 405720 3565->3569 3566->3565 3567->3537 3568->3565 3570 405b14 2 API calls 3569->3570 3571 40572c 3570->3571 3572 405743 DeleteFileA 3571->3572 3573 40573b RemoveDirectoryA 3571->3573 3574 40574d 3571->3574 3575 405749 3572->3575 3573->3575 3574->3565 3575->3574 3576 405759 SetFileAttributesA 3575->3576 3576->3574 3578 405c35 3577->3578 3579 405c5b GetShortPathNameA 3577->3579 3604 405b39 GetFileAttributesA CreateFileA 3578->3604 3581 405c70 3579->3581 3582 405d7a 3579->3582 3581->3582 3584 405c78 wsprintfA 3581->3584 3582->3485 3583 405c3f CloseHandle GetShortPathNameA 3583->3582 3585 405c53 3583->3585 3586 405fc2 17 API calls 3584->3586 3585->3579 3585->3582 3587 405ca0 
3586->3587 3605 405b39 GetFileAttributesA CreateFileA 3587->3605 3589 405cad 3589->3582 3590 405cbc GetFileSize GlobalAlloc 3589->3590 3591 405d73 CloseHandle 3590->3591 3592 405cde 3590->3592 3591->3582 3593 405bb1 ReadFile 3592->3593 3594 405ce6 3593->3594 3594->3591 3606 405a9e lstrlenA 3594->3606 3597 405d11 3599 405a9e 4 API calls 3597->3599 3598 405cfd lstrcpyA 3600 405d1f 3598->3600 3599->3600 3601 405d56 SetFilePointer 3600->3601 3602 405be0 WriteFile 3601->3602 3603 405d6c GlobalFree 3602->3603 3603->3591 3604->3583 3605->3589 3607 405adf lstrlenA 3606->3607 3608 405ab8 lstrcmpiA 3607->3608 3609 405ae7 3607->3609 3608->3609 3610 405ad6 CharNextA 3608->3610 3609->3597 3609->3598 3610->3607 4058 40378c 4059 403797 4058->4059 4060 40379b 4059->4060 4061 40379e GlobalAlloc 4059->4061 4061->4060 4062 401490 4063 4050c7 24 API calls 4062->4063 4064 401497 4063->4064 4065 401d9b GetDC 4066 402aa9 17 API calls 4065->4066 4067 401dad GetDeviceCaps MulDiv ReleaseDC 4066->4067 4068 402aa9 17 API calls 4067->4068 4069 401dde 4068->4069 4070 405fc2 17 API calls 4069->4070 4071 401e1b CreateFontIndirectA 4070->4071 4072 40257d 4071->4072 4073 40149d 4074 4014ab PostQuitMessage 4073->4074 4075 4022e7 4073->4075 4074->4075 4076 40159d 4077 402acb 17 API calls 4076->4077 4078 4015a4 SetFileAttributesA 4077->4078 4079 4015b6 4078->4079 4080 401a1e 4081 402acb 17 API calls 4080->4081 4082 401a27 ExpandEnvironmentStringsA 4081->4082 4083 401a3b 4082->4083 4085 401a4e 4082->4085 4084 401a40 lstrcmpA 4083->4084 4083->4085 4084->4085 4091 40171f 4092 402acb 17 API calls 4091->4092 4093 401726 SearchPathA 4092->4093 4094 401741 4093->4094 4095 401d20 4096 402aa9 17 API calls 4095->4096 4097 401d2e SetWindowLongA 4096->4097 4098 402957 4097->4098 4099 404822 4100 404832 4099->4100 4101 40484e 4099->4101 4110 4056a0 GetDlgItemTextA 4100->4110 4103 404881 4101->4103 4104 404854 SHGetPathFromIDListA 4101->4104 4106 404864 4104->4106 4109 40486b SendMessageA 4104->4109 4105 40483f 
SendMessageA 4105->4101 4107 40140b 2 API calls 4106->4107 4107->4109 4109->4103 4110->4105 4111 4041aa 4112 4041c0 4111->4112 4117 4042cc 4111->4117 4115 40403f 18 API calls 4112->4115 4113 40433b 4114 404405 4113->4114 4116 404345 GetDlgItem 4113->4116 4123 4040a6 8 API calls 4114->4123 4118 404216 4115->4118 4119 4043c3 4116->4119 4120 40435b 4116->4120 4117->4113 4117->4114 4121 404310 GetDlgItem SendMessageA 4117->4121 4122 40403f 18 API calls 4118->4122 4119->4114 4124 4043d5 4119->4124 4120->4119 4128 404381 SendMessageA LoadCursorA SetCursor 4120->4128 4144 404061 KiUserCallbackDispatcher 4121->4144 4126 404223 CheckDlgButton 4122->4126 4127 404400 4123->4127 4129 4043db SendMessageA 4124->4129 4130 4043ec 4124->4130 4142 404061 KiUserCallbackDispatcher 4126->4142 4145 40444e 4128->4145 4129->4130 4130->4127 4135 4043f2 SendMessageA 4130->4135 4131 404336 4136 40442a SendMessageA 4131->4136 4135->4127 4136->4113 4137 404241 GetDlgItem 4143 404074 SendMessageA 4137->4143 4139 404257 SendMessageA 4140 404275 GetSysColor 4139->4140 4141 40427e SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4139->4141 4140->4141 4141->4127 4142->4137 4143->4139 4144->4131 4148 405682 ShellExecuteExA 4145->4148 4147 4043b4 LoadCursorA SetCursor 4147->4119 4148->4147 4149 401e2b 4150 402aa9 17 API calls 4149->4150 4151 401e31 4150->4151 4152 402aa9 17 API calls 4151->4152 4153 401e3d 4152->4153 4154 401e54 EnableWindow 4153->4154 4155 401e49 ShowWindow 4153->4155 4156 402957 4154->4156 4155->4156 4157 4063ad WaitForSingleObject 4158 4063c7 4157->4158 4159 4063d9 GetExitCodeProcess 4158->4159 4160 406374 2 API calls 4158->4160 4161 4063ce WaitForSingleObject 4160->4161 4161->4158 4162 401f31 4163 402acb 17 API calls 4162->4163 4164 401f38 4163->4164 4165 4062a3 2 API calls 4164->4165 4166 401f3e 4165->4166 4167 401f50 4166->4167 4169 405efe wsprintfA 4166->4169 4169->4167 4176 402932 SendMessageA 4177 402957 4176->4177 4178 40294c InvalidateRect 4176->4178 4178->4177 
4179 4014b7 4180 4014bd 4179->4180 4181 401389 2 API calls 4180->4181 4182 4014c5 4181->4182 4183 4026ba 4184 4026c0 4183->4184 4185 402957 4184->4185 4186 4026c8 FindClose 4184->4186 4186->4185 3251 4015bb 3252 402acb 17 API calls 3251->3252 3253 4015c2 3252->3253 3254 4059d1 4 API calls 3253->3254 3255 4015ca 3254->3255 3256 401624 3255->3256 3257 405963 CharNextA 3255->3257 3267 4015f3 3255->3267 3268 40160c GetFileAttributesA 3255->3268 3275 405627 3255->3275 3283 40560a CreateDirectoryA 3255->3283 3258 401652 3256->3258 3259 401629 3256->3259 3257->3255 3261 401423 24 API calls 3258->3261 3271 401423 3259->3271 3269 40164a 3261->3269 3266 40163b SetCurrentDirectoryA 3266->3269 3267->3255 3278 40558d CreateDirectoryA 3267->3278 3268->3255 3272 4050c7 24 API calls 3271->3272 3273 401431 3272->3273 3274 405fa0 lstrcpynA 3273->3274 3274->3266 3276 406338 5 API calls 3275->3276 3277 40562e 3276->3277 3277->3255 3279 4055da 3278->3279 3280 4055de GetLastError 3278->3280 3279->3267 3280->3279 3281 4055ed SetFileSecurityA 3280->3281 3281->3279 3282 405603 GetLastError 3281->3282 3282->3279 3284 40561a 3283->3284 3285 40561e GetLastError 3283->3285 3284->3255 3285->3284 4187 40503b 4188 40504b 4187->4188 4189 40505f 4187->4189 4190 405051 4188->4190 4199 4050a8 4188->4199 4191 405067 IsWindowVisible 4189->4191 4195 40507e 4189->4195 4193 40408b SendMessageA 4190->4193 4194 405074 4191->4194 4191->4199 4192 4050ad CallWindowProcA 4196 40505b 4192->4196 4193->4196 4197 404992 5 API calls 4194->4197 4195->4192 4198 404a12 4 API calls 4195->4198 4197->4195 4198->4199 4199->4192 4200 4016bb 4201 402acb 17 API calls 4200->4201 4202 4016c1 GetFullPathNameA 4201->4202 4205 4016d8 4202->4205 4209 4016f9 4202->4209 4203 402957 4204 40170d GetShortPathNameA 4204->4203 4206 4062a3 2 API calls 4205->4206 4205->4209 4207 4016e9 4206->4207 4207->4209 4210 405fa0 lstrcpynA 4207->4210 4209->4203 4209->4204 4210->4209 4211 40273c 4212 402acb 17 API calls 4211->4212 4214 40274a 
4212->4214 4213 402760 4215 405b14 2 API calls 4213->4215 4214->4213 4216 402acb 17 API calls 4214->4216 4217 402766 4215->4217 4216->4213 4239 405b39 GetFileAttributesA CreateFileA 4217->4239 4219 402773 4220 40281c 4219->4220 4221 40277f GlobalAlloc 4219->4221 4224 402824 DeleteFileA 4220->4224 4225 402837 4220->4225 4222 402813 CloseHandle 4221->4222 4223 402798 4221->4223 4222->4220 4240 4031c4 SetFilePointer 4223->4240 4224->4225 4227 40279e 4228 4031ae ReadFile 4227->4228 4229 4027a7 GlobalAlloc 4228->4229 4230 4027f1 4229->4230 4231 4027b7 4229->4231 4232 405be0 WriteFile 4230->4232 4233 402f9c 31 API calls 4231->4233 4234 4027fd GlobalFree 4232->4234 4238 4027c4 4233->4238 4235 402f9c 31 API calls 4234->4235 4237 402810 4235->4237 4236 4027e8 GlobalFree 4236->4230 4237->4222 4238->4236 4239->4219 4240->4227 4241 401b3f 4242 402acb 17 API calls 4241->4242 4243 401b46 4242->4243 4244 402aa9 17 API calls 4243->4244 4245 401b4f wsprintfA 4244->4245 4246 402957 4245->4246

                                        Control-flow Graph

                                        APIs
                                        • SetErrorMode.KERNELBASE ref: 00403231
                                        • GetVersion.KERNEL32 ref: 00403237
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
                                        • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
                                        • OleInitialize.OLE32(00000000), ref: 004032AD
                                        • SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
                                        • GetCommandLineA.KERNEL32(1.7.5.2_x64_en-us Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",00000020,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",00000000,?,00000006,00000008,0000000A), ref: 0040331A
                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403428
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403434
                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403448
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403450
                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403461
                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403469
                                        • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040347D
                                          • Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
                                          • Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365
                                          • Part of subcall function 004037CE: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Release_1.7.5.2,1033,1.7.5.2_x64_en-us Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,1.7.5.2_x64_en-us Setup: Completed,00000000,00000002,75923410), ref: 004038BE
                                          • Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
                                          • Part of subcall function 004037CE: GetFileAttributesA.KERNEL32(: Completed), ref: 004038DC
                                          • Part of subcall function 004037CE: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Release_1.7.5.2), ref: 00403925
                                          • Part of subcall function 004037CE: RegisterClassA.USER32(0042EBA0), ref: 00403962
                                          • Part of subcall function 004036F4: CloseHandle.KERNEL32(000002C8,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF
                                        • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
                                        • ExitProcess.KERNEL32 ref: 0040354C
                                        • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403670
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
                                        • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
                                        • ExitProcess.KERNEL32 ref: 004036EE
                                          • Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                        • String ID: "$"C:\Users\user\Desktop\Photoshop_x64_en-us.exe"$.tmp$1.7.5.2_x64_en-us Setup$1033$C:\Users\user\AppData\Local\Release_1.7.5.2$C:\Users\user\AppData\Local\Release_1.7.5.2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Photoshop_x64_en-us.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                        • API String ID: 3776617018-3902185942
                                        • Opcode ID: 0c56b843355a1b5052003ad6c96391fb885e88ea16e554df3499d9c18739d90c
                                        • Instruction ID: 947ab88924f8c3b38e2aea5cfaab7316d1dfac26a51a196f62222c0ed64aafcd
                                        • Opcode Fuzzy Hash: 0c56b843355a1b5052003ad6c96391fb885e88ea16e554df3499d9c18739d90c
                                        • Instruction Fuzzy Hash: EEC1D470604741AAD7216F759E89B2F3EACAF45706F44053FF581B61E2CB7C8A058B2E

                                        Control-flow Graph: first block 405205-405221 (node and edge list not reproduced)
                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 00405264
                                        • GetDlgItem.USER32(?,000003EE), ref: 00405273
                                        • GetClientRect.USER32(?,?), ref: 004052B0
                                        • GetSystemMetrics.USER32(00000002), ref: 004052B7
                                        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
                                        • ShowWindow.USER32(?,00000008), ref: 00405353
                                        • GetDlgItem.USER32(?,000003EC), ref: 00405374
                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
                                        • GetDlgItem.USER32(?,000003F8), ref: 00405282
                                          • Part of subcall function 00404074: SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082
                                        • GetDlgItem.USER32(?,000003EC), ref: 004053C5
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005199,00000000), ref: 004053D3
                                        • CloseHandle.KERNELBASE(00000000), ref: 004053DA
                                        • ShowWindow.USER32(00000000), ref: 004053FD
                                        • ShowWindow.USER32(?,00000008), ref: 00405404
                                        • ShowWindow.USER32(00000008), ref: 0040544A
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
                                        • CreatePopupMenu.USER32 ref: 0040548F
                                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054A4
                                        • GetWindowRect.USER32(?,000000FF), ref: 004054C4
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
                                        • OpenClipboard.USER32(00000000), ref: 00405529
                                        • EmptyClipboard.USER32 ref: 0040552F
                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
                                        • GlobalLock.KERNEL32(00000000), ref: 00405542
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040556F
                                        • SetClipboardData.USER32(00000001,00000000), ref: 0040557A
                                        • CloseClipboard.USER32 ref: 00405580
                                        Strings
                                        • 1.7.5.2_x64_en-us Setup: Completed, xrefs: 004054F5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                        • String ID: 1.7.5.2_x64_en-us Setup: Completed
                                        • API String ID: 590372296-3480597815
                                        • Opcode ID: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
                                        • Instruction ID: f54484deaadc53d59d965fa3ad24bc50442bab3dbb2bc57f5e3c058b1bd1a4dd
                                        • Opcode Fuzzy Hash: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
                                        • Instruction Fuzzy Hash: 10A14871900608BFDB11AF61DE89AAF7F79FB08354F40403AFA41B61A0C7754E519F68

                                        Control-flow Graph: first block 4044d1-4044fb (node and edge list not reproduced)
                                        APIs
                                        • GetDlgItem.USER32(?,000003FB), ref: 00404520
                                        • SetWindowTextA.USER32(00000000,?), ref: 0040454A
                                        • SHAutoComplete.SHLWAPI(00000000,00000001,00000007,00000000,?,00000014,?,?,00000001,?), ref: 00404584
                                        • SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045FB
                                        • CoTaskMemFree.OLE32(00000000), ref: 00404606
                                        • lstrcmpiA.KERNEL32(: Completed,1.7.5.2_x64_en-us Setup: Completed), ref: 00404638
                                        • lstrcatA.KERNEL32(?,: Completed), ref: 00404644
                                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404656
                                          • Part of subcall function 004056A0: GetDlgItemTextA.USER32(?,?,00000400,0040468D), ref: 004056B3
                                          • Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
                                          • Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
                                          • Part of subcall function 0040620A: CharNextA.USER32(?,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
                                          • Part of subcall function 0040620A: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284
                                        • GetDiskFreeSpaceExA.KERNELBASE(C:\Users\user\AppData\Local\,?,?,?,00000001,C:\Users\user\AppData\Local\,?,?,000003FB,?), ref: 004046CD
                                        • GetDiskFreeSpaceA.KERNEL32(C:\Users\user\AppData\Local\,?,?,0000040F,?,C:\Users\user\AppData\Local\,C:\Users\user\AppData\Local\,?,00000001,C:\Users\user\AppData\Local\,?,?,000003FB,?), ref: 00404714
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F
                                          • Part of subcall function 00404888: lstrlenA.KERNEL32(1.7.5.2_x64_en-us Setup: Completed,1.7.5.2_x64_en-us Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
                                          • Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
                                          • Part of subcall function 00404888: SetDlgItemTextA.USER32(?,1.7.5.2_x64_en-us Setup: Completed), ref: 00404941
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: !;U$1.7.5.2_x64_en-us Setup: Completed$: Completed$A$C:\Users\user\AppData\Local\$C:\Users\user\AppData\Local\Release_1.7.5.2
                                        • API String ID: 4039761011-2832795098
                                        • Opcode ID: c2f3dfb5037054c53878e4ea31ef781d5b126f8ae34c199c0b7ee3e13d691d9f
                                        • Instruction ID: e7408234a4186d1eb777f56003ea07db5a22e6c17a70b9954916109459a63af9
                                        • Opcode Fuzzy Hash: c2f3dfb5037054c53878e4ea31ef781d5b126f8ae34c199c0b7ee3e13d691d9f
                                        • Instruction Fuzzy Hash: EEA170B1900219ABDB11EFA6CD41AAF77B8EF85314F50843BF601B62D1DB7C89418B6D
                                        APIs
                                        • FindFirstFileA.KERNELBASE(75923410,0042C0C0,0042BC78,00405A69,0042BC78,0042BC78,00000000,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 004062AE
                                        • FindClose.KERNEL32(00000000), ref: 004062BA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                        • Instruction ID: 1e2c953ed1559e2f686ededff4fae2b078191910b4ed7f61f032671a7c701700
                                        • Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                        • Instruction Fuzzy Hash: ACD01236519020ABC21027787E0C84B7A589F053347118A7BF4A6F21E0C7348C6686DC

                                        Control-flow Graph: first block 403b6b-403b7d (node and edge list not reproduced)
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
                                        • ShowWindow.USER32(?), ref: 00403BC4
                                        • DestroyWindow.USER32 ref: 00403BD8
                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BF4
                                        • GetDlgItem.USER32(?,?), ref: 00403C15
                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
                                        • IsWindowEnabled.USER32(00000000), ref: 00403C30
                                        • GetDlgItem.USER32(?,00000001), ref: 00403CDE
                                        • GetDlgItem.USER32(?,00000002), ref: 00403CE8
                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403D02
                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D53
                                        • GetDlgItem.USER32(?,00000003), ref: 00403DF9
                                        • ShowWindow.USER32(00000000,?), ref: 00403E1A
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E2C
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E47
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E5D
                                        • EnableMenuItem.USER32(00000000), ref: 00403E64
                                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E7C
                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
                                        • lstrlenA.KERNEL32(1.7.5.2_x64_en-us Setup: Completed,?,1.7.5.2_x64_en-us Setup: Completed,00000000), ref: 00403EB9
                                        • SetWindowTextA.USER32(?,1.7.5.2_x64_en-us Setup: Completed), ref: 00403EC8
                                        • ShowWindow.USER32(?,0000000A), ref: 00403FFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                        • String ID: 1.7.5.2_x64_en-us Setup: Completed
                                        • API String ID: 1252290697-3480597815
                                        • Opcode ID: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
                                        • Instruction ID: 5f88be39a50f3dd075596c1c1d09af532afca629c850b085fe9e60943a8810da
                                        • Opcode Fuzzy Hash: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
                                        • Instruction Fuzzy Hash: B7C19171604605ABEB206F62DE45E2B3FBCEB4570AF40053EF642B11E1CB799942DB1D

                                        Control-flow Graph: first block 4037ce-4037e6 (node and edge list not reproduced)
                                        APIs
                                          • Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
                                          • Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365
                                        • lstrcatA.KERNEL32(1033,1.7.5.2_x64_en-us Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,1.7.5.2_x64_en-us Setup: Completed,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",00000000), ref: 00403849
                                        • lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Release_1.7.5.2,1033,1.7.5.2_x64_en-us Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,1.7.5.2_x64_en-us Setup: Completed,00000000,00000002,75923410), ref: 004038BE
                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
                                        • GetFileAttributesA.KERNEL32(: Completed), ref: 004038DC
                                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Release_1.7.5.2), ref: 00403925
                                          • Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B
                                        • RegisterClassA.USER32(0042EBA0), ref: 00403962
                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
                                        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039AF
                                        • ShowWindow.USER32(00000005,00000000), ref: 004039E5
                                        • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A11
                                        • GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A1E
                                        • RegisterClassA.USER32(0042EBA0), ref: 00403A27
                                        • DialogBoxParamA.USER32(?,00000000,00403B6B,00000000), ref: 00403A46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: "C:\Users\user\Desktop\Photoshop_x64_en-us.exe"$.DEFAULT\Control Panel\International$.exe$1.7.5.2_x64_en-us Setup: Completed$1033$: Completed$C:\Users\user\AppData\Local\Release_1.7.5.2$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                        • API String ID: 1975747703-381932712
                                        • Opcode ID: 28a6cb2043b9e6f93c7e77f288588c57623ef7bc68a152342dd55961b2cdd3aa
                                        • Instruction ID: 8d2c68cc78653f9ce1e9d6bc3eacbdf8e43f68bf53c64efb99e72e2069adee56
                                        • Opcode Fuzzy Hash: 28a6cb2043b9e6f93c7e77f288588c57623ef7bc68a152342dd55961b2cdd3aa
                                        • Instruction Fuzzy Hash: BE61EA70340601BED620BB669D46F373EACEB54749F40447FF985B22E2CB7C59069A2D

                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402D74
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,00000400), ref: 00402D90
                                          • Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,80000000,00000003), ref: 00405B3D
                                          • Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F
                                        • GetFileSize.KERNEL32(00000000,00000000,Photoshop_x64_en-us.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,80000000,00000003), ref: 00402DDC
                                        Strings
                                        • Error launching installer, xrefs: 00402DB3
                                        • "C:\Users\user\Desktop\Photoshop_x64_en-us.exe", xrefs: 00402D63
                                        • Null, xrefs: 00402E5A
                                        • C:\Users\user\Desktop\Photoshop_x64_en-us.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
                                        • C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
                                        • Inst, xrefs: 00402E48
                                        • Photoshop_x64_en-us.exe, xrefs: 00402DD0
                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
                                        • soft, xrefs: 00402E51
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
                                        Similarity
                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                        • String ID: "C:\Users\user\Desktop\Photoshop_x64_en-us.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Photoshop_x64_en-us.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$Photoshop_x64_en-us.exe$soft
                                        • API String ID: 4283519449-3016161947
                                        • Opcode ID: 00a06a9a68cc67566cb868d600969febe4cd82948185b04c924e3ebd15472d20
                                        • Instruction ID: 2bf3385630e85dd4df9d7bf2b803376e12afffe2b97a8d7f9aa5fd2bd7c684e6
                                        • Opcode Fuzzy Hash: 00a06a9a68cc67566cb868d600969febe4cd82948185b04c924e3ebd15472d20
                                        • Instruction Fuzzy Hash: BD51F571900214ABDB219F65DE89B9F7AB8EB14368F50403BF904B72D0C7BC9D458BAD

                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 004060ED
                                        • GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,004050FF,Completed,00000000), ref: 00406100
                                        • SHGetSpecialFolderLocation.SHELL32(004050FF,759223A0,?,Completed,00000000,004050FF,Completed,00000000), ref: 0040613C
                                        • SHGetPathFromIDListA.SHELL32(759223A0,: Completed), ref: 0040614A
                                        • CoTaskMemFree.OLE32(759223A0), ref: 00406156
                                        • lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
                                        • lstrlenA.KERNEL32(: Completed,?,Completed,00000000,004050FF,Completed,00000000,00000000,0041CD5D,759223A0), ref: 004061CC
                                        Similarity
                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                        • String ID: !;U$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 717251189-2991185782
                                        • Opcode ID: 3c1c995c5f9bde827c4174b96e9e8874e10e0fc44bc72d96516fe9b754b6549c
                                        • Instruction ID: 277d3937a9213029abeea5e1082be0a56f2569e83deff567e7d71b2b9830288d
                                        • Opcode Fuzzy Hash: 3c1c995c5f9bde827c4174b96e9e8874e10e0fc44bc72d96516fe9b754b6549c
                                        • Instruction Fuzzy Hash: 2B61E375900105AEDB209F24CD84BBF7BA4AB15314F52413FEA03BA2D2C67C8962CB5D

                                        APIs
                                        • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\msquic.dll,C:\Users\user\AppData\Local\Release_1.7.5.2,00000000,00000000,00000031), ref: 00401798
                                        • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\msquic.dll,C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\msquic.dll,00000000,00000000,C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\msquic.dll,C:\Users\user\AppData\Local\Release_1.7.5.2,00000000,00000000,00000031), ref: 004017C2
                                          • Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,1.7.5.2_x64_en-us Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD
                                          • Part of subcall function 004050C7: lstrlenA.KERNEL32(Completed,00000000,0041CD5D,759223A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
                                          • Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Completed,00000000,0041CD5D,759223A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
                                          • Part of subcall function 004050C7: lstrcatA.KERNEL32(Completed,004030F7,004030F7,Completed,00000000,0041CD5D,759223A0), ref: 00405123
                                          • Part of subcall function 004050C7: SetWindowTextA.USER32(Completed,Completed), ref: 00405135
                                          • Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
                                          • Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
                                          • Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Release_1.7.5.2$C:\Users\user\AppData\Local\Release_1.7.5.2$C:\Users\user\AppData\Local\Release_1.7.5.2\shared\Microsoft.NETCore.App\8.0.8\msquic.dll
                                        • API String ID: 1941528284-412111112
                                        • Opcode ID: 314d660de66636c29a68347d349d4073d53d9a3baf3ac9617792df369dcc4375
                                        • Instruction ID: 9917b4e32c30e3d06e99a245a18197bb2030eb542a9362b48aff858cdbf0b6bf
                                        • Opcode Fuzzy Hash: 314d660de66636c29a68347d349d4073d53d9a3baf3ac9617792df369dcc4375
                                        • Instruction Fuzzy Hash: C541A571A00515BACF107BA5CD45EAF3678EF45368F60823FF421F20E1D67C8A418AAE

                                        APIs
                                        • lstrlenA.KERNEL32(Completed,00000000,0041CD5D,759223A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
                                        • lstrlenA.KERNEL32(004030F7,Completed,00000000,0041CD5D,759223A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
                                        • lstrcatA.KERNEL32(Completed,004030F7,004030F7,Completed,00000000,0041CD5D,759223A0), ref: 00405123
                                        • SetWindowTextA.USER32(Completed,Completed), ref: 00405135
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID: Completed
                                        • API String ID: 2531174081-3087654605
                                        • Opcode ID: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
                                        • Instruction ID: 4d1d9eb5ffa78b07b8376cbf0c4e91ada4ce3c5a86d4cc872ddc87c593067670
                                        • Opcode Fuzzy Hash: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
                                        • Instruction Fuzzy Hash: 69214A71900518BADB119FA5CD84A9FBFA9EB09354F14807AF944AA291C7398E418F98

                                        Similarity
                                        • API ID: CountTick$wsprintf
                                        • String ID: (TA$(TA$... %d%%
                                        • API String ID: 551687249-2950751476
                                        • Opcode ID: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
                                        • Instruction ID: 5c281e24a88a3bae7ae2a550c5808c60fec2149314028a17d76778b6f2aa7d1b
                                        • Opcode Fuzzy Hash: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
                                        • Instruction Fuzzy Hash: BB518171900219DBDB00DF66DA4479E7BB8EF4875AF10453BE814BB2D0C7789E40CBA9

                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
                                        • wsprintfA.USER32 ref: 0040631A
                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%s.dll$UXTHEME$\
                                        • API String ID: 2200240437-4240819195
                                        • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                        • Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
                                        • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                        • Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

                                        APIs
                                        • lstrlenA.KERNEL32(1.7.5.2_x64_en-us Setup: Completed,1.7.5.2_x64_en-us Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
                                        • wsprintfA.USER32 ref: 0040492E
                                        • SetDlgItemTextA.USER32(?,1.7.5.2_x64_en-us Setup: Completed), ref: 00404941
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s$1.7.5.2_x64_en-us Setup: Completed
                                        • API String ID: 3540041739-3421790784
                                        • Opcode ID: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
                                        • Instruction ID: 1010f8f0fc76c68cf0e8b2cd769f4e8eee9817d82106679565c36b77a1653ccb
                                        • Opcode Fuzzy Hash: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
                                        • Instruction Fuzzy Hash: FB110677A042282BEB00656D9C41EAF3698DB81334F25463BFA65F21D1E978CC1242E9

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 763 405b68-405b72 764 405b73-405b9e GetTickCount GetTempFileNameA 763->764 765 405ba0-405ba2 764->765 766 405bad-405baf 764->766 765->764 767 405ba4 765->767 768 405ba7-405baa 766->768 767->768
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00405B7C
                                        • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96
                                        Strings
                                        • "C:\Users\user\Desktop\Photoshop_x64_en-us.exe", xrefs: 00405B68
                                        • nsa, xrefs: 00405B73
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6B
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: "C:\Users\user\Desktop\Photoshop_x64_en-us.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-4282938907
                                        • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                        • Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
                                        • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                        • Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 769 401c0a-401c2a call 402aa9 * 2 774 401c36-401c3a 769->774 775 401c2c-401c33 call 402acb 769->775 777 401c46-401c4c 774->777 778 401c3c-401c43 call 402acb 774->778 775->774 781 401c9a-401cc0 call 402acb * 2 FindWindowExA 777->781 782 401c4e-401c6a call 402aa9 * 2 777->782 778->777 794 401cc6 781->794 792 401c8a-401c98 SendMessageA 782->792 793 401c6c-401c88 SendMessageTimeoutA 782->793 792->794 795 401cc9-401ccc 793->795 794->795 796 401cd2 795->796 797 402957-402966 795->797 796->797
                                        APIs
                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
                                        • Instruction ID: 6061c88af419790da573c0436b06ac7d5ed1a9fd9516c3c4f7c631bff8e6d743
                                        • Opcode Fuzzy Hash: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
                                        • Instruction Fuzzy Hash: 2621A271E44209BEEF15DFA5D986AAE7BB4EF84304F24843EF501B61D0CB7885418F28

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 800 4015bb-4015ce call 402acb call 4059d1 805 4015d0-4015e3 call 405963 800->805 806 401624-401627 800->806 814 4015e5-4015e8 805->814 815 4015fb-4015fc call 40560a 805->815 808 401652-402242 call 401423 806->808 809 401629-401644 call 401423 call 405fa0 SetCurrentDirectoryA 806->809 823 402957-402966 808->823 824 40271c-402723 808->824 809->823 827 40164a-40164d 809->827 814->815 820 4015ea-4015f1 call 405627 814->820 825 401601-401603 815->825 820->815 831 4015f3-4015f9 call 40558d 820->831 824->823 828 401605-40160a 825->828 829 40161a-401622 825->829 827->823 832 401617 828->832 833 40160c-401615 GetFileAttributesA 828->833 829->805 829->806 831->825 832->829 833->829 833->832
                                        APIs
                                          • Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
                                          • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
                                          • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8
                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                          • Part of subcall function 0040558D: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0
                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Release_1.7.5.2,00000000,00000000,000000F0), ref: 0040163C
                                        Strings
                                        • C:\Users\user\AppData\Local\Release_1.7.5.2, xrefs: 00401631
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                        • String ID: C:\Users\user\AppData\Local\Release_1.7.5.2
                                        • API String ID: 1892508949-3796708228
                                        • Opcode ID: f0cbd9c1b325b376272a317df95519341cc2b91b44784a6a57c25228b43916ba
                                        • Instruction ID: df45c6993d6bc62f872b04d9318ddfa5d1dc0af5cd0ca16cddc76749c9d8dee7
                                        • Opcode Fuzzy Hash: f0cbd9c1b325b376272a317df95519341cc2b91b44784a6a57c25228b43916ba
                                        • Instruction Fuzzy Hash: B6112731608152EBCF217BB54D419BF66B0DA92324F68093FE5D1B22E2D63D49439A3F
                                        APIs
                                          • Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,1.7.5.2_x64_en-us Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD
                                          • Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
                                          • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
                                          • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8
                                        • lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A79
                                        • GetFileAttributesA.KERNELBASE(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,75923410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405A89
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26
                                        Similarity
                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 3248276644-823278215
                                        • Opcode ID: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
                                        • Instruction ID: ffa0610acded3722bed2d7d96fb1c232a132fb9d66bc0fefd21ab2e8d06464ef
                                        • Opcode Fuzzy Hash: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
                                        • Instruction Fuzzy Hash: 4EF04C25305D6556C622723A1C89AAF1A04CED3324759073FF891F12D2DB3C8A439DBE
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                        • Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
                                        • Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                        • Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 004051A9
                                          • Part of subcall function 0040408B: SendMessageA.USER32(0002043A,00000000,00000000,00000000), ref: 0040409D
                                        • CoUninitialize.COMBASE(00000404,00000000), ref: 004051F5
                                        Similarity
                                        • API ID: InitializeMessageSendUninitialize
                                        • String ID:
                                        • API String ID: 2896919175-0
                                        • Opcode ID: 4d5a35a9e69c381e3a71e49746e515aeb3c7a3ab989e8b49d3278fd537e00ed7
                                        • Instruction ID: 9a4107cfbe68633d7303be5c07e0fe70bc3b4157787a3ac4c512c47dfa525867
                                        • Opcode Fuzzy Hash: 4d5a35a9e69c381e3a71e49746e515aeb3c7a3ab989e8b49d3278fd537e00ed7
                                        • Instruction Fuzzy Hash: 44F02472A006009BE75067509E00B1777B0DBA0314F89043EFF84B72E0CAB548068A6D
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406365
                                          • Part of subcall function 004062CA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
                                          • Part of subcall function 004062CA: wsprintfA.USER32 ref: 0040631A
                                          • Part of subcall function 004062CA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        • Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
                                        • Instruction ID: b6ec051a43833f1e75efb6c097fb1b7945085d0745a1c08503facd7b36b6f755
                                        • Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
                                        • Instruction Fuzzy Hash: 88E08C32604210ABD2106A709E0493B63A9AF88710306483EFA46F2240DB389C3696AD
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,80000000,00000003), ref: 00405B3D
                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                        • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                        • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                        • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B2D
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                        • Instruction ID: a6801623bae5b64e590af13d118403295127a001a29879099f28d41f07625d68
                                        • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                        • Instruction Fuzzy Hash: A4D0C972504121ABC2102728AE0889BBB65DB54271702CA36F8A9A26B1DB304C569A98
                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,00000000,004031FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405610
                                        • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040561E
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                        • Instruction ID: e893664a09cf2e9e2c2936498d7e4fae4244a4ac8c06b28443c2d62416ddc455
                                        • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                        • Instruction Fuzzy Hash: 1AC08C302109029BDA001B309E08B173A95AB90381F118839604AE40B0CE32C405CD2E
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403177,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BF4
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                        • Instruction ID: a276b01dc183147df0450da273931698a90403b1c9d2199bac4a8b1ac439e1da
                                        • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                        • Instruction Fuzzy Hash: B9E0EC3221476AABEF509E559C04AEB7B6CFB05360F008436FD55E2150D631E9219BA8
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031C1,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BC5
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        APIs
                                        • SetDlgItemTextA.USER32(?,?,00000000), ref: 00404059
                                        Similarity
                                        • API ID: ItemText
                                        • String ID:
                                        • API String ID: 3367045223-0
                                        APIs
                                        • SendMessageA.USER32(0002043A,00000000,00000000,00000000), ref: 0040409D
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                        • SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 004031D2
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        APIs
                                        • GetDlgItemTextA.USER32(?,?,00000400,0040468D), ref: 004056B3
                                        Similarity
                                        • API ID: ItemText
                                        • String ID:
                                        • API String ID: 3367045223-0
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,00403E3D), ref: 0040406B
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 00404A5C
                                        • GetDlgItem.USER32(?,00000408), ref: 00404A67
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
                                        • LoadBitmapA.USER32(0000006E), ref: 00404AC4
                                        • SetWindowLongA.USER32(?,000000FC,0040503B), ref: 00404ADD
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
                                        • DeleteObject.GDI32(00000000), ref: 00404B3A
                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
                                        • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00404C74
                                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C82
                                        • ShowWindow.USER32(?,00000005), ref: 00404C93
                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00404E63
                                        • GlobalFree.KERNEL32(00000000), ref: 00404E73
                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
                                        • SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404FC4
                                        • ShowWindow.USER32(?,00000000), ref: 00405012
                                        • GetDlgItem.USER32(?,000003FE), ref: 0040501D
                                        • ShowWindow.USER32(00000000), ref: 00405024
                                        Similarity
                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $!;U$M$N
                                        • API String ID: 1638840714-3655259287
                                        APIs
                                        • DeleteFileA.KERNEL32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405791
                                        • lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D9
                                        • lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057FA
                                        • lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405800
                                        • FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405811
                                        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
                                        • FindClose.KERNEL32(00000000), ref: 004058CF
                                        Strings
                                        • "C:\Users\user\Desktop\Photoshop_x64_en-us.exe", xrefs: 00405768
                                        • \*.*, xrefs: 004057D3
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405775
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\Photoshop_x64_en-us.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                        • API String ID: 2035342205-3448623390
                                        APIs
                                        • CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202
                                        Strings
                                        • C:\Users\user\AppData\Local\Release_1.7.5.2, xrefs: 00402193
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID: C:\Users\user\AppData\Local\Release_1.7.5.2
                                        • API String ID: 123533781-3796708228
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        APIs
                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404235
                                        • GetDlgItem.USER32(00000000,000003E8), ref: 00404249
                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404267
                                        • GetSysColor.USER32(?), ref: 00404278
                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
                                        • lstrlenA.KERNEL32(?), ref: 00404299
                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
                                        • GetDlgItem.USER32(?,0000040A), ref: 0040431F
                                        • SendMessageA.USER32(00000000), ref: 00404322
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040434D
                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040438D
                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0040439C
                                        • SetCursor.USER32(00000000), ref: 004043A5
                                        • LoadCursorA.USER32(00000000,00007F00), ref: 004043BB
                                        • SetCursor.USER32(00000000), ref: 004043BE
                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043EA
                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                        • String ID: !;U$: Completed$N$uA@
                                        • API String ID: 3103080414-2036120492
                                        APIs
                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextA.USER32(00000000,1.7.5.2_x64_en-us Setup,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: 1.7.5.2_x64_en-us Setup$F
                                        • API String ID: 941294808-4148638735
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
                                        • GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C49
                                          • Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
                                          • Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0
                                        • GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C66
                                        • wsprintfA.USER32 ref: 00405C84
                                        • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405CBF
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
                                        • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
                                        • GlobalFree.KERNEL32(00000000), ref: 00405D6D
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74
                                          • Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,80000000,00000003), ref: 00405B3D
                                          • Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %s=%s$[Rename]
                                        • API String ID: 2171350718-1727408572
                                        APIs
                                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
                                        • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
                                        • CharNextA.USER32(?,"C:\Users\user\Desktop\Photoshop_x64_en-us.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
                                        • CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284
                                        Strings
                                        • *?|<>/":, xrefs: 00406252
                                        • "C:\Users\user\Desktop\Photoshop_x64_en-us.exe", xrefs: 00406246
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040620B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: "C:\Users\user\Desktop\Photoshop_x64_en-us.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-4269692032
                                        APIs
                                        • GetWindowLongA.USER32(?,000000EB), ref: 004040C3
                                        • GetSysColor.USER32(00000000), ref: 00404101
                                        • SetTextColor.GDI32(?,00000000), ref: 0040410D
                                        • SetBkMode.GDI32(?,?), ref: 00404119
                                        • GetSysColor.USER32(?), ref: 0040412C
                                        • SetBkColor.GDI32(?,?), ref: 0040413C
                                        • DeleteObject.GDI32(?), ref: 00404156
                                        • CreateBrushIndirect.GDI32(?), ref: 00404160
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • API String ID: 2320649405-0
                                        APIs
                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
                                        • GetMessagePos.USER32 ref: 004049B5
                                        • ScreenToClient.USER32(?,?), ref: 004049CF
                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        APIs
                                        • GetDC.USER32(?), ref: 00401D9E
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
                                        • ReleaseDC.USER32(?,00000000), ref: 00401DD1
                                        • CreateFontIndirectA.GDI32(0040B818), ref: 00401E20
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                        • String ID: MS Shell Dlg
                                        • API String ID: 3808545654-76309092
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
                                        • MulDiv.KERNEL32(01726CAC,00000064,01726CB0), ref: 00402CC2
                                        • wsprintfA.USER32 ref: 00402CD2
                                        • SetWindowTextA.USER32(?,?), ref: 00402CE2
                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402CCC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        APIs
                                        • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0
                                        • GetLastError.KERNEL32 ref: 004055E4
                                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
                                        • GetLastError.KERNEL32 ref: 00405603
                                        Strings
                                        • C:\Users\user\Desktop, xrefs: 0040558D
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004055B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                        • API String ID: 3449924974-1521822154
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
                                        • GlobalFree.KERNEL32(?), ref: 004027EB
                                        • GlobalFree.KERNEL32(00000000), ref: 004027FE
                                        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3342441400.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3342422570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342464049.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342483231.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3342564517.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_Photoshop_x64_en-us.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                        APIs
                                        • GetDlgItem.USER32(?), ref: 00401D45
                                        • GetClientRect.USER32(00000000,?), ref: 00401D52
                                        • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
                                        • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
                                        • DeleteObject.GDI32(00000000), ref: 00401D90
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        APIs
                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 0040593E
                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405947
                                        • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405958
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405938
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040202E
                                          • Part of subcall function 004050C7: lstrlenA.KERNEL32(Completed,00000000,0041CD5D,759223A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
                                          • Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Completed,00000000,0041CD5D,759223A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
                                          • Part of subcall function 004050C7: lstrcatA.KERNEL32(Completed,004030F7,004030F7,Completed,00000000,0041CD5D,759223A0), ref: 00405123
                                          • Part of subcall function 004050C7: SetWindowTextA.USER32(Completed,Completed), ref: 00405135
                                          • Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
                                          • Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
                                          • Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183
                                        • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040203E
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8
                                        Similarity
                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                        APIs
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C
                                        Similarity
                                        • API ID: Close$Enum
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
                                        • GetTickCount.KERNEL32 ref: 00402D30
                                        • CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
                                        • ShowWindow.USER32(00000000,00000005), ref: 00402D5B
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 0040506A
                                        • CallWindowProcA.USER32(?,?,?,?), ref: 004050BB
                                          • Part of subcall function 0040408B: SendMessageA.USER32(0002043A,00000000,00000000,00000000), ref: 0040409D
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        APIs
                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,004060CB,80000002), ref: 00405ECD
                                        • RegCloseKey.ADVAPI32(?,?,004060CB,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 00405ED8
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID: : Completed
                                        APIs
                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 00405668
                                        • CloseHandle.KERNEL32(?), ref: 00405675
                                        Strings
                                        • Error launching installer, xrefs: 00405652
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID: Error launching installer
                                        APIs
                                        • FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,00403711,0040352B,?,?,00000006,00000008,0000000A), ref: 00403753
                                        • GlobalFree.KERNEL32(00000000), ref: 0040375A
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403739
                                        Similarity
                                        • API ID: Free$GlobalLibrary
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        APIs
                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,80000000,00000003), ref: 00405985
                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,C:\Users\user\Desktop\Photoshop_x64_en-us.exe,80000000,00000003), ref: 00405993
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AC6
                                        • CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi