
Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16359.15944.exe

Overview

General Information

Sample name:SecuriteInfo.com.FileRepMalware.16359.15944.exe
Analysis ID:1542662
MD5:1ef81575c0f526800283239b2469818d
SHA1:16509b0ae23980c3d49afe176d61e770affd8112
SHA256:bf5ae3f1cfe10e6772e1ca445a9a49280141746d9a5a72bccfe3eb5786a6c9a0
Tags:exe
Infos:

Detection

Score:45
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:47
Range:0 - 100

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to log keystrokes (.Net Source)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.16359.15944.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe" MD5: 1EF81575C0F526800283239B2469818D)
    • KillProcPCTT.exe (PID: 6332 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe MD5: 58AB737BC9B7870455589C683CBBE7D9)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mssched.exe (PID: 1248 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe MD5: DDD7094ECD63758C260126E8A8D7880F)
  • mssched.exe (PID: 7108 cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" MD5: DDD7094ECD63758C260126E8A8D7880F)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe, ProcessId: 6660, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scheduler
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe | ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | ReversingLabs: Detection: 62%
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Virustotal: Detection: 67%

Compliance

Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdbSHA256 | source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256 | source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindowsjusched\jusched32\obj\Debug\jusched32.pdb | source: jusched32.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb,g | source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdb | source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdbSHA256t | source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdba*{* m*_CorExeMainmscoree.dll | source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb | source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdb | source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb | source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdbSHA256 | source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdb | source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: .pdb | source: AWSSDK.S3.dll.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdb | source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\norritb\Documents\git\NsisDotNetChecker\plugin\Release\DotNetChecker.pdb | source: DotNetChecker.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4x nop then jmp 00007FF848E72B09h 4_2_00007FF848E70A7A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4x nop then jmp 00007FF848E72B09h 4_2_00007FF848E72A75
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4x nop then jmp 00007FF848E71806h 4_2_00007FF848E7165F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4x nop then jmp 00007FF848E91806h 6_2_00007FF848E91606
Source: AWSSDK.Core.dll.0.dr | String found in binary or memory: http://169.254.169.254
Source: AWSSDK.Core.dll.0.dr | String found in binary or memory: http://169.254.170.2
Source: AWSSDK.Core.dll.0.dr | String found in binary or memory: http://169.254.170.2aUnable
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: mssched.exe, 00000004.00000002.3324489153.000001FC2E3B0000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2196206672.00000125E4BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: AWSSDK.S3.dll.0.dr | String found in binary or memory: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html)
Source: AWSSDK.Core.dll.0.dr | String found in binary or memory: http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: http://pctattletale.com/amazonfix.php
Source: AWSSDK.S3.dll.0.dr | String found in binary or memory: http://s3.amazonaws.com/doc/2006-03-01/
Source: mssched.exe, 00000004.00000002.3322345709.000001FC15A14000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: http://www.pctattletale.com/members/autologinfirstrun.php?AuthKey=
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: http://www.pctattletale.com/members/forgotpassword.php
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe, 00000004.00000002.3322345709.000001FC15AA7000.00000004.00000800.00020000.00000000.sdmp, mssched.exe.0.dr | String found in binary or memory: http://www.pctattletale.com/removal.php
Source: AWSSDK.Core.dll.0.dr | String found in binary or memory: https://ip-ranges.amazonaws.com/ip-ranges.json
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/AddComputer
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/AddExclusionAccount
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/CreateAccount
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/DeleteComputer
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/GetComputerStatus
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/SendKeyStrokes
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com/members/signup.php?source=PCTTSiteWinDownloadqhttp://www.pctattletale.com/m
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe, 00000004.00000002.3322345709.000001FC15941000.00000004.00000800.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2192544443.00000125CC3A1000.00000004.00000800.00020000.00000000.sdmp, mssched.exe.0.dr | String found in binary or memory: https://pctattletale.com:443/app/Authenticationv14.php
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.0.dr | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: mssched.exe.0.dr, UserActivityHook.cs | .Net Code: Start
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4_2_00007FF848E75D5F 4_2_00007FF848E75D5F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4_2_00007FF848E754DC 4_2_00007FF848E754DC
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAWSSDK.Core.dllb! vs SecuriteInfo.com.FileRepMalware.16359.15944.exe
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: mssched.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AWSSDK.Core.dll.0.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal45.spyw.winEXE@7/13@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KillProcPCTT.exe.log
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Users\user\AppData\Local\Temp\nsq505C.tmp
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe | Virustotal: Detection: 67%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: riched20.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: usp10.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: msls31.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: ieframe.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: sxs.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: riched20.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: usp10.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: msls31.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exeStatic PE information: certificate valid
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exeStatic file information: File size 1585816 > 1048576
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdbSHA256 source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256 source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindowsjusched\jusched32\obj\Debug\jusched32.pdb source: jusched32.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb,g source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdb source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdbSHA256t source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdba*{* m*_CorExeMainmscoree.dll source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdb source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdbSHA256 source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdb source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: .pdb source: AWSSDK.S3.dll.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdb source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\norritb\Documents\git\NsisDotNetChecker\plugin\Release\DotNetChecker.pdb source: DotNetChecker.dll.0.dr
Source: KillProcPCTT.exe.0.dr | Static PE information: 0x8FC92EDE [Mon Jun 11 10:43:42 2046 UTC]
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4_2_00007FF848E75976 push edi; retf 4_2_00007FF848E759D6
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4_2_00007FF848E700BD pushad ; iretd 4_2_00007FF848E700C1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Code function: 4_2_00007FF848E72021 push ebx; iretd 4_2_00007FF848E7203A
Source: mssched.exe.0.dr | Static PE information: section name: .text entropy: 7.467575341224463
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.S3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\DotNetChecker.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run scheduler
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Memory allocated: 1FC13FB0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Memory allocated: 1FC2D940000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Memory allocated: 125CA9E0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Memory allocated: 125E43A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.S3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.Core.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\DotNetChecker.dll
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe TID: 7104 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose,0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Thread delayed: delay time: 922337203685477
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092806026.000000000060F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | API call chain: ExitProcess graph end node graph_0-3420
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Memory allocated: page read and write | page guard
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe VolumeInformation
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe VolumeInformation
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
MITRE ATT&CK Matrix (techniques with matching behaviour signatures; the number in parentheses is the count shown beside the technique in the matrix)

Tactic | Technique(s)
Reconnaissance | none matched
Resource Development | none matched
Initial Access | none matched
Execution | none matched
Persistence | Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Privilege Escalation | Access Token Manipulation (1); Process Injection (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Defense Evasion | Masquerading (2); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (1); Obfuscated Files or Information (4); Software Packing (2); Timestomp (1); DLL Side-Loading (1)
Credential Access | Input Capture (1)
Discovery | Query Registry (1); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); File and Directory Discovery (2); System Information Discovery (15)
Lateral Movement | none matched
Collection | Input Capture (1); Archive Collected Data (1); Clipboard Data (1)
Command and Control | Encrypted Channel (1)
Exfiltration | none matched
Impact | System Shutdown/Reboot (1)
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior graph (image not included; the text recoverable from the graph export follows). Behavior Graph ID: 1542662, Sample: SecuriteInfo.com.FileRepMal..., Start date: 26/10/2024, Architecture: WINDOWS, Score: 45.
  • Signatures attached to the start node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Contains functionality to log keystrokes (.Net Source)
  • Processes started from the start node: SecuriteInfo.com.FileRepMalware.16359.15944.exe (node counters 2, 21) and mssched.exe (3)
  • Files dropped by SecuriteInfo.com.FileRepMalware.16359.15944.exe: C:\Users\user\AppData\...\DotNetChecker.dll (PE32), C:\Program Files (x86)\...\mssched.exe (PE32), C:\Program Files (x86)\...\jusched32.exe (PE32), and 4 other files (none is malicious)
  • Processes started by SecuriteInfo.com.FileRepMalware.16359.15944.exe: KillProcPCTT.exe (2) and mssched.exe (10)
  • Process started by KillProcPCTT.exe: conhost.exe
Submitted sample
Source | Detection | Scanner | Label
SecuriteInfo.com.FileRepMalware.16359.15944.exe | 61% | ReversingLabs | Win32.Trojan.Malgent
SecuriteInfo.com.FileRepMalware.16359.15944.exe | 67% | Virustotal | 

Dropped files
Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.Core.dll | 0% | ReversingLabs | 
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.S3.dll | 0% | ReversingLabs | 
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe | 0% | ReversingLabs | 
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll | 0% | ReversingLabs | 
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe | 25% | ReversingLabs | Win32.Trojan.Generic
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe | 62% | ReversingLabs | Win32.Spyware.PcTattletale
C:\Users\user\AppData\Local\Temp\nsl5176.tmp\DotNetChecker.dll | 0% | ReversingLabs | 

No Antivirus matches
No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
https://www.newtonsoft.com/jsonschema | 0% | URL Reputation | safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://169.254.170.2 | 0% | Virustotal | 
http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html | 0% | Virustotal | 
https://pctattletale.com/app/Authenticationv14.php/AddComputer | 0% | Virustotal | 
https://www.newtonsoft.com/json | 0% | Virustotal | 
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html | AWSSDK.Core.dll.0.dr | false | - | unknown
https://sectigo.com/CPS0 | mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://169.254.170.2 | AWSSDK.Core.dll.0.dr | false | - | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | false | URL Reputation: safe | unknown
https://pctattletale.com/app/Authenticationv14.php/AddComputer | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | false | URL Reputation: safe | unknown
https://www.newtonsoft.com/json | Newtonsoft.Json.dll.0.dr | false | - | unknown
http://s3.amazonaws.com/doc/2006-03-01/ | AWSSDK.S3.dll.0.dr | false | - | unknown
http://169.254.170.2aUnable | AWSSDK.Core.dll.0.dr | false | - | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.FileRepMalware.16359.15944.exe | false | URL Reputation: safe | unknown
http://www.pctattletale.com/members/autologinfirstrun.php?AuthKey= | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
https://pctattletale.com/app/Authenticationv14.php/SendKeyStrokes | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
https://pctattletale.com/app/Authenticationv14.php/CreateAccount | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
http://james.newtonking.com/projects/json | Newtonsoft.Json.dll.0.dr | false | URL Reputation: safe | unknown
https://pctattletale.com/app/Authenticationv14.php/AddExclusionAccount | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
http://pctattletale.com/amazonfix.php | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
https://pctattletale.com/app/Authenticationv14.php/DeleteComputer | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
https://pctattletale.com:443/app/Authenticationv14.php | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe, 00000004.00000002.3322345709.000001FC15941000.00000004.00000800.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2192544443.00000125CC3A1000.00000004.00000800.00020000.00000000.sdmp, mssched.exe.0.dr | false | - | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr | false | URL Reputation: safe | unknown
http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html) | AWSSDK.S3.dll.0.dr | false | - | unknown
http://www.pctattletale.com/members/forgotpassword.php | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
https://www.newtonsoft.com/jsonschema | Newtonsoft.Json.dll.0.dr | false | URL Reputation: safe | unknown
https://ip-ranges.amazonaws.com/ip-ranges.json | AWSSDK.Core.dll.0.dr | false | - | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | Newtonsoft.Json.dll.0.dr | false | URL Reputation: safe | unknown
http://www.pctattletale.com/removal.php | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe, 00000004.00000002.3322345709.000001FC15AA7000.00000004.00000800.00020000.00000000.sdmp, mssched.exe.0.dr | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | mssched.exe, 00000004.00000002.3322345709.000001FC15A14000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://169.254.169.254 | AWSSDK.Core.dll.0.dr | false | - | unknown
https://pctattletale.com/members/signup.php?source=PCTTSiteWinDownloadqhttp://www.pctattletale.com/m | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown
https://pctattletale.com/app/Authenticationv14.php/GetComputerStatus | mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr | false | - | unknown

Reading this table: the classification string (mal45.spyw.winEXE@7/13@0/0) and the "No contacted domains info" / "No contacted IP infos" entries mean none of these hosts was reached during the run; the URLs are static strings carved from the dropped binaries, so the Encrypted Channel mapping in the matrix rests on strings, not observed traffic. The pctattletale.com endpoints (AddComputer, SendKeyStrokes, GetComputerStatus, DeleteComputer, removal.php) are the product's own backend and fit both the keystroke-logging signature and the Win32.Spyware.PcTattletale label on mssched.exe. The Sectigo URLs are the code-signing certificate chain (CRL, OCSP, AIA), and the Newtonsoft and AWS SDK URLs (including the 169.254.x.x metadata endpoints) are library resource strings. For blocking or hunting, only the pctattletale.com hosts are meaningful.
                                  No contacted IP infos
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1542662
                                  Start date and time:2024-10-26 05:27:10 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 49s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                  Detection:MAL
                                  Classification:mal45.spyw.winEXE@7/13@0/0
                                  EGA Information:
                                  • Successful, ratio: 25%
                                  HCA Information:
                                  • Successful, ratio: 84%
                                  • Number of executed functions: 75
                                  • Number of non-executed functions: 28
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target KillProcPCTT.exe, PID 6332 because it is empty
                                  • Execution Graph export aborted for target mssched.exe, PID 1248 because it is empty
                                  • Execution Graph export aborted for target mssched.exe, PID 7108 because it is empty
• Not all processes were analysed; the report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
Time | Type | Description
05:28:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run scheduler C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
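The dropped-file hashes, the URL strings and the autostart entry above are enough to triage other hosts for the same drop. The following Python is an added example and not part of the Joe Sandbox report: it keeps only the indicators the report supports (the two dropped files with non-zero ReversingLabs scores, the drop directory and its component names, the "scheduler" Run value, and the pctattletale.com hosts) and runs them over a constructed file inventory, registry export and proxy log. The indicator values are copied from the report; the sample inputs, the helper names and the log line format are assumptions.

```python
"""IOC triage for the PcTattletale drop described in this report.

Added example, not Joe Sandbox output. Indicator values below are copied from the
report's dropped-file, URL and autostart tables; the host inventory, registry export
and proxy log are constructed sample inputs.
"""
import re
from dataclasses import dataclass

# SHA-256 of the two dropped files with non-zero ReversingLabs scores (lower-cased).
DROPPED_SHA256 = {
    "74730dab8ef4edd2b1351eabd9d7cf049167b648f79590fdaa99dd6c6f98f60d": "mssched.exe",
    "64199356c5da71302881fc02e93f136d1c3be0e7239aae7758f598a09158a47f": "jusched32.exe",
}
# Drop directory and the components written there. The SDK/JSON DLLs are clean on
# their own, so they are only flagged when found inside this directory.
DROP_DIR = "\\common files\\microsoft shared\\scheduler\\"
DROPPED_NAMES = {"mssched.exe", "jusched32.exe", "killprocpctt.exe",
                 "awssdk.core.dll", "awssdk.s3.dll", "newtonsoft.json.dll"}
# Autostart: value "scheduler" under ...\CurrentVersion\Run (native or Wow6432Node view).
RUN_VALUE_NAME = "scheduler"
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run$", re.I)
# Hosts from the URL table that belong to the spyware backend. The Sectigo, Newtonsoft
# and AWS documentation URLs in the same table are library/cert-chain strings, not C2.
C2_HOSTS = {"pctattletale.com", "www.pctattletale.com"}
HOST_RE = re.compile(r"(?:https?://|CONNECT\s+)([a-z0-9.-]+)", re.I)


@dataclass(frozen=True)
class Hit:
    kind: str      # file_hash | file_path | autostart | network
    detail: str


def match_files(inventory):
    """inventory: iterable of (path, sha256) pairs from a host file listing."""
    hits = []
    for path, sha256 in inventory:
        lower = path.lower()
        known = DROPPED_SHA256.get(sha256.lower())
        if known:
            hits.append(Hit("file_hash", f"{path} == {known}"))
        elif DROP_DIR in lower and lower.rsplit("\\", 1)[-1] in DROPPED_NAMES:
            hits.append(Hit("file_path", path))
    return hits


def match_run_keys(entries):
    """entries: iterable of (key_path, value_name, value_data) from a registry export."""
    hits = []
    for key, name, data in entries:
        if not RUN_KEY_RE.search(key):
            continue  # RunOnce, Explorer\Run etc. are outside this indicator
        if name.lower() == RUN_VALUE_NAME or DROP_DIR in data.lower():
            hits.append(Hit("autostart", f"{key}\\{name} -> {data}"))
    return hits


def match_proxy_log(lines):
    """lines: proxy/web log lines; any line that reaches a C2 host is a hit."""
    hits = []
    for line in lines:
        if any(h.lower() in C2_HOSTS for h in HOST_RE.findall(line)):
            hits.append(Hit("network", line.strip()))
    return hits


def triage(inventory, registry, proxy_log):
    """Return hit details grouped by kind; an empty dict means nothing matched."""
    grouped = {}
    for hit in match_files(inventory) + match_run_keys(registry) + match_proxy_log(proxy_log):
        grouped.setdefault(hit.kind, []).append(hit.detail)
    return grouped


# Constructed sample inputs (not from the report): clean entries beside infected-looking ones.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
    (r"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe",
     "74730DAB8EF4EDD2B1351EABD9D7CF049167B648F79590FDAA99DD6C6F98F60D"),
    (r"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.Core.dll", "1" * 64),
]
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "scheduler",
     r"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe"),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", "scheduler",
     r"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "scheduler", r"C:\tmp\setup.exe"),
]
SAMPLE_PROXY_LOG = [
    "2024-10-26T05:28:12Z 10.0.0.7 CONNECT pctattletale.com:443 200",
    "2024-10-26T05:28:13Z 10.0.0.7 GET http://ocsp.sectigo.com/ 200",
    "2024-10-26T05:28:15Z 10.0.0.7 GET http://www.pctattletale.com/members/autologinfirstrun.php?AuthKey=x 200",
]

if __name__ == "__main__":
    for kind, details in triage(SAMPLE_INVENTORY, SAMPLE_REGISTRY, SAMPLE_PROXY_LOG).items():
        print(kind, details)
```

The Run-key match is deliberately narrow (the exact value name or the drop directory under a key that ends in \Run) so that the RunOnce entry in the sample export is not reported; the proxy match ignores the Sectigo OCSP request for the same reason, since that traffic is produced by signature validation on any host.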
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll | BlueJeans.2.28.61m.msi | malicious | Unknown
C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll | BlueJeansLauncher.exe | malicious | Unknown
(The overlap is the shared Newtonsoft.Json.dll library, which scores 0% above; it links this sample to the BlueJeans submissions only through a common dependency, not through shared malicious code.)
                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):894464
                                      Entropy (8bit):5.713479259906917
                                      Encrypted:false
                                      SSDEEP:12288:6WrEpyvAlP4fs12DsSb6BGA6Aw80TK7nOhiQI+mFvJe:4yvUr12DsFJ6AwmOEQI+D
                                      MD5:EDFA1BC995251D29FA3E6F99898DECF5
                                      SHA1:85AA9E5ED37F836CE48E5F6B5239BC4E2E3875D6
                                      SHA-256:9B2A1FF6CC50A6D8B7B769CC33B59FDE3A6012E883DDCC687760342A0F9CB4BD
                                      SHA-512:51247719BFAF97DA4EB9361827D6AD750AB5346799EDB4FF894B503B313CE0090F7F4EEC170570A030F32A301D3D32CEFAAC24F5A9825AAA3DCFC0EDEA454FB0
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.t..........." ..0.................. ........... ....................................@.................................9...O...................................(...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................m.......H............g..............3.........................................."..(9...*....0..]........(;.....o3.....o3...oL...r...p(L...YoM...oN...&.o5...(T...t......o^.......r...psO...z..(....*....0..0.................o[...t....oe...o.......(.........(....}P.......o[...t....oe...o....}Q.......o[...t....oe...o.....(....}R.......o[...t....oe...o......[(....}S.......o[...t....oe...o......[(....}T.......o[...t....oe...o......[(....}U.......o[...t....oe...o......[(....}V.......o[...t.
                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):578048
                                      Entropy (8bit):5.894096286070584
                                      Encrypted:false
                                      SSDEEP:6144:Vr/byUy5V+S1hjy4Sonw7MNEe3rE4KAgWpuJ8e0v3cH9FNsm8p5A8w7632Sviyp:1/byD1hYMy7Spe0xBt
                                      MD5:1065840AF40D9BB580368D58F314667E
                                      SHA1:D36372E8CA9C2C7C72B6633CB56A28AA3BCA7634
                                      SHA-256:6E2C1B665A258B1C2AF50ADEBCBE4C4D2344D6B1BDBFCE2F01B9A6A1D005AEF8
                                      SHA-512:D94CA71ADEB0DA7B4A3730786A3D1ECFB4CCAF48BEA0EAF3AC8C508B5BEA282EB58E48F3F34C0FF1B77B44356B9624248908EAA1A3CA564AFDA61918CA2E4869
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k..........." ..0.............J.... ........... .......................@......+.....@.....................................O............................ ..........T............................................ ............... ..H............text...P.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................,.......H...........\...................d........................................0.................(....r...p(5.....(6...-..(7...(....s8...r9..po9.....-.*.s......o....,9.o......o:...o;...,%.o........(<...,..o........(=...(....*.~....*6.(..........*.~....*.......*..0..*........(>...., .o?...s@...sA...%.oB.......oC...*F.r9..p(D...t....*6.r9..p.(E...*..(>...*^.(>....,...oF....oC...*F.r?..p(D........*J.r?..p......(E...*..0...........(G...u(.....,...oH....(I...*....0..N........(J...-.ri..
Dropped file (inferred from the detection table above: KillProcPCTT.exe, the only dropped console executable scored 0%)
Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):10896
                                      Entropy (8bit):6.283358337533618
                                      Encrypted:false
                                      SSDEEP:96:8MkHgCmLN5waVRaEZ6VAxzNtf0Cvh3PIKfhigYpHp7isNeV9gfMfOJ6lHDs8gZ5h:HkA/fDTR5pPIKfhigk7ip9gfDQC52U
                                      MD5:58AB737BC9B7870455589C683CBBE7D9
                                      SHA1:6D29DB3CC4B5930F1790FAD0F02A4A2F71625A2C
                                      SHA-256:E998892C3C44BC036FD728A0FEAB970C9B57ECE2B2F1B3B60570B944775F73F8
                                      SHA-512:85376F9B36FEF6D45DC6C3CCC17EA8D202017F26A2675271BE1C74DB3125A1049157CFB44EF24139EF9D8EBA1232C75A25B14CE5A18722816063544F9FA4A81E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0..............*... ...@....@.. ...............................V....`.................................9*..O....@.......................`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................m*......H.......|!...............................................................0..-.........(........&....r...p(.....(.....rC..p(.....*....................0.._..........(......rU..p(....s.......o.......+0........o....rm..po...........,.....o.........X....i2.+.*..0..^........r...p(..........+.......o........X....i2.r...p(............+...........o.........X.......i2.*".(.....*.BSJB............v4.0.30319......l...\...#~......,...#Strings............#US.........#GUID.......l...#Blob...
Dropped file (inferred from the Joe Sandbox View entries below, which repeat the Newtonsoft.Json.dll context rows above: Newtonsoft.Json.dll)
Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):487848
                                      Entropy (8bit):6.0690443951540844
                                      Encrypted:false
                                      SSDEEP:6144:gPcKvY/K2XApxA4Q6cVP1c81CQhGwMJVKGfZoUalqBu87egsAuiAP3:AS/KFnA96cw81nMBEMBsAsP3
                                      MD5:80F862778817F5E76D80172D4500D99A
                                      SHA1:920800ADD4D4F137096B64544D91809653DD9DE2
                                      SHA-256:F4FD69C5758CDF429B029186BD4763F1E0A61D55B5A86C4802702B6F89D9CF5E
                                      SHA-512:8217C269B3355CD1E43A906446F403440F23FB53304200A7C1BC2CA53675342BA5B12A540C74DF15BEB4D608D41D113F3F2AD45285CB076DCECE242FB3EF9CD6
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: BlueJeans.2.28.61m.msi, Detection: malicious, Browse
                                      • Filename: BlueJeansLauncher.exe, Detection: malicious, Browse
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..H...........e... ........... ....................................@.................................|e..O....................R...............d..T............................................ ............... ..H............text....F... ...H.................. ..`.rsrc................J..............@..@.reloc...............P..............@..B.................e......H........'.. =..................,d........................................(....*..(....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{.....3...{.......(....,...{....*..{........-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..o....aX...X...o....2.....cY.....cY....cY..{......{...._..+%.{.....3..{.....o....,..{....*.{......-....(....*.0..H.........{.
Dropped file (inferred from the 25% ReversingLabs score, Win32.Trojan.Generic: jusched32.exe)
Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):16528
                                      Entropy (8bit):6.223701720184252
                                      Encrypted:false
                                      SSDEEP:384:RLmDicgGVIzP0K0w5RaA5mIufiLWu0+pwKI7igDQs6De:/t8KchD9L
                                      MD5:4363EC070B653180D86FE34205897676
                                      SHA1:DB0E10DF7F066CD49C4150655611A474D0B57B1E
                                      SHA-256:64199356C5DA71302881FC02E93F136D1C3BE0E7239AAE7758F598A09158A47F
                                      SHA-512:DC6D9F12E356130D307CECD5A864B39C797924B68D15AE5D5D9970A11286943CDD2D6CD509BE3A0618FD056593B0210788E5D9FF58205EDA5FE1C2A1BD00F2F6
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 25%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.a.........."...0.."...........A... ...`....@.. ...................................`..................................A..O....`...............,..............H@............................................... ............... ..H............text....!... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B.................A......H.......<'...............>..p..............................................}.....(.......(.......(.......(.....*.0..!.........(......%o.... ....`o.......+..*....0...........r...p(............,...(......*..0..#..........o....(....&...&.....&.......+..*..............................0...........(....o....(.......r...p( ...(!...&r+..p("......(#...( ...(.......i..r[..p.o$...o%...ry..p.(&...('......)...%.r}..p.%..o$...o%....%.ry..p.%...%.("......(#....((...(........*...........2C.i
Dropped file (inferred from the 62% ReversingLabs score, Win32.Spyware.PcTattletale: mssched.exe, the Run-key autostart target)
Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1061520
                                      Entropy (8bit):7.4329456015921265
                                      Encrypted:false
                                      SSDEEP:24576:11Z1VCCWzZ3jawO1Z1FCCWzZ3jawj2CCWzZ30awc8:j/VAW5/FAWW2AdO
                                      MD5:DDD7094ECD63758C260126E8A8D7880F
                                      SHA1:6EA21F815AD5F4280972F94FA06F7169A9823F5F
                                      SHA-256:74730DAB8EF4EDD2B1351EABD9D7CF049167B648F79590FDAA99DD6C6F98F60D
                                      SHA-512:54D37F6F886CCB99D53E4281A3A87158680E3824B6220A11C4FC995F78A3B4F2D70668725871E027C9D7B919A9557AD30DA3C38D81F93E650268690F380E52C6
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 62%
                                      Reputation:low
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):1281
                                      Entropy (8bit):5.370111951859942
                                      Encrypted:false
                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                      MD5:12C61586CD59AA6F2A21DF30501F71BD
                                      SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                      SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                      SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
                                      File Type:CSV text
                                      Category:modified
                                      Size (bytes):226
                                      Entropy (8bit):5.360398796477698
                                      Encrypted:false
                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                      MD5:3A8957C6382192B71471BD14359D0B12
                                      SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                      SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                      SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1445
                                      Entropy (8bit):4.672900179777062
                                      Encrypted:false
                                      SSDEEP:24:2dqIK07E449sQK6E4Ev+XPmNMnvDXGnvMLSvODvbDvRRPEKpnv5/:crr7HKsQ7Hq4mNMnzGnWSWDTDpRPEAnN
                                      MD5:CA7323204F02466FBF74973C035EAC3D
                                      SHA1:7DAA3B01A3F7C3B3B836AC430A7D47DA08840064
                                      SHA-256:BF53CA0E0DE0CD30F39F780E4240F2A5A491DC51AC69323ACD56922C5066E61D
                                      SHA-512:8CD24D0FA96725463A44CA65409FC2F024B95906E46AD36FF7C7BFCD047A93F0C330B324B7C62BD45B7E7BFD80701EE0804D41A5A136407E9E3FA4B7E0853514
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="PCTTRecorder.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <PCTTRecorder.Properties.Settings>.. <setting name="TimeCardAppDate" serializeAs="String">.. <value>2024-10-25</value>.. </setting>.. <setting name="LogKeyStrokes" serializeAs="String">.. <value>True</value>.. </setting>.. <setting name="TimeCardAppSecondsLogged" serializeAs="String">.. <value>0</value>.. </set
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1445
                                      Entropy (8bit):4.672900179777062
                                      Encrypted:false
                                      SSDEEP:24:2dqIK07E449sQK6E4Ev+XPmNMnvDXGnvMLSvODvbDvRRPEKpnv5/:crr7HKsQ7Hq4mNMnzGnWSWDTDpRPEAnN
                                      MD5:CA7323204F02466FBF74973C035EAC3D
                                      SHA1:7DAA3B01A3F7C3B3B836AC430A7D47DA08840064
                                      SHA-256:BF53CA0E0DE0CD30F39F780E4240F2A5A491DC51AC69323ACD56922C5066E61D
                                      SHA-512:8CD24D0FA96725463A44CA65409FC2F024B95906E46AD36FF7C7BFCD047A93F0C330B324B7C62BD45B7E7BFD80701EE0804D41A5A136407E9E3FA4B7E0853514
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="PCTTRecorder.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <PCTTRecorder.Properties.Settings>.. <setting name="TimeCardAppDate" serializeAs="String">.. <value>2024-10-25</value>.. </setting>.. <setting name="LogKeyStrokes" serializeAs="String">.. <value>True</value>.. </setting>.. <setting name="TimeCardAppSecondsLogged" serializeAs="String">.. <value>0</value>.. </set
                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):87040
                                      Entropy (8bit):6.321191870855878
                                      Encrypted:false
                                      SSDEEP:1536:X/Zjm/1nZ12+XrMX7uf9RX22LurfSECjSeeWSKQUDs0OsWPIcdA2kUlTeJ:XyQ7I22Lur67jKKQA2kmTeJ
                                      MD5:7BA49F3F086DC16A2863B0F9E704916C
                                      SHA1:A3045477D3AF46E31D12479F02A1B64666BA8BE2
                                      SHA-256:263FE61F2F50CFFA5356AF07B027A691C6640A04245E88EA9734DD84BD735289
                                      SHA-512:3EA076B68126A7D451703DBB58F616BF272788FCBCEB02C6B12855FCD4F204C0A94A4486B73F4DAAC6002A74F4F0F51F941654AD11AF56EC38E5EB6CDD3FCB2D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                      Category:dropped
                                      Size (bytes):44444
                                      Entropy (8bit):7.252705879208812
                                      Encrypted:false
                                      SSDEEP:768:KuovvoqQ+Joy2GJDCvwuLmrbGpOnzGIH3I25bapgD9ta:KDf2GVCvrSMOZHhap4ta
                                      MD5:B8A1D2CBFE36452EC963AB5F89C66223
                                      SHA1:9BCD8624F77B2E653D65629AE697C50477741E7F
                                      SHA-256:A535A88891A4552C092FF367070AE2684D3B7E3378835DF2126D78E72AB467A5
                                      SHA-512:7D93ED70D8A6AB28CB45FCFC4D94B9CF27696C2B6B6F0C11A15065D17ADB07368D274450259457E51DA62E59F4C8F0893894E545FEE0C5C935F007B971DD8A23
                                      Malicious:false
                                      Process:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):44
                                      Entropy (8bit):4.172404562203418
                                      Encrypted:false
                                      SSDEEP:3:rJ7K4Fh3vY+9n:rAIhwqn
                                      MD5:2B1E83201F0924931C63EAA9D6CB0F3B
                                      SHA1:0C42B092CEA0C05DC05E4015F7EC001038A6E6AF
                                      SHA-256:6E9563CBA1ABD6D6F1B90B9611285E0B2EAE05792B299EA95655565B3B51A6AE
                                      SHA-512:B4018F81F090F68CCC846321E7252D270C480F681B48A8FF9096023153530A7DF757055DC02EFD2721733E1F8963E4FBCDC128D143039323E941B2F0DFC4AAB9
                                      Malicious:false
                                      Preview:Shutting down older pcTattletale..Complete..
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.992219926892812
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      File size:1'585'816 bytes
                                      MD5:1ef81575c0f526800283239b2469818d
                                      SHA1:16509b0ae23980c3d49afe176d61e770affd8112
                                      SHA256:bf5ae3f1cfe10e6772e1ca445a9a49280141746d9a5a72bccfe3eb5786a6c9a0
                                      SHA512:41e615a67ae73e16da9a21039bc26be5986b83f124594da9905df8f8045e3dfc5497092764abd848a182b81daf31d2f92d49876cbd2cb77f2c1c839920202330
                                      SSDEEP:49152:pkKkIKb+dIUxkNTGVv8M6lR4vDfD0Hu2qlv76:pvBdIU8Gt8M6lWDfQHuFlm
                                      TLSH:26753385F20C8726EC9246769E7180ACC2B3793AA96A7C4D43CC5D497EC35143EFE5B2
                                      Icon Hash:3d2e0f95332b3399
                                      Entrypoint:0x40352d
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                                      Signature Valid:true
                                      Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                      Signature Validation Error:The operation completed successfully
                                      Error Number:0
                                       Not Before:22/03/2023 01:00:00
                                       Not After:22/03/2024 00:59:59
                                      Subject Chain
                                      • CN="Fleming Technologies, LLC", O="Fleming Technologies, LLC", S=Michigan, C=US
                                      Version:3
                                      Thumbprint MD5:78BD57CDF30F9AC05DECB3F534AC68A7
                                      Thumbprint SHA-1:80F9E3506228F28AC7B95B85B43FAF1CF6E1FC4C
                                      Thumbprint SHA-256:ABBEC2D9C41B98096825FDD0117879549A1E59C311DF7CE17D6959926DC99CE1
                                      Serial:551D55E73720C480501627F8068DF8CB
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 000003F4h
                                      push ebx
                                      push esi
                                      push edi
                                      push 00000020h
                                      pop edi
                                      xor ebx, ebx
                                      push 00008001h
                                      mov dword ptr [ebp-14h], ebx
                                      mov dword ptr [ebp-04h], 0040A2E0h
                                      mov dword ptr [ebp-10h], ebx
                                      call dword ptr [004080CCh]
                                      mov esi, dword ptr [004080D0h]
                                      lea eax, dword ptr [ebp-00000140h]
                                      push eax
                                      mov dword ptr [ebp-0000012Ch], ebx
                                      mov dword ptr [ebp-2Ch], ebx
                                      mov dword ptr [ebp-28h], ebx
                                      mov dword ptr [ebp-00000140h], 0000011Ch
                                      call esi
                                      test eax, eax
                                      jne 00007F24795A545Ah
                                      lea eax, dword ptr [ebp-00000140h]
                                      mov dword ptr [ebp-00000140h], 00000114h
                                      push eax
                                      call esi
                                      mov ax, word ptr [ebp-0000012Ch]
                                      mov ecx, dword ptr [ebp-00000112h]
                                      sub ax, 00000053h
                                      add ecx, FFFFFFD0h
                                      neg ax
                                      sbb eax, eax
                                      mov byte ptr [ebp-26h], 00000004h
                                      not eax
                                      and eax, ecx
                                      mov word ptr [ebp-2Ch], ax
                                      cmp dword ptr [ebp-0000013Ch], 0Ah
                                      jnc 00007F24795A542Ah
                                      and word ptr [ebp-00000132h], 0000h
                                      mov eax, dword ptr [ebp-00000134h]
                                      movzx ecx, byte ptr [ebp-00000138h]
                                      mov dword ptr [00434FB8h], eax
                                      xor eax, eax
                                      mov ah, byte ptr [ebp-0000013Ch]
                                      movzx eax, ax
                                      or eax, ecx
                                      xor ecx, ecx
                                      mov ch, byte ptr [ebp-2Ch]
                                      movzx ecx, cx
                                      shl eax, 10h
                                      or eax, ecx
                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0xa60 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x181e08 | 0x1490 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x1000 | 0x6897 | 0x6a00 | ce9df19df15aa7bfbc0a8d0af0b841d0 | False | 0.6661261792452831 | data | 6.458398214928006 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata | 0x8000 | 0x14a6 | 0x1600 | a118375c929d970903c1204233b7583d | False | 0.4392755681818182 | data | 5.024109281264143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data | 0xa000 | 0x2b018 | 0x600 | 82a10c59a8679bb952fc8316070b8a6c | False | 0.521484375 | data | 4.15458210408643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .ndata | 0x36000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .rsrc | 0x49000 | 0xa60 | 0xc00 | 0e42cd951eda0fea5d6d51c0ee3c76d3 | False | 0.4033203125 | data | 4.201606800234224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       RT_ICON | 0x49190 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
                                       RT_DIALOG | 0x49478 | 0x100 | data | English | United States | 0.5234375
                                       RT_DIALOG | 0x49578 | 0x11c | data | English | United States | 0.6056338028169014
                                       RT_DIALOG | 0x49698 | 0x60 | data | English | United States | 0.7291666666666666
                                       RT_GROUP_ICON | 0x496f8 | 0x14 | data | English | United States | 1.2
                                       RT_MANIFEST | 0x49710 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States | 0.5517241379310345
                                       DLL | Import
                                       ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                       SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                       ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                       COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                       USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                       GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                       KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                       Language of compilation system | Country where language is spoken
                                       English | United States
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Oct 26, 2024 05:28:27.033814907 CEST | 53 | 59534 | 1.1.1.1 | 192.168.2.5

                                      Target ID:0
                                      Start time:23:28:05
                                      Start date:25/10/2024
                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe"
                                      Imagebase:0x400000
                                      File size:1'585'816 bytes
                                      MD5 hash:1EF81575C0F526800283239B2469818D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:23:28:05
                                      Start date:25/10/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
                                      Imagebase:0x3c0000
                                      File size:10'896 bytes
                                      MD5 hash:58AB737BC9B7870455589C683CBBE7D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:23:28:06
                                      Start date:25/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:23:28:07
                                      Start date:25/10/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe
                                      Imagebase:0x1fc13c70000
                                      File size:1'061'520 bytes
                                      MD5 hash:DDD7094ECD63758C260126E8A8D7880F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 62%, ReversingLabs
                                      Reputation:low
                                      Has exited:false

                                      Target ID:6
                                      Start time:23:28:17
                                      Start date:25/10/2024
                                      Path:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe"
                                      Imagebase:0x125ca5b0000
                                      File size:1'061'520 bytes
                                      MD5 hash:DDD7094ECD63758C260126E8A8D7880F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true
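
The process-detail blocks above are easier to act on as structured records than as a wall of `Key:value` lines. The following Python script is an added example and is not part of the Joe Sandbox report or its tooling: it parses blocks in the report's own layout (the sample embedded in the script is a constructed copy of the two mssched.exe entries above, field for field), groups runs by image path, and flags the pattern visible here, namely the same dropped binary with a 62% detection rate launched a second time ten seconds later, without the installer's elevated token, with the first instance still running when the analysis ended. That shape is what a Run-key or scheduled-task start looks like, so a practitioner would cross-check it against the report's persistence signatures before treating the second launch as benign. The field names and the treatment of the `• Detection: N%` bullet follow what is printed on this page; anything beyond that (the triage flags, the grouping) is this example's own choice.

```python
"""Turn Joe Sandbox 'Target ID' process-detail blocks into records and a
per-image triage view.  Added example, not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two mssched.exe entries from this report,
# copied field for field in the report's own "Key:value" layout.
SAMPLE = r"""Target ID:4
Start time:23:28:07
Start date:25/10/2024
Path:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe
Imagebase:0x1fc13c70000
File size:1'061'520 bytes
MD5 hash:DDD7094ECD63758C260126E8A8D7880F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 62%, ReversingLabs
Reputation:low
Has exited:false

Target ID:6
Start time:23:28:17
Start date:25/10/2024
Path:C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe"
Imagebase:0x125ca5b0000
File size:1'061'520 bytes
MD5 hash:DDD7094ECD63758C260126E8A8D7880F
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true
"""

DETECTION_RE = re.compile(r"Detection:\s*(\d+)%")


@dataclass
class Proc:
    target_id: int
    start_time: str
    path: str
    commandline: str
    md5: str
    elevated: bool
    exited: bool
    detection_pct: Optional[int]   # None when the report lists no AV match


def parse_blocks(text: str) -> list:
    """One Proc per blank-line-separated block; values keep the report's text."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        kv, detection = {}, None
        for line in block.splitlines():
            m = DETECTION_RE.search(line)
            if m:                                   # "• Detection: 62%, <engine>"
                detection = max(detection or 0, int(m.group(1)))
                continue
            if ":" not in line:
                continue
            key, value = line.split(":", 1)         # split once: paths contain ':'
            kv[key.strip()] = value.strip()
        procs.append(Proc(
            target_id=int(kv["Target ID"]),
            start_time=kv["Start time"],
            path=kv["Path"],
            commandline=kv["Commandline"],
            md5=kv["MD5 hash"].lower(),
            elevated=kv["Has elevated privileges"] == "true",
            exited=kv["Has exited"] == "true",
            detection_pct=detection,
        ))
    return procs


def triage(procs) -> dict:
    """Group runs by image path and flag what is worth a second look."""
    by_path = {}
    for p in procs:
        e = by_path.setdefault(p.path, {"md5": set(), "detection": 0, "runs": []})
        e["md5"].add(p.md5)
        e["detection"] = max(e["detection"], p.detection_pct or 0)
        e["runs"].append((p.start_time, p.elevated, p.exited, p.commandline))
    for e in by_path.values():
        e["runs"].sort()                            # HH:MM:SS sorts lexically
        _, last_elevated, _, _ = e["runs"][-1]
        # Same dropped binary launched again later and without the installer's
        # elevated token: the shape of a Run-key or scheduled-task start, so
        # cross-check it against the persistence signatures in the report.
        e["relaunched_unelevated"] = len(e["runs"]) > 1 and not last_elevated
        # Still alive when the analysis ended: a live process to collect from.
        e["still_running"] = any(not exited for _, _, exited, _ in e["runs"])
    return by_path


if __name__ == "__main__":
    for path, e in triage(parse_blocks(SAMPLE)).items():
        print(path)
        print(f"  md5={sorted(e['md5'])} worst_detection={e['detection']}%")
        print(f"  relaunched_unelevated={e['relaunched_unelevated']} "
              f"still_running={e['still_running']}")
        for start, elevated, exited, cmd in e["runs"]:
            print(f"  {start} elevated={elevated} exited={exited}  {cmd}")
```

Feed it the full set of blocks from a report and the per-path view also shows whether a dropped file was ever started at all (no entry) and whether one path was seen with more than one hash, which is the quick way to spot a dropper that rewrites its own payload between runs.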


                                        Execution Graph

                                        Execution Coverage:25.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:16.7%
                                        Total number of Nodes:1345
                                        Total number of Limit Nodes:23
                                        [Execution graph: rendered as an interactive figure on the original page; the raw node/edge listing (node id, code address, API name, and id->id edges) is not reproduced here. Win32 APIs named in the graph's nodes include file-system calls (GetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, SetFileSecurityW, DeleteFileW, RemoveDirectoryW, MoveFileExW, FindFirstFileW/FindNextFileW, SetFileTime, CompareFileTime, SHFileOperationW, GetDiskFreeSpaceW), registry calls (RegOpenKeyExW/RegQueryValueExW, RegCreateKeyExW/RegSetValueExW/RegCloseKey), dynamic loading (GetModuleHandleA, LoadLibraryExW, GetProcAddress), process and thread creation (ShellExecuteExW, CreateThread), clipboard access (OpenClipboard, EmptyClipboard, SetClipboardData), shell folder lookups (SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW), COM helpers (IIDFromString, CoTaskMemFree), user prompts (MessageBoxIndirectW) and timing (Sleep, GetTickCount, SetTimer, MulDiv).]
40458b 3649->3651 3650->3651 3652 404592 SetBkColor 3651->3652 3653 40459c 3651->3653 3652->3653 3653->3643 3654 4045b6 CreateBrushIndirect 3653->3654 3655 4045af DeleteObject 3653->3655 3654->3643 3655->3654 4257 401b9b 4258 401ba8 4257->4258 4259 401bec 4257->4259 4262 401c31 4258->4262 4267 401bbf 4258->4267 4260 401bf1 4259->4260 4261 401c16 GlobalAlloc 4259->4261 4273 40239d 4260->4273 4278 40653d lstrcpynW 4260->4278 4264 40657a 17 API calls 4261->4264 4263 40657a 17 API calls 4262->4263 4262->4273 4265 402397 4263->4265 4264->4262 4270 405b9d MessageBoxIndirectW 4265->4270 4276 40653d lstrcpynW 4267->4276 4268 401c03 GlobalFree 4268->4273 4270->4273 4271 401bce 4277 40653d lstrcpynW 4271->4277 4274 401bdd 4279 40653d lstrcpynW 4274->4279 4276->4271 4277->4274 4278->4268 4279->4273 4280 40261c 4281 402da6 17 API calls 4280->4281 4282 402623 4281->4282 4285 40602d GetFileAttributesW CreateFileW 4282->4285 4284 40262f 4285->4284 4286 40149e 4287 4014ac PostQuitMessage 4286->4287 4288 40239d 4286->4288 4287->4288 4289 40259e 4299 402de6 4289->4299 4292 402d84 17 API calls 4293 4025b1 4292->4293 4294 40292e 4293->4294 4295 4025d9 RegEnumValueW 4293->4295 4296 4025cd RegEnumKeyW 4293->4296 4297 4025ee RegCloseKey 4295->4297 4296->4297 4297->4294 4300 402da6 17 API calls 4299->4300 4301 402dfd 4300->4301 4302 4063aa RegOpenKeyExW 4301->4302 4303 4025a8 4302->4303 4303->4292 4304 4015a3 4305 402da6 17 API calls 4304->4305 4306 4015aa SetFileAttributesW 4305->4306 4307 4015bc 4306->4307 3143 401fa4 3144 402da6 17 API calls 3143->3144 3145 401faa 3144->3145 3146 40559f 24 API calls 3145->3146 3147 401fb4 3146->3147 3158 405b20 CreateProcessW 3147->3158 3150 401fdd CloseHandle 3153 40292e 3150->3153 3154 401fcf 3155 401fd4 3154->3155 3156 401fdf 3154->3156 3166 406484 wsprintfW 3155->3166 3156->3150 3159 405b53 CloseHandle 3158->3159 3160 401fba 3158->3160 3159->3160 3160->3150 3160->3153 3161 4069b5 WaitForSingleObject 3160->3161 3162 4069cf 3161->3162 3163 4069e1 
GetExitCodeProcess 3162->3163 3167 406946 3162->3167 3163->3154 3166->3150 3168 406963 PeekMessageW 3167->3168 3169 406973 WaitForSingleObject 3168->3169 3170 406959 DispatchMessageW 3168->3170 3169->3162 3170->3168 4308 40202a 4309 402da6 17 API calls 4308->4309 4310 402031 4309->4310 4311 40690a 5 API calls 4310->4311 4312 402040 4311->4312 4313 4020cc 4312->4313 4314 40205c GlobalAlloc 4312->4314 4314->4313 4315 402070 4314->4315 4316 40690a 5 API calls 4315->4316 4317 402077 4316->4317 4318 40690a 5 API calls 4317->4318 4319 402081 4318->4319 4319->4313 4323 406484 wsprintfW 4319->4323 4321 4020ba 4324 406484 wsprintfW 4321->4324 4323->4321 4324->4313 4325 40252a 4326 402de6 17 API calls 4325->4326 4327 402534 4326->4327 4328 402da6 17 API calls 4327->4328 4329 40253d 4328->4329 4330 402548 RegQueryValueExW 4329->4330 4331 40292e 4329->4331 4332 402568 4330->4332 4335 40256e RegCloseKey 4330->4335 4332->4335 4336 406484 wsprintfW 4332->4336 4335->4331 4336->4335 4337 4021aa 4338 402da6 17 API calls 4337->4338 4339 4021b1 4338->4339 4340 402da6 17 API calls 4339->4340 4341 4021bb 4340->4341 4342 402da6 17 API calls 4341->4342 4343 4021c5 4342->4343 4344 402da6 17 API calls 4343->4344 4345 4021cf 4344->4345 4346 402da6 17 API calls 4345->4346 4347 4021d9 4346->4347 4348 402218 CoCreateInstance 4347->4348 4349 402da6 17 API calls 4347->4349 4352 402237 4348->4352 4349->4348 4350 401423 24 API calls 4351 4022f6 4350->4351 4352->4350 4352->4351 4353 403baa 4354 403bb5 4353->4354 4355 403bbc GlobalAlloc 4354->4355 4356 403bb9 4354->4356 4355->4356 3226 40352d SetErrorMode GetVersionExW 3227 4035b7 3226->3227 3228 40357f GetVersionExW 3226->3228 3229 403610 3227->3229 3230 40690a 5 API calls 3227->3230 3228->3227 3231 40689a 3 API calls 3229->3231 3230->3229 3232 403626 lstrlenA 3231->3232 3232->3229 3233 403636 3232->3233 3234 40690a 5 API calls 3233->3234 3235 40363d 3234->3235 3236 40690a 5 API calls 3235->3236 3237 403644 3236->3237 3238 40690a 5 API calls 
3237->3238 3242 403650 #17 OleInitialize SHGetFileInfoW 3238->3242 3241 40369d GetCommandLineW 3317 40653d lstrcpynW 3241->3317 3316 40653d lstrcpynW 3242->3316 3244 4036af 3245 405e39 CharNextW 3244->3245 3246 4036d5 CharNextW 3245->3246 3258 4036e6 3246->3258 3247 4037e4 3248 4037f8 GetTempPathW 3247->3248 3318 4034fc 3248->3318 3250 403810 3252 403814 GetWindowsDirectoryW lstrcatW 3250->3252 3253 40386a DeleteFileW 3250->3253 3251 405e39 CharNextW 3251->3258 3254 4034fc 12 API calls 3252->3254 3328 40307d GetTickCount GetModuleFileNameW 3253->3328 3256 403830 3254->3256 3256->3253 3259 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3256->3259 3257 40387d 3261 403a59 ExitProcess CoUninitialize 3257->3261 3263 403932 3257->3263 3271 405e39 CharNextW 3257->3271 3258->3247 3258->3251 3260 4037e6 3258->3260 3262 4034fc 12 API calls 3259->3262 3412 40653d lstrcpynW 3260->3412 3265 403a69 3261->3265 3266 403a7e 3261->3266 3270 403862 3262->3270 3356 403bec 3263->3356 3417 405b9d 3265->3417 3268 403a86 GetCurrentProcess OpenProcessToken 3266->3268 3269 403afc ExitProcess 3266->3269 3274 403acc 3268->3274 3275 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3268->3275 3270->3253 3270->3261 3285 40389f 3271->3285 3278 40690a 5 API calls 3274->3278 3275->3274 3276 403941 3276->3261 3281 403ad3 3278->3281 3279 403908 3282 405f14 18 API calls 3279->3282 3280 403949 3284 405b08 5 API calls 3280->3284 3283 403ae8 ExitWindowsEx 3281->3283 3287 403af5 3281->3287 3286 403914 3282->3286 3283->3269 3283->3287 3288 40394e lstrcatW 3284->3288 3285->3279 3285->3280 3286->3261 3413 40653d lstrcpynW 3286->3413 3421 40140b 3287->3421 3289 40396a lstrcatW lstrcmpiW 3288->3289 3290 40395f lstrcatW 3288->3290 3289->3276 3292 40398a 3289->3292 3290->3289 3294 403996 3292->3294 3295 40398f 3292->3295 3298 405aeb 2 API calls 3294->3298 3297 405a6e 4 API calls 3295->3297 3296 403927 3414 40653d lstrcpynW 3296->3414 3300 403994 3297->3300 3301 40399b 
SetCurrentDirectoryW 3298->3301 3300->3301 3302 4039b8 3301->3302 3303 4039ad 3301->3303 3416 40653d lstrcpynW 3302->3416 3415 40653d lstrcpynW 3303->3415 3306 40657a 17 API calls 3307 4039fa DeleteFileW 3306->3307 3308 403a06 CopyFileW 3307->3308 3313 4039c5 3307->3313 3308->3313 3309 403a50 3311 4062fd 36 API calls 3309->3311 3310 4062fd 36 API calls 3310->3313 3311->3276 3312 40657a 17 API calls 3312->3313 3313->3306 3313->3309 3313->3310 3313->3312 3314 405b20 2 API calls 3313->3314 3315 403a3a CloseHandle 3313->3315 3314->3313 3315->3313 3316->3241 3317->3244 3319 4067c4 5 API calls 3318->3319 3321 403508 3319->3321 3320 403512 3320->3250 3321->3320 3322 405e0c 3 API calls 3321->3322 3323 40351a 3322->3323 3324 405aeb 2 API calls 3323->3324 3325 403520 3324->3325 3424 40605c 3325->3424 3428 40602d GetFileAttributesW CreateFileW 3328->3428 3330 4030bd 3348 4030cd 3330->3348 3429 40653d lstrcpynW 3330->3429 3332 4030e3 3333 405e58 2 API calls 3332->3333 3334 4030e9 3333->3334 3430 40653d lstrcpynW 3334->3430 3336 4030f4 GetFileSize 3337 4031ee 3336->3337 3355 40310b 3336->3355 3431 403019 3337->3431 3339 4031f7 3341 403227 GlobalAlloc 3339->3341 3339->3348 3443 4034e5 SetFilePointer 3339->3443 3340 4034cf ReadFile 3340->3355 3442 4034e5 SetFilePointer 3341->3442 3343 40325a 3345 403019 6 API calls 3343->3345 3345->3348 3346 403210 3349 4034cf ReadFile 3346->3349 3347 403242 3350 4032b4 31 API calls 3347->3350 3348->3257 3351 40321b 3349->3351 3353 40324e 3350->3353 3351->3341 3351->3348 3352 403019 6 API calls 3352->3355 3353->3348 3353->3353 3354 40328b SetFilePointer 3353->3354 3354->3348 3355->3337 3355->3340 3355->3343 3355->3348 3355->3352 3357 40690a 5 API calls 3356->3357 3358 403c00 3357->3358 3359 403c06 GetUserDefaultUILanguage 3358->3359 3360 403c18 3358->3360 3444 406484 wsprintfW 3359->3444 3362 40640b 3 API calls 3360->3362 3363 403c48 3362->3363 3365 403c67 lstrcatW 3363->3365 3366 40640b 3 API calls 3363->3366 3364 403c16 3445 403ec2 3364->3445 
3365->3364 3366->3365 3369 405f14 18 API calls 3370 403c99 3369->3370 3371 403d2d 3370->3371 3373 40640b 3 API calls 3370->3373 3372 405f14 18 API calls 3371->3372 3374 403d33 3372->3374 3375 403ccb 3373->3375 3376 403d43 LoadImageW 3374->3376 3379 40657a 17 API calls 3374->3379 3375->3371 3383 403cec lstrlenW 3375->3383 3387 405e39 CharNextW 3375->3387 3377 403de9 3376->3377 3378 403d6a RegisterClassW 3376->3378 3382 40140b 2 API calls 3377->3382 3380 403da0 SystemParametersInfoW CreateWindowExW 3378->3380 3381 403df3 3378->3381 3379->3376 3380->3377 3381->3276 3386 403def 3382->3386 3384 403d20 3383->3384 3385 403cfa lstrcmpiW 3383->3385 3390 405e0c 3 API calls 3384->3390 3385->3384 3389 403d0a GetFileAttributesW 3385->3389 3386->3381 3392 403ec2 18 API calls 3386->3392 3388 403ce9 3387->3388 3388->3383 3391 403d16 3389->3391 3393 403d26 3390->3393 3391->3384 3394 405e58 2 API calls 3391->3394 3395 403e00 3392->3395 3460 40653d lstrcpynW 3393->3460 3394->3384 3397 403e0c ShowWindow 3395->3397 3398 403e8f 3395->3398 3400 40689a 3 API calls 3397->3400 3453 405672 OleInitialize 3398->3453 3402 403e24 3400->3402 3401 403e95 3403 403eb1 3401->3403 3404 403e99 3401->3404 3405 403e32 GetClassInfoW 3402->3405 3409 40689a 3 API calls 3402->3409 3408 40140b 2 API calls 3403->3408 3404->3381 3411 40140b 2 API calls 3404->3411 3406 403e46 GetClassInfoW RegisterClassW 3405->3406 3407 403e5c DialogBoxParamW 3405->3407 3406->3407 3410 40140b 2 API calls 3407->3410 3408->3381 3409->3405 3410->3381 3411->3381 3412->3248 3413->3296 3414->3263 3415->3302 3416->3313 3418 405bb2 3417->3418 3419 405bc6 MessageBoxIndirectW 3418->3419 3420 403a76 ExitProcess 3418->3420 3419->3420 3422 401389 2 API calls 3421->3422 3423 401420 3422->3423 3423->3269 3425 406069 GetTickCount GetTempFileNameW 3424->3425 3426 40352b 3425->3426 3427 40609f 3425->3427 3426->3250 3427->3425 3427->3426 3428->3330 3429->3332 3430->3336 3432 403022 3431->3432 3433 40303a 3431->3433 3434 403032 3432->3434 3435 
40302b DestroyWindow 3432->3435 3436 403042 3433->3436 3437 40304a GetTickCount 3433->3437 3434->3339 3435->3434 3438 406946 2 API calls 3436->3438 3439 403058 CreateDialogParamW ShowWindow 3437->3439 3440 40307b 3437->3440 3441 403048 3438->3441 3439->3440 3440->3339 3441->3339 3442->3347 3443->3346 3444->3364 3446 403ed6 3445->3446 3461 406484 wsprintfW 3446->3461 3448 403f47 3462 403f7b 3448->3462 3450 403c77 3450->3369 3451 403f4c 3451->3450 3452 40657a 17 API calls 3451->3452 3452->3451 3465 4044e5 3453->3465 3455 4056bc 3456 4044e5 SendMessageW 3455->3456 3458 4056ce CoUninitialize 3456->3458 3457 405695 3457->3455 3468 401389 3457->3468 3458->3401 3460->3371 3461->3448 3463 40657a 17 API calls 3462->3463 3464 403f89 SetWindowTextW 3463->3464 3464->3451 3466 4044fd 3465->3466 3467 4044ee SendMessageW 3465->3467 3466->3457 3467->3466 3470 401390 3468->3470 3469 4013fe 3469->3457 3470->3469 3471 4013cb MulDiv SendMessageW 3470->3471 3471->3470 4357 401a30 4358 402da6 17 API calls 4357->4358 4359 401a39 ExpandEnvironmentStringsW 4358->4359 4360 401a4d 4359->4360 4362 401a60 4359->4362 4361 401a52 lstrcmpW 4360->4361 4360->4362 4361->4362 4368 4023b2 4369 4023ba 4368->4369 4371 4023c0 4368->4371 4370 402da6 17 API calls 4369->4370 4370->4371 4372 402da6 17 API calls 4371->4372 4373 4023ce 4371->4373 4372->4373 4374 4023dc 4373->4374 4375 402da6 17 API calls 4373->4375 4376 402da6 17 API calls 4374->4376 4375->4374 4377 4023e5 WritePrivateProfileStringW 4376->4377 4378 402434 4379 402467 4378->4379 4380 40243c 4378->4380 4381 402da6 17 API calls 4379->4381 4382 402de6 17 API calls 4380->4382 4383 40246e 4381->4383 4384 402443 4382->4384 4389 402e64 4383->4389 4386 402da6 17 API calls 4384->4386 4387 40247b 4384->4387 4388 402454 RegDeleteValueW RegCloseKey 4386->4388 4388->4387 4390 402e71 4389->4390 4391 402e78 4389->4391 4390->4387 4391->4390 4393 402ea9 4391->4393 4394 4063aa RegOpenKeyExW 4393->4394 4395 402ed7 4394->4395 4396 402ee7 RegEnumValueW 4395->4396 
4403 402f0a 4395->4403 4404 402f81 4395->4404 4398 402f71 RegCloseKey 4396->4398 4396->4403 4397 402f46 RegEnumKeyW 4399 402f4f RegCloseKey 4397->4399 4397->4403 4398->4404 4400 40690a 5 API calls 4399->4400 4402 402f5f 4400->4402 4401 402ea9 6 API calls 4401->4403 4402->4404 4405 402f63 RegDeleteKeyW 4402->4405 4403->4397 4403->4398 4403->4399 4403->4401 4404->4390 4405->4404 4406 401735 4407 402da6 17 API calls 4406->4407 4408 40173c SearchPathW 4407->4408 4409 401757 4408->4409 4410 401d38 4411 402d84 17 API calls 4410->4411 4412 401d3f 4411->4412 4413 402d84 17 API calls 4412->4413 4414 401d4b GetDlgItem 4413->4414 4415 402638 4414->4415 4416 4014b8 4417 4014be 4416->4417 4418 401389 2 API calls 4417->4418 4419 4014c6 4418->4419 4420 40263e 4421 402652 4420->4421 4422 40266d 4420->4422 4423 402d84 17 API calls 4421->4423 4424 402672 4422->4424 4425 40269d 4422->4425 4432 402659 4423->4432 4426 402da6 17 API calls 4424->4426 4427 402da6 17 API calls 4425->4427 4429 402679 4426->4429 4428 4026a4 lstrlenW 4427->4428 4428->4432 4437 40655f WideCharToMultiByte 4429->4437 4431 40268d lstrlenA 4431->4432 4433 4026d1 4432->4433 4434 4026e7 4432->4434 4436 40610e 5 API calls 4432->4436 4433->4434 4435 4060df WriteFile 4433->4435 4435->4434 4436->4433 4437->4431

                                        Control-flow Graph (rendered graph of function 0040352D not reproduced; see the APIs list below)
                                        APIs
                                        • SetErrorMode.KERNELBASE(00008001), ref: 00403550
                                        • GetVersionExW.KERNEL32(?), ref: 00403579
                                        • GetVersionExW.KERNEL32(0000011C), ref: 00403590
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
                                        • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
                                        • OleInitialize.OLE32(00000000), ref: 0040366A
                                        • SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
                                        • GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
                                        • CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe",00000000), ref: 004036D6
                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
                                        • DeleteFileW.KERNELBASE(1033), ref: 0040386F
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe",00000000,?), ref: 00403956
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe",00000000,?), ref: 00403965
                                          • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe",00000000,?), ref: 00403970
                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe",00000000,?), ref: 0040397C
                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
                                        • DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,0042AA28,00000001), ref: 00403A0E
                                        • CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
                                        • ExitProcess.KERNEL32(?), ref: 00403A59
                                        • CoUninitialize.COMBASE(?), ref: 00403A5E
                                        • ExitProcess.KERNEL32 ref: 00403A78
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
                                        • ExitProcess.KERNEL32 ref: 00403B0C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe"$.tmp$1033$C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler$C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                        • API String ID: 2292928366-2531529280
                                        • Opcode ID: 7a788a85b9786d5a7ebd132106c546d121407ab0fc20c65c93ef4011eb75cbdd
                                        • Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
                                        • Opcode Fuzzy Hash: 7a788a85b9786d5a7ebd132106c546d121407ab0fc20c65c93ef4011eb75cbdd
                                        • Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

                                        Control-flow Graph (rendered graph of function 004056DE not reproduced; see the APIs list below)
                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                        • GetClientRect.USER32(?,?), ref: 00405788
                                        • GetSystemMetrics.USER32(00000002), ref: 0040578F
                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                                        • ShowWindow.USER32(?,00000008), ref: 0040582B
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                        • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                          • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                        • CloseHandle.KERNELBASE(00000000), ref: 004058B3
                                        • ShowWindow.USER32(00000000), ref: 004058D7
                                        • ShowWindow.USER32(?,00000008), ref: 004058DC
                                        • ShowWindow.USER32(00000008), ref: 00405926
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                        • CreatePopupMenu.USER32 ref: 0040596B
                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
                                        • GetWindowRect.USER32(?,?), ref: 0040599F
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                                        • OpenClipboard.USER32(00000000), ref: 00405A00
                                        • EmptyClipboard.USER32 ref: 00405A06
                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                                        • GlobalLock.KERNEL32(00000000), ref: 00405A1C
                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
                                        • CloseClipboard.USER32 ref: 00405A61
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                         Similarity
                                         • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                         • String ID: {
                                         • API String ID: 590372296-366298937
                                         • Opcode ID / Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
                                         • Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
                                         • Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

                                         Control-flow Graph
                                         • Function at 0x405c49, basic blocks 0x405c49 through 0x405e09. The graph includes a call from block 0x405d4c back to 0x405c49, so the routine recurses into itself. The rendered graph and its Executed / Not Executed colouring are not reproduced here; the API calls are listed below.
                                        APIs
                                        • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBA
                                        • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CDD
                                        • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                                        • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                                        • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                        • FindClose.KERNEL32(00000000), ref: 00405DA2
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                         Similarity
                                         • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                         • String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*$\*.*
                                         • API String ID: 2035342205-1558109550
                                         • Opcode ID / Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                         • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                                         • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
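The two API listings above (the clipboard routine whose calls sit at 0x405A00 to 0x405A61, and the Temp-directory enumeration and deletion routine at 0x405C49) are the raw material a triager works from, and the report format is regular enough to parse. The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it turns bullets in that format into structured call records and answers two questions the listing alone leaves open, namely whether the clipboard access is a write or a read (OpenClipboard/EmptyClipboard/SetClipboardData with no GetClipboardData is a write, and the 0x0D format argument is CF_UNICODETEXT) and which paths the file APIs touch. The sample input is copied from the listings above; the message and clipboard-format constants are the Windows SDK values; the comma-split of arguments is an assumption that holds for this report because none of its paths contain commas.

```python
"""Parse Joe Sandbox 'APIs' listings into structured call records and summarise
what the clipboard and file-system calls actually do."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of the report's API listing, in the three shapes seen in the report:
#   • SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
#   • EmptyClipboard.USER32 ref: 00405A06
#   • Part of subcall function 004044CE: SendMessageW.USER32(...), ref: 004044DC
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                        # address of the call instruction
    subcall: Optional[int] = None   # set when the bullet is "Part of subcall function"


def parse_api_lines(text: str) -> List[Call]:
    """Return one Call per recognised bullet; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        # Assumption: arguments are comma separated and no path in this report
        # contains a comma, so a plain split is enough (quoted strings would need a tokenizer).
        args = raw.split(",") if raw else []
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# Constants from the Windows SDK headers (winuser.h / commctrl.h).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0x7: "CF_OEMTEXT", 0xD: "CF_UNICODETEXT"}
WINDOW_MESSAGES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW"}


def clipboard_summary(calls: List[Call]) -> dict:
    """A write is Open/Empty/SetClipboardData; a read needs GetClipboardData.
    A signature that fires on OpenClipboard alone cannot tell the two apart."""
    names = {c.api for c in calls}
    fmt = None
    for c in calls:
        if c.api == "SetClipboardData" and c.args:
            try:
                fmt = CLIPBOARD_FORMATS.get(int(c.args[0], 16), c.args[0])
            except ValueError:
                fmt = c.args[0]
    return {"writes": {"OpenClipboard", "EmptyClipboard", "SetClipboardData"} <= names,
            "reads": "GetClipboardData" in names,
            "format": fmt}


def decode_messages(calls: List[Call]) -> List[tuple]:
    """(call site, message name) for every SendMessageW whose message id is concrete."""
    out = []
    for c in calls:
        if c.api == "SendMessageW" and len(c.args) >= 2:
            try:
                msg = int(c.args[1], 16)
            except ValueError:
                continue          # '?' means the sandbox could not resolve the value
            out.append((c.ref, WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")))
    return out


PATH_RE = re.compile(r"^[A-Za-z]:\\")


def filesystem_paths(calls: List[Call]) -> dict:
    """Every path-looking argument, grouped by the API that received it."""
    out = {}
    for c in calls:
        for a in c.args:
            if PATH_RE.match(a):
                out.setdefault(c.api, set()).add(a)
    return out


def temp_dir_paths(calls: List[Call]) -> List[str]:
    """Paths under the user's Temp directory, where the installer unpacks and cleans up."""
    return sorted({a for c in calls for a in c.args if "\\AppData\\Local\\Temp\\" in a})


# Sample input: bullets copied from the report's API listings.
SAMPLE = r"""
• OpenClipboard.USER32(00000000), ref: 00405A00
• EmptyClipboard.USER32 ref: 00405A06
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
• CloseClipboard.USER32 ref: 00405A61
  • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
• DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
• FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\), ref: 00403D54
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(clipboard_summary(parsed))
    print(decode_messages(parsed))
    print(temp_dir_paths(parsed))
```

Run against the sample, `clipboard_summary` reports a CF_UNICODETEXT write with no read, `decode_messages` resolves the 0x1073 message that fills the buffer to LVM_GETITEMTEXTW (the list-view text being copied), and `temp_dir_paths` shows that the file enumeration and deletion are confined to the installer's own `nsl5176.tmp` working directory under Temp.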
                                        APIs
                                        • FindFirstFileW.KERNELBASE(75923420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                                        • FindClose.KERNEL32(00000000), ref: 0040688A
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                         Similarity
                                         • API ID: Find$CloseFileFirst
                                         • String ID: C:\
                                         • API String ID: 2295610775-3404278061
                                         • Opcode ID / Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                         • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                                         • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

                                         Control-flow Graph
                                         • Function at 0x403f9a (the dialog procedure passed to DialogBoxParamW at 0x403E75), basic blocks 0x403f9a through 0x40446f. The rendered graph and its Executed / Not Executed colouring are not reproduced here; the API calls are listed below.
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                        • ShowWindow.USER32(?), ref: 00403FF6
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                        • ShowWindow.USER32(?,00000004), ref: 00404021
                                        • DestroyWindow.USER32 ref: 00404035
                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                                        • GetDlgItem.USER32(?,?), ref: 0040406D
                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                        • IsWindowEnabled.USER32(00000000), ref: 00404088
                                        • GetDlgItem.USER32(?,00000001), ref: 00404133
                                        • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                        • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                        • ShowWindow.USER32(00000000,?), ref: 0040426F
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
                                        • EnableWindow.USER32(?,?), ref: 0040429C
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                                        • EnableMenuItem.USER32(00000000), ref: 004042B9
                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                        • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                        • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                                        • ShowWindow.USER32(?,0000000A), ref: 00404456
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                         Similarity
                                         • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                         • String ID: (none)
                                         • API String ID: 121052019-0
                                         • Opcode ID / Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
                                         • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                         • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

                                         Control-flow Graph
                                         • Function at 0x403bec, basic blocks 0x403bec through 0x403ec1. The rendered graph and its Executed / Not Executed colouring are not reproduced here; the API calls are listed below.
                                        APIs
                                          • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                          • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                        • GetUserDefaultUILanguage.KERNELBASE(00000002,75923420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C06
                                          • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                        • lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C6D
                                        • lstrlenW.KERNEL32(00432EA0,?,?,?,00432EA0,00000000,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75923420), ref: 00403CED
                                        • lstrcmpiW.KERNEL32(00432E98,.exe,00432EA0,?,?,?,00432EA0,00000000,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                                        • GetFileAttributesW.KERNEL32(00432EA0,?,00000000,?), ref: 00403D0B
                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\), ref: 00403D54
                                        • RegisterClassW.USER32(00433EA0), ref: 00403D91
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
                                        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
                                        • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
                                        • GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
                                        • GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
                                        • RegisterClassW.USER32(00433EA0), ref: 00403E56
                                        • DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                         Similarity
                                         • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                         • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$elete file:
                                         • API String ID: 606308-3923983357
                                         • Opcode ID / Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
                                         • Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
                                         • Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

                                         Control-flow Graph
                                         • Function at 0x40307d, basic blocks 0x40307d through 0x4032b1. The rendered graph and its Executed / Not Executed colouring are not reproduced here; the API calls are listed below.
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 0040308E
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                          • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                          • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                        • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                        • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                         Similarity
                                         • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                         • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                                         • API String ID: 2803837635-163011212
                                         • Opcode ID / Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                         • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                                         • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

                                         Control-flow Graph
                                         • Function at 0x4032b4, basic blocks 0x4032b4 through 0x4034cc. The graph shows calls to GetTickCount, MulDiv and wsprintfW; the rendered graph and its Executed / Not Executed colouring are not reproduced here.
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CountTick$wsprintf
                                        • String ID: *B$ A$ A$... %d%%$/4B$} } }, "s3" : { "defaults" : { "signatureVersions" : [ "s3v4" ] }, "endpoints" : { "us-iso-east-1" : { "protocols" : [ "http", "https" ], "signatureVersions" : [ "s3v4" ] $}8@
                                        • API String ID: 551687249-328096470
                                        • Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                        • Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
                                        • Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                        • Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

                                        Control-flow Graph
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(00432EA0,00000400), ref: 00406695
                                        • GetWindowsDirectoryW.KERNEL32(00432EA0,00000400,00000000,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,00000000,0042342F,759223A0), ref: 004066A8
                                        • lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                        • lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000), ref: 00406779
                                        Strings
                                        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
                                        • C:\Users\user\AppData\Local\Temp\nsl5176.tmp\, xrefs: 0040659F
                                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663
                                        Similarity
                                        • API ID: Directory$SystemWindowslstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 4260037668-1140045403
                                        • Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
                                        • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                        • Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
                                        • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

                                        Control-flow Graph
                                        APIs
                                        • lstrcatW.KERNEL32(00000000,00000000,"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler,?,?,00000031), ref: 004017B0
                                        • CompareFileTime.KERNEL32(-00000014,?,"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe,"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe,00000000,00000000,"C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler,?,?,00000031), ref: 004017D5
                                          • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                          • Part of subcall function 0040559F: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00403418,00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0), ref: 004055FA
                                          • Part of subcall function 0040559F: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\), ref: 0040560C
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID: "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe$C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                        • API String ID: 1941528284-3651343164
                                        • Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
                                        • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                                        • Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
                                        • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

                                        Control-flow Graph
                                        APIs
                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                        • lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00403418,00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0), ref: 004055FA
                                        • SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\), ref: 0040560C
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                          • Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                          • Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000), ref: 00406779
                                        Strings
                                        Similarity
                                        • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\
                                        • API String ID: 1495540970-3611396640
                                        • Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
                                        • Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
                                        • Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
                                        • Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

                                        Control-flow Graph
                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                        • wsprintfW.USER32 ref: 004068EC
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                        Strings
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%S.dll$UXTHEME$\
                                        • API String ID: 2200240437-1946221925
                                        • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                        • Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
                                        • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                        • Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

                                        Control-flow Graph
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                        • GetLastError.KERNEL32 ref: 00405AC5
                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                        • GetLastError.KERNEL32 ref: 00405AE4
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                                        Similarity
                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 3449924974-823278215
                                        • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                        • Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
                                        • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                        • Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

                                        Control-flow Graph
                                        APIs
                                          • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                          • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                        • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
                                        • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D
                                        Strings
                                        Similarity
                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                        • String ID: C:\$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 3248276644-1964270705
                                        • Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                        • Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
                                        • Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                        • Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

                                        Control-flow Graph
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 0040607A
                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
                                        Strings
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-44229769
                                        • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                        • Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
                                        • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                        • Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

                                        Control-flow Graph (basic blocks with their outgoing edges; the executed / not-executed colouring of the original graph image is not preserved in text)
                                        • 746 [4015c1-4015d5] call 402da6, call 405eb7 -> 751, 752
                                        • 751 [401631-401634] -> 754, 755
                                        • 752 [4015d7-4015ea] call 405e39 -> 760, 761
                                        • 754 [401663-4022f6] call 401423 -> 767
                                        • 755 [401636-401655] call 401423, call 40653d, SetCurrentDirectoryW -> 767, 773
                                        • 760 [401604-401607] call 405aeb -> 770
                                        • 761 [4015ec-4015ef] -> 760, 764
                                        • 764 [4015f1-4015f8] call 405b08 -> 760, 779
                                        • 767 [402c2a-402c39]
                                        • 770 [40160c-40160e] -> 774, 775
                                        • 773 [40165b-40165e] -> 767
                                        • 774 [401610-401615] -> 776, 777
                                        • 775 [401627-40162f] -> 751, 752
                                        • 776 [401624] -> 775
                                        • 777 [401617-401622] GetFileAttributesW -> 775, 776
                                        • 779 [4015fa-4015fd] call 405a6e -> 781
                                        • 781 [401602] -> 770
                                        APIs
                                          • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                          • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                          • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                        • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler,?,00000000,000000F0), ref: 0040164D
                                        Strings
                                        • C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler, xrefs: 00401640
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                        • String ID: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler
                                        • API String ID: 1892508949-372905971
                                        • Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
                                        • Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
                                        • Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
                                        • Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                          • Part of subcall function 0040559F: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00403418,00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0), ref: 004055FA
                                          • Part of subcall function 0040559F: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\), ref: 0040560C
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                        • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                        • String ID:
                                        • API String ID: 334405425-0
                                        • Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
                                        • Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
                                        • Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
                                        • Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D
                                        APIs
                                        • lstrlenW.KERNEL32(0040B5F0,00000023,00000011,00000002), ref: 004024D5
                                        • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5F0,00000000,00000011,00000002), ref: 00402515
                                        • RegCloseKey.ADVAPI32(?,?,?,0040B5F0,00000000,00000011,00000002), ref: 004025FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CloseValuelstrlen
                                        • String ID:
                                        • API String ID: 2655323295-0
                                        • Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
                                        • Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
                                        • Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
                                        • Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58
                                        APIs
                                          • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                          • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                        • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
                                        • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: File$Attributes$DeleteDirectoryRemove
                                        • String ID:
                                        • API String ID: 1655745494-0
                                        • Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                                        • Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
                                        • Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                                        • Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A
                                        APIs
                                        • RegQueryValueExW.KERNELBASE(00650000,00650000,00000000,00000000,00432EA0,00000800,00000000,?,00000000,00650000,00650000,00432EA0,?,?,00406672,80000002), ref: 00406451
                                        • RegCloseKey.ADVAPI32(00650000,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,00650000,00432EA0,00650000,00000000,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\), ref: 0040645C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID:
                                        • API String ID: 3356406503-0
                                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                        • Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
                                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                        • Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                        • Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
                                        • Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                        • Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 00405682
                                          • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                        • CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 004056CE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: InitializeMessageSendUninitialize
                                        • String ID:
                                        • API String ID: 2896919175-0
                                        • Opcode ID: 373f90d4a1babe4f1a04baa381ba9309e44634cfc63d647d34b32aa976a59a0d
                                        • Instruction ID: 6be4ff692d487ef8b3e25caebddd25c5d55207980f196ef2193ccf2f8785d180
                                        • Opcode Fuzzy Hash: 373f90d4a1babe4f1a04baa381ba9309e44634cfc63d647d34b32aa976a59a0d
                                        • Instruction Fuzzy Hash: B3F0F0765006009AE6115B95A901BA677A8EBD4316F49883AEF88632E0CB365C418A1C
                                        APIs
                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                        • CloseHandle.KERNEL32(?), ref: 00405B56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CloseCreateHandleProcess
                                        • String ID:
                                        • API String ID: 3712363035-0
                                        • Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                        • Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
                                        • Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                        • Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 9830f19a5ada20b5c39db0360587226410169cce59dca2e5f379f63bd844bbb1
                                        • Instruction ID: a156d7c756385a3c588793d51facb92f34767ed8181f20582b2048d309791e4b
                                        • Opcode Fuzzy Hash: 9830f19a5ada20b5c39db0360587226410169cce59dca2e5f379f63bd844bbb1
                                        • Instruction Fuzzy Hash: 25E04F76B101149BCB05DFA8ED908AEB3A6EB84311314483BE502B3290D675AD048B18
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                          • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                          • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                          • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        • CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsl5176.tmp\, xrefs: 00403B31
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\
                                        • API String ID: 2962429428-3611396640
                                        APIs
                                        • CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                                        • GetLastError.KERNEL32 ref: 00405AFF
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        APIs
                                        • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00650000,00432EA0,?,00650000,?,00406438,?,00000000,00650000,00650000,00432EA0,?), ref: 004063CE
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        APIs
                                        • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                        • SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        APIs
                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                          • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                          • Part of subcall function 0040559F: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00403418,00403418,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000,0042342F,759223A0), ref: 004055FA
                                          • Part of subcall function 0040559F: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\), ref: 0040560C
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                          • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                          • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                          • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                          • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                          • Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8
                                          • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                        • String ID:
                                        • API String ID: 2972824698-0
                                        • Opcode ID: fa18f46a8673bca6434a5c9373a6cbc3dc8609fa07edefac18420a2ce970209b
                                        • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                                        • Opcode Fuzzy Hash: fa18f46a8673bca6434a5c9373a6cbc3dc8609fa07edefac18420a2ce970209b
                                        • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                                        APIs
                                        • Sleep.KERNELBASE(00000000), ref: 004014EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                        • Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
                                        • Opcode Fuzzy Hash: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                        • Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C
                                        APIs
                                        • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                        • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                        • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                        • lstrcmpiW.KERNEL32(00432EA0,0042D268,00000000,?,?), ref: 00404AF1
                                        • lstrcatW.KERNEL32(?,00432EA0), ref: 00404AFD
                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F
                                          • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                          • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                                          • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                                          • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                                          • Part of subcall function 004067C4: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                                        • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                          • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                          • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                          • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                        Strings
                                        • A, xrefs: 00404AAD
                                        • C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\, xrefs: 00404ADA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: A$C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\
                                        • API String ID: 2624150263-34098319
                                        • Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
                                        • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                        • Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
                                        • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                                        APIs
                                        • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                        Strings
                                        • C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler, xrefs: 00402269
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CreateInstance
                                        • String ID: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler
                                        • API String ID: 542301482-372905971
                                        • Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
                                        • Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
                                        • Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
                                        • Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                        • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                                        • Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                        • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                        • Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
                                        • Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                        • Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                        • Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
                                        • Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                        • Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                        • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                        • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                        • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                        • DeleteObject.GDI32(00000000), ref: 00405000
                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                          • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                        • ShowWindow.USER32(?,00000005), ref: 00405162
                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                        • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                        • GlobalFree.KERNEL32(?), ref: 00405340
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                        • ShowWindow.USER32(?,00000000), ref: 004054EA
                                        • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                        • ShowWindow.USER32(00000000), ref: 004054FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 2564846305-813528018
                                        • Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
                                        • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                        • Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
                                        • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                        APIs
                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                        • GetSysColor.USER32(?), ref: 00404738
                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                        • lstrlenW.KERNEL32(?), ref: 00404759
                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                        • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                        • SendMessageW.USER32(00000000), ref: 004047DB
                                        • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                        • SetCursor.USER32(00000000), ref: 0040485A
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                        • SetCursor.USER32(00000000), ref: 00404876
                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                        • String ID: N
                                        • API String ID: 3103080414-1130791706
                                        • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                        • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                        • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                        • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                        APIs
                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                        • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                                        • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                        • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                        • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                          • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                          • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                        • GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                        • wsprintfA.USER32 ref: 00406202
                                        • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                        • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                        • GlobalFree.KERNEL32(00000000), ref: 004062EB
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
                                          • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                          • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %ls=%ls$[Rename]
                                        • API String ID: 2171350718-461813615
                                        • Opcode ID: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
                                        • Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
                                        • Opcode Fuzzy Hash: 6203cc16da91056e546519e3ab518561ff1c14b2742299aa71b9d8e7299f7fea
                                        • Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EB), ref: 0040451D
                                        • GetSysColor.USER32(00000000), ref: 0040455B
                                        • SetTextColor.GDI32(?,00000000), ref: 00404567
                                        • SetBkMode.GDI32(?,?), ref: 00404573
                                        • GetSysColor.USER32(?), ref: 00404586
                                        • SetBkColor.GDI32(?,?), ref: 00404596
                                        • DeleteObject.GDI32(?), ref: 004045B0
                                        • CreateBrushIndirect.GDI32(?), ref: 004045BA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                        • Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
                                        • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                        • Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54
                                        APIs
                                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                          • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                        • String ID: 9
                                        • API String ID: 163830602-2366072709
                                        • Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                                        • Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
                                        • Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                                        • Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                        APIs
                                        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                                        • CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                                        • CharNextW.USER32(?,00000000,75923420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                                        • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-1201062745
                                        • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                        • Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
                                        • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                        • Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD
                                        APIs
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                        • GetMessagePos.USER32 ref: 00404E77
                                        • ScreenToClient.USER32(?,?), ref: 00404E91
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                        • Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
                                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                        • Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                        • MulDiv.KERNEL32(00181E00,00000064,00183298), ref: 00402FDC
                                        • wsprintfW.USER32 ref: 00402FEC
                                        • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402FE6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        • Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                        • Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
                                        • Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                        • Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                        • GlobalFree.KERNEL32(?), ref: 00402A06
                                        • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                        • String ID:
                                        • API String ID: 2667972263-0
                                        • Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                        • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                                        • Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                        • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8
                                        APIs
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: CloseEnum$DeleteValue
                                        • String ID:
                                        • API String ID: 1354259210-0
                                        • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                        • Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
                                        • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                        • Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00401D9A
                                        • GetClientRect.USER32(?,?), ref: 00401DE5
                                        • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                        • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                        • DeleteObject.GDI32(00000000), ref: 00401E39
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2092512933.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2092495447.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092531995.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092551285.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2092652651.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        APIs
                                        • GetDC.USER32(?), ref: 00401E51
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                        • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                          • Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                          • Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,?,004055D6,C:\Users\user\AppData\Local\Temp\nsl5176.tmp\,00000000), ref: 00406779
                                        • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2584051700-0
                                        APIs
                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        APIs
                                        • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                        • wsprintfW.USER32 ref: 00404DF0
                                        • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                        Strings
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        APIs
                                        • CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                                        • CharNextW.USER32(00000000), ref: 00405ECA
                                        • CharNextW.USER32(00000000), ref: 00405EE2
                                        Strings
                                        Similarity
                                        • API ID: CharNext
                                        • String ID: C:\
                                        • API String ID: 3213498283-3404278061
                                        APIs
                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
                                        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
                                        • lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-823278215
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
                                        • GetTickCount.KERNEL32 ref: 0040304A
                                        • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                        • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00405542
                                        • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                          • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                        Strings
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        APIs
                                        • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                                        • GlobalFree.KERNEL32(?), ref: 00403B78
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
                                        Similarity
                                        • API ID: Free$GlobalLibrary
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 1100898210-823278215
                                        APIs
                                        • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                        • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe,80000000,00000003), ref: 00405E6E
                                        Strings
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-1246513382
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
                                        • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2074279860.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2500000_KillProcPCTT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2074279860.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2500000_KillProcPCTT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 44215844aa9e11d763f02198ed195b260d590fb4dcd54e3f71d47e353077136c
                                        • Instruction ID: baab73e3e9b8bac619d4c3f43c3988426445bd159a23650c4ea469a7cd65cf5b
                                        • Opcode Fuzzy Hash: 44215844aa9e11d763f02198ed195b260d590fb4dcd54e3f71d47e353077136c
                                        • Instruction Fuzzy Hash: E541F274E012099FDB04DFA9C880AEEBBF2BF89300F249569D405B7394DB349A46CF54
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2074279860.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_2500000_KillProcPCTT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab9c2e129ab8c231e109166a03667f84729d8bedb33b87605d81f99a981db5cc
                                        • Instruction ID: a7b22f7945c6c4139985b093190a43c1dabd5751f6ddbe605422160e5e041379
                                        • Opcode Fuzzy Hash: ab9c2e129ab8c231e109166a03667f84729d8bedb33b87605d81f99a981db5cc
                                        • Instruction Fuzzy Hash: CFF0A730D4110487D7087B64E82C5F9B77AFBC6711F006869D50567294CB719828CAD9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H
                                        • API String ID: 0-2852464175
                                        • Opcode ID: b4463eccdea9effbaf045f7002d2d408b4e5d8a38bca2e7abccf8975fb20cf36
                                        • Instruction ID: 93d27dce908dd8ffdb6cff7f86e3b24218e283db3b8ea3258d7e9250bb0d10cd
                                        • Opcode Fuzzy Hash: b4463eccdea9effbaf045f7002d2d408b4e5d8a38bca2e7abccf8975fb20cf36
                                        • Instruction Fuzzy Hash: 7D321C3090964E8FDB99EF28C895AE977B1FF59344F5001F9D00ED76A6CB35A982CB40
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 25049fac087c7d3c4d97d0208befa5a6ed5f12453cd981fdeaae1f9d3a8ed585
                                        • Instruction ID: 27232c530ad8e3223c9ec597697b60ce67a13c7777c40b3d57cbfdd64dfbb6d5
                                        • Opcode Fuzzy Hash: 25049fac087c7d3c4d97d0208befa5a6ed5f12453cd981fdeaae1f9d3a8ed585
                                        • Instruction Fuzzy Hash: 44D12B70909A4D8FDB99EF28C895AE977F1FF59300F1441EDD04ED76A2CA359A86CB00
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98c1bfc9f761a0af8e0d274aed329731bb1e1ed965a9c1cf0c298d8f601e83cb
                                        • Instruction ID: 62573d355d9f6e4f6f626770032b228f2ee05a3a9f26d9f86e6e777b9b6b02c8
                                        • Opcode Fuzzy Hash: 98c1bfc9f761a0af8e0d274aed329731bb1e1ed965a9c1cf0c298d8f601e83cb
                                        • Instruction Fuzzy Hash: 4C118571C0A60ECFEB55AFA0D4442FDBBB1FF4A341F4414BAD10AA7282DB38A548CB44
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 510a998fdcc86076a6a080a4bb7abdd5becba1b856031aef25bb1bc552461066
                                        • Instruction ID: fbd2f465a53c82f6102174423df7120db11651802b401f0b2ba90aedf3a8de5d
                                        • Opcode Fuzzy Hash: 510a998fdcc86076a6a080a4bb7abdd5becba1b856031aef25bb1bc552461066
                                        • Instruction Fuzzy Hash: AE113531C0961EDEEB25AFA4D4042FEB6B1FF4A341F401579D00AB2282DF39A584CB98
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <N_^$N_^Q
                                        • API String ID: 0-3778861457
                                        • Opcode ID: cac1eaadd1f9f13163509ee426ef8e836194e3b614bdeb79e9991da1e96bb3e2
                                        • Instruction ID: bca628199678b1972781e152a56be2e665faed0d21092189a195ba408a87996e
                                        • Opcode Fuzzy Hash: cac1eaadd1f9f13163509ee426ef8e836194e3b614bdeb79e9991da1e96bb3e2
                                        • Instruction Fuzzy Hash: 3081FBA758E5A53ED30977BCB8510F93B50EF423B9F0C51B7D1CC8A053DA18608A8BA9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <N_^$N_^c
                                        • API String ID: 0-703301649
                                        • Opcode ID: 99cc61ab0a997e2448ba9b08abef5dfa5fbd5c8abfdbd84a94c03ea7092ddedb
                                        • Instruction ID: ae21a3f9b5afc814d336b89773bf6d2ba89d18d6e61e0e29cb720b25cf3ed626
                                        • Opcode Fuzzy Hash: 99cc61ab0a997e2448ba9b08abef5dfa5fbd5c8abfdbd84a94c03ea7092ddedb
                                        • Instruction Fuzzy Hash: B071ABA658F5953EE30A77BCB8660F93F50EF422B9F0C51B7D18C8A053DD18504A8BA9
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9003e390f96e5863ef1af0585e8b57bbdefa81b3bc4010cec093ed0455406a8
                                        • Instruction ID: 42c95cb3acc44c14a272b08a7a4e3b3f8af82452bf30d42631f6bae0489c2e41
                                        • Opcode Fuzzy Hash: d9003e390f96e5863ef1af0585e8b57bbdefa81b3bc4010cec093ed0455406a8
                                        • Instruction Fuzzy Hash: 8D12E630A0894D8FDB99EF18C895AE973A2FF59345F5405B8E40EC7296CB35ED82CB40
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 711c05f68e235640af6eef9900cc9ba3d64f88a45b30a32373c80281f11e3626
                                        • Instruction ID: 4682b1d229558830e41dac57f70dcf0d159e30c95914a5ebe8db5e32205d4648
                                        • Opcode Fuzzy Hash: 711c05f68e235640af6eef9900cc9ba3d64f88a45b30a32373c80281f11e3626
                                        • Instruction Fuzzy Hash: B9A1793091A61A8FDB99EB64C4997E9B7F1FF05300F5004EDC04A9B296CB39AD86CF04
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec6787843f5be575e23a51431f1b73ef2f3995368ac95af3be52b81ee779775f
                                        • Instruction ID: 281a4570296c9ef8ef022535108b2901b2cd1dfd7d3f09cba023f49c8b18c93b
                                        • Opcode Fuzzy Hash: ec6787843f5be575e23a51431f1b73ef2f3995368ac95af3be52b81ee779775f
                                        • Instruction Fuzzy Hash: 6C714C70908A498FDB99EB28C895AE977F1FF59300F1401EDD40ED76A1CB35AE82CB04
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c6312527719d700ebfe515594a02f8e45d3348ac9e761e0ab2b42344ac679e1
                                        • Instruction ID: 7ff948462ac5241c9e760a5352d1c6ad27beca3eee4b0d43cbb2d7cee579a47e
                                        • Opcode Fuzzy Hash: 1c6312527719d700ebfe515594a02f8e45d3348ac9e761e0ab2b42344ac679e1
                                        • Instruction Fuzzy Hash: E151FE70909A4D9FDB51EFB8C449AEDBBF1FF19301F1400A9D449D7265DB34A881CB50
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc0fed7587e339946fc6223e02e3c658f6f5621a5cd3991c31a710cc42d3e295
                                        • Instruction ID: 2f03673380713009ae60340bf82d96eb6ad442fd326cc14fc0774f2cbc7d9dcf
                                        • Opcode Fuzzy Hash: fc0fed7587e339946fc6223e02e3c658f6f5621a5cd3991c31a710cc42d3e295
                                        • Instruction Fuzzy Hash: CF512071D2894E9FEBE8EA18D855AF9B3A1FF94340F4042B6D00DD358ACF346D828B54
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 014c9152f5c8395510e959b7eb47c5142fbb99cd33835f2cf8ebefbcbdb1b30e
                                        • Instruction ID: 765758f1724d5d0a1a23e5b2f530a3f43f8d55750145b11008df6b249d3a498c
                                        • Opcode Fuzzy Hash: 014c9152f5c8395510e959b7eb47c5142fbb99cd33835f2cf8ebefbcbdb1b30e
                                        • Instruction Fuzzy Hash: 5F416B3090C64C8FDB59DFA8D885BEDBBF0FB5A310F1441AED049E7252DA34A886CB51
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8d70216a43816e68f29341376afe066af639909f09f972d0b9283f2f49d0683e
                                        • Instruction ID: c1a48a2f28ff485bfcf0c16e6518e9c60b2b24d9908dcdcc4670d4920e108bdd
                                        • Opcode Fuzzy Hash: 8d70216a43816e68f29341376afe066af639909f09f972d0b9283f2f49d0683e
                                        • Instruction Fuzzy Hash: C541F870908A0C9FDB58EF98D885AEDBBF0FB59310F10416ED44AE7252DA70A886CB45
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a59d78577f425ccd97c97c6e0f3d6a9c44c2b8da2a2cc4be98466a7b2aa56c6d
                                        • Instruction ID: c8dde79ed086826d8c72ffbfeb2887e3626e538e8050b95e7791cd3d8b4bd50e
                                        • Opcode Fuzzy Hash: a59d78577f425ccd97c97c6e0f3d6a9c44c2b8da2a2cc4be98466a7b2aa56c6d
                                        • Instruction Fuzzy Hash: 64310772E0D99A4FE755EBACE8542FDBBA0FF443A0F04007BE088D3182DA349844C795
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b372c316804fc3c6c0c24fde14ac03ac6ec5c10ace49367779d0826cb8e58045
                                        • Instruction ID: fcba39c0bbb570b7ea7b6adf806caf910c798f6a6822e9eafb9c9827cc39edb7
                                        • Opcode Fuzzy Hash: b372c316804fc3c6c0c24fde14ac03ac6ec5c10ace49367779d0826cb8e58045
                                        • Instruction Fuzzy Hash: E5315D71D0894E8FEB98EF58D841AE9B7B1FF58340F1001BAD00ED7296DF34A8818B80
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a25d57ec4faf6f90cc491f0d9b6d96a286eae6cc4eef405d9686436a75db5acd
                                        • Instruction ID: ae7fda9b5a3382b7c462a89a97459aea73cff37788b8d88b6b523e8e9ea5b196
                                        • Opcode Fuzzy Hash: a25d57ec4faf6f90cc491f0d9b6d96a286eae6cc4eef405d9686436a75db5acd
                                        • Instruction Fuzzy Hash: E531B27090968D8FDB95EB68C855AE977E1FF56340F0401F9D40DCB2A2CB39AD86CB04
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f1b9769de2e90d666fcc4ce16b8b8175ef174424d3fb179057879900507fe4b7
                                        • Instruction ID: d79ed8a56ff417e5f6adbdfe8ec13673e2f0e3deb2864fe463779873ddf993ff
                                        • Opcode Fuzzy Hash: f1b9769de2e90d666fcc4ce16b8b8175ef174424d3fb179057879900507fe4b7
                                        • Instruction Fuzzy Hash: 94314A31A09A8D8FDB95EF28D855BE973E1FF55300F5405B9D40EDB296CA39A982CB00
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bca19587e3fb24ff51b9ef334d3ef6ccdfc03bd27af20e59f7bc48dbff8ef1b0
                                        • Instruction ID: f91b3f7555a66ee36cc95bcb798e095fee7a23be827fe1ea5c2e3682e05b1bf3
                                        • Opcode Fuzzy Hash: bca19587e3fb24ff51b9ef334d3ef6ccdfc03bd27af20e59f7bc48dbff8ef1b0
                                        • Instruction Fuzzy Hash: 32318C3091E65A9FE751EB34C85ABA9B7F1FF06340F5040E9C04D9B2A6DB38A981CF01
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec7e189f48396e7d17384d9dc7f99d4fd6e662150853b6317e55b4f2ba27c868
                                        • Instruction ID: b89b3bef4633a24102d51c17b314aa73c4d1d338273ddb62b85c017f71ecc50f
                                        • Opcode Fuzzy Hash: ec7e189f48396e7d17384d9dc7f99d4fd6e662150853b6317e55b4f2ba27c868
                                        • Instruction Fuzzy Hash: 4031A43091961A8FEB95FB68C499AE977B1FF59341F5004E9D00CD7292CB35A981CF00
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d91517e3a6b4f2ec81e171d011e6eef65228ee9b9c3b468088f12cc7121e2eeb
                                        • Instruction ID: 274951c8aba43169d47b7bf33d7a4e86e42754c9390d54c61acd14dcb55ea35b
                                        • Opcode Fuzzy Hash: d91517e3a6b4f2ec81e171d011e6eef65228ee9b9c3b468088f12cc7121e2eeb
                                        • Instruction Fuzzy Hash: E721083090894E8FDB98EF68C851BE9B7B2FF58340F5041B9D00ED7296DE34A882CB40
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf083282d25466820d661c31878384dfce06aa2f2fb5f5f5724827d5a5750b2b
                                        • Instruction ID: cf8e772f7568e8c898a5e7f2fde434cd102485e3727dab6ebda0f307831b76bb
                                        • Opcode Fuzzy Hash: bf083282d25466820d661c31878384dfce06aa2f2fb5f5f5724827d5a5750b2b
                                        • Instruction Fuzzy Hash: 4A213D30909A8D8FDB95EF28D455AA973E1FF56300F5100F9D40DCB2A2DB39AD82CB00
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 420be6e624824294f71f0dab164d6536941bd5a321b95bd4292d079b87d12ebc
                                        • Instruction ID: b4fb40e895e0d87fda6782362918805cd9b069d6b2253aa1d4b0a7f8644c73f2
                                        • Opcode Fuzzy Hash: 420be6e624824294f71f0dab164d6536941bd5a321b95bd4292d079b87d12ebc
                                        • Instruction Fuzzy Hash: A0113A70D18A8E8FEB85FF68C8686E97BA0FF55340F4501BAD809C7192DF34A9918741
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 071db885332b8a7fd0a3c47048317ce3b4ab15b0617586ce4d4bcc83164219d5
                                        • Instruction ID: e75437d35df13a8a425298f13f16b169b8e35e4fc3797486527d5fb9e35b9a6c
                                        • Opcode Fuzzy Hash: 071db885332b8a7fd0a3c47048317ce3b4ab15b0617586ce4d4bcc83164219d5
                                        • Instruction Fuzzy Hash: 9E21C27085E74A5FD751EB74C45AAA9BBF0FF06300F5040E9C04E9B1A2DB38A986CB04
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f34e512ac8005a14a086f391f848f623e47f93ce8b104cbb829842596d0c4b7f
                                        • Instruction ID: 8f2ee8aaa028f37804ff70ef728af582a97b46ead933a86a5b9438f1d37cacc0
                                        • Opcode Fuzzy Hash: f34e512ac8005a14a086f391f848f623e47f93ce8b104cbb829842596d0c4b7f
                                        • Instruction Fuzzy Hash: 5C112BB584F6993ED705BBB8A4061FA7F50EF422A5F0C41BAD0CD4B053DA186049C799
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: adf0a0ac23fe7c14a65d8e32ad00bdc83aad9db7306e5f6f5590e60d107b13cd
                                        • Instruction ID: 44b59f8bf81373cf4f44567029b92ba461b42d50073df480065a03996a974a4a
                                        • Opcode Fuzzy Hash: adf0a0ac23fe7c14a65d8e32ad00bdc83aad9db7306e5f6f5590e60d107b13cd
                                        • Instruction Fuzzy Hash: B2210830D19A5A8FE7A8FA6888557B8B7B1FF54345F4004FAC00DE3292DF356D818B04
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc4b4b0b757628dd2622118da50844d31ac863d6128751dfb413c586540be445
                                        • Instruction ID: 2bbf4ae44602b5607bded9108f2e4a46be246757ef69527a46948c753e076088
                                        • Opcode Fuzzy Hash: cc4b4b0b757628dd2622118da50844d31ac863d6128751dfb413c586540be445
                                        • Instruction Fuzzy Hash: CB01E970A0995E8FDB94EF18C894AD9B7F1FF59340F1542E4D009D7A56C734ED828B40
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1ce02fed580d6308539a2eda77e8bb6568025c970770ceca44a081ca7498e75e
                                        • Instruction ID: c098e922bce87143e36ceaf8c89c322bed1f8976776803ffa573a24a3c82b98a
                                        • Opcode Fuzzy Hash: 1ce02fed580d6308539a2eda77e8bb6568025c970770ceca44a081ca7498e75e
                                        • Instruction Fuzzy Hash: FA01D17080E7C95FD742FF74491A5A97FA0EF17251F0902EED48A8B063D7698459C381
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c6f3d797af6bee9f586ce7c12459275f6736171025c7c6342df5254fbd205a5f
                                        • Instruction ID: a30a17a32e440f258d6a638323cc4eb9e0ddfcb5f2d1664d26a914843f526ca9
                                        • Opcode Fuzzy Hash: c6f3d797af6bee9f586ce7c12459275f6736171025c7c6342df5254fbd205a5f
                                        • Instruction Fuzzy Hash: 6AF0907080E7896FD741EFB0490A6AABBA0EF06251F0406EDD49A87056D7289559C740
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9aa9cad59faf3c16633e1e8cc8e1af65d576e09e78dcf953def3e8eaf84048d
                                        • Instruction ID: dcd4f8c2207e7f9521281124d7283f58972213f60d3dafa5a1d21aae15f1a765
                                        • Opcode Fuzzy Hash: a9aa9cad59faf3c16633e1e8cc8e1af65d576e09e78dcf953def3e8eaf84048d
                                        • Instruction Fuzzy Hash: B1F07F70A189598FDB99EF18C895EA9B3B2FF59300F5140A8E01ED7266CA71ED81CF00
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.3328165433.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e70000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10e9338dfa0aa0fc5050fc523cd7bdf03d661315219d39c757e527e89f8a9ee4
                                        • Instruction ID: 1860e30552c03477f22371691481777731d839f8a07f502755ef9b2bb1ce7f6d
                                        • Opcode Fuzzy Hash: 10e9338dfa0aa0fc5050fc523cd7bdf03d661315219d39c757e527e89f8a9ee4
                                        • Instruction Fuzzy Hash: 2031C730D19A1D8FEB90EB68C859AE9B7B0FF5A341F5014E5D40DE72A2CB35A981CF04
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2196845703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e90000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5c88f65a082529f14c337acd07a3e2de7c5a0b9a039ee0cee023921b174965b7
                                        • Instruction ID: 74c9ba182703c423e2428ac872837fbe2cbeaa9a534f1b78ba3f247febe39211
                                        • Opcode Fuzzy Hash: 5c88f65a082529f14c337acd07a3e2de7c5a0b9a039ee0cee023921b174965b7
                                        • Instruction Fuzzy Hash: 71418071D0CA498FEB49EBA8D8557E8BBB1FF56345F0400BAD009E7292CB799884CB14
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2196845703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e90000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d27d62ad88a03d11df21f0d74ceccf26e1321b06fcb26d6e79996ddb7d0e6d9
                                        • Instruction ID: dbfcc9c31add3e69a2c1d5283ee657c408a2f536a86e732d0fa2a5653a72c3d0
                                        • Opcode Fuzzy Hash: 2d27d62ad88a03d11df21f0d74ceccf26e1321b06fcb26d6e79996ddb7d0e6d9
                                        • Instruction Fuzzy Hash: CF319C35D0D6499FDB49EBA4D850AECBBF1FF4A304F1400B9D01AD7292CB7AA841CB14
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2196845703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e90000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0958e0dc9dd4a91f6a1986182b28a3a2f6584da034f31d0479a2be9fa6b2bdec
                                        • Instruction ID: f000ce50d74cbf577f79b430d3dc1dc0d46722603121ce1799ee26073d982d1d
                                        • Opcode Fuzzy Hash: 0958e0dc9dd4a91f6a1986182b28a3a2f6584da034f31d0479a2be9fa6b2bdec
                                        • Instruction Fuzzy Hash: 18115EB5E0D68D9FDB80EF68C8496A97BF0FF69350F0401A6D518CB251DBB9D9018B40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2196845703.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e90000_mssched.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d72b2687bbd4d1a6c708aedfa163e6248a45249b323f26e6caf6a32daabc5e2b
                                        • Instruction ID: aa7938b2c0c9893ebf90f4d04d99865ecb185c9cf906a5e799b8ea842ba6bf61
                                        • Opcode Fuzzy Hash: d72b2687bbd4d1a6c708aedfa163e6248a45249b323f26e6caf6a32daabc5e2b
                                        • Instruction Fuzzy Hash: 5AF08C3184D6884FD716AE2488512E57F60FF46240F0502A6D448C60D3DB6D9558C742