
Windows Analysis Report
y83WAR4vQc.exe

Overview

General Information

Sample name: y83WAR4vQc.exe (renamed because the original name is a hash value)
Original sample name: f9401786d00286b50c0d2228fa06d6777d0a5c32294470c297db161a8625ac5b.exe
Analysis ID: 1562314
MD5: 4effe13b0f91976bd70825f2eff1077a
SHA1: 65990fc883bdd4c6c59cf039e5979c43d3d3d0d2
SHA256: f9401786d00286b50c0d2228fa06d6777d0a5c32294470c297db161a8625ac5b
Tags: exe, user-adrian__luca

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • y83WAR4vQc.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\y83WAR4vQc.exe" MD5: 4EFFE13B0F91976BD70825F2EFF1077A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: y83WAR4vQc.exe | Avira: detected
Source: y83WAR4vQc.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.7% probability
Source: y83WAR4vQc.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_0040276E FindFirstFileW,0_2_0040276E
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00405629 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405629
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_004060E4 FindFirstFileW,FindClose,0_2_004060E4
Source: y83WAR4vQc.exe, 00000000.00000002.1362400372.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: y83WAR4vQc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_0040518A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040518A
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00403229 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403229
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00406547
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00406D1E
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_004049C7
Source: y83WAR4vQc.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00404481 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404481
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_0040206A CoCreateInstance,0_2_0040206A
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp
Source: y83WAR4vQc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: y83WAR4vQc.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | File read: C:\Users\user\Desktop\y83WAR4vQc.exe
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_0040610B GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_0040610B
Source: y83WAR4vQc.exe | Static PE information: real checksum: 0xce445 should be: 0xa98e
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | API coverage: 7.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_0040276E FindFirstFileW,0_2_0040276E
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00405629 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405629
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_004060E4 FindFirstFileW,FindClose,0_2_004060E4
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | API call chain: ExitProcess graph end node graph_0-2752
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_0040610B GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_0040610B
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\y83WAR4vQc.exe | Code function: 0_2_00405DC3 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00405DC3
MITRE ATT&CK Matrix (tactic: techniques; a number in parentheses is the count shown in the matrix for that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Native API (1); Scheduled Task/Job
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts
  • Defense Evasion: DLL Side-Loading (1); Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: File and Directory Discovery (2); System Information Discovery (4)
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Archive Collected Data (1); Clipboard Data (1)
  • Command and Control: Encrypted Channel (1); Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: System Shutdown/Reboot (1); Network Denial of Service
Source | Detection | Scanner | Label
y83WAR4vQc.exe | 24% | ReversingLabs | Win32.Trojan.GuLoader
y83WAR4vQc.exe | 100% | Avira | TR/Crypt.XPACK.Gen2
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | y83WAR4vQc.exe, 00000000.00000002.1362400372.000000000062E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | y83WAR4vQc.exe | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562314
Start date and time: 2024-11-25 13:53:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: y83WAR4vQc.exe (renamed because the original name is a hash value)
Original Sample Name: f9401786d00286b50c0d2228fa06d6777d0a5c32294470c297db161a8625ac5b.exe
Detection: MAL
Classification: mal60.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 8
• Number of non-executed functions: 42
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: y83WAR4vQc.exe
      No simulations
      No context
      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.155559768679113
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: y83WAR4vQc.exe
File size: 41'984 bytes
MD5: 4effe13b0f91976bd70825f2eff1077a
SHA1: 65990fc883bdd4c6c59cf039e5979c43d3d3d0d2
SHA256: f9401786d00286b50c0d2228fa06d6777d0a5c32294470c297db161a8625ac5b
SHA512: 15b82f809439d255e1b43cf25e8c21e90dd326791fc1ce3370e56e7d3d96e76d1655a4f23a8b99c73f7b0fadeb709b979e974753f50cb9e2b132cc7fbbaec8bb
SSDEEP: 768:yWPCo6ws94NYoKqJ4rsmxsATghCS4w10D3kvySGQVzIc/I5a/W:xaDLGYUbUTghCi10DHYzIc/oa/W
TLSH: A0137C41B7A0D423D6B346311936A77B8FBAF92064A06B1B57503F9D7D325C3EA0E392
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................b..........)2............@
Icon Hash: 1f9706b9f9391b86
Entrypoint: 0x403229
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x52BA66B8 [Wed Dec 25 05:01:44 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 7ed0d71376e55d58ab36dc7d3ffda898
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
Instruction (disassembly at the entrypoint):
          sub esp, 000002D4h
          push ebx
          push ebp
          push esi
          push edi
          push 00000020h
          xor ebp, ebp
          pop esi
          mov dword ptr [esp+14h], ebp
          mov dword ptr [esp+10h], 0040A2D8h
          mov dword ptr [esp+1Ch], ebp
          call dword ptr [00408034h]
          push 00008001h
          call dword ptr [00408134h]
          push ebp
          call dword ptr [004082ACh]
          push 00000008h
          mov dword ptr [00434F58h], eax
          call 00007F3FE0EF4294h
          mov dword ptr [00434EA4h], eax
          push ebp
          lea eax, dword ptr [esp+34h]
          push 000002B4h
          push eax
          push ebp
          push 0042B1B8h
          call dword ptr [0040817Ch]
          push 0040A2C0h
          push 00433EA0h
          call 00007F3FE0EF3EFFh
          call dword ptr [00408138h]
          mov ebx, 0043F000h
          push eax
          push ebx
          call 00007F3FE0EF3EEDh
          push ebp
          call dword ptr [0040810Ch]
          cmp word ptr [0043F000h], 0022h
          mov dword ptr [00434EA0h], eax
          mov eax, ebx
          jne 00007F3FE0EF13FAh
          push 00000022h
          mov eax, 0043F002h
          pop esi
          push esi
          push eax
          call 00007F3FE0EF393Eh
          push eax
          call dword ptr [00408240h]
          mov dword ptr [esp+18h], eax
          jmp 00007F3FE0EF14BEh
          push 00000020h
          pop edx
          cmp cx, dx
          jne 00007F3FE0EF13F9h
          inc eax
          inc eax
          cmp word ptr [eax], dx
          je 00007F3FE0EF13EBh
          add word ptr [eax], 0000h
          Programming Language:
          • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85a0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x65000 | 0x20b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xbee78 | 0x900 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7000 | 0x6200 | 6b261bd7f45c2df7de2d0134c84421b7 | False | 0.6672114158163265 | data | 6.457067985385169 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2000 | 0x1600 | b09411ee7b449199058dfd4a79f91eb1 | False | 0.5182883522727273 | data | 5.339147539541255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0xa000 | 0x2b000 | 0x600 | 326f796323fdc724ea91090eafbe9bdc | False | 0.4856770833333333 | data | 3.795352750027872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x30000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x65000 | 0x20b8 | 0x2200 | 74b27a0083cbdcb566d993625801cb0e | False | 0.5340073529411765 | data | 4.938841517310863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x65208 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4608, resolution 2833 x 2833 px/m | English | United States | 0.5978490832157969
RT_DIALOG | 0x66830 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x66930 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x66a50 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x66b18 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x66b78 | 0x14 | data | English | United States | 1.05
RT_VERSION | 0x66b90 | 0x21c | data | English | United States | 0.5314814814814814
RT_MANIFEST | 0x66db0 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, SetFileAttributesW, ExpandEnvironmentStringsW, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, SetErrorMode, GetCommandLineW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system: English
Country where language is spoken: United States
          No network behavior found


Target ID: 0
Start time: 07:54:33
Start date: 25/11/2024
Path: C:\Users\user\Desktop\y83WAR4vQc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\y83WAR4vQc.exe"
Imagebase: 0x400000
File size: 41'984 bytes
MD5 hash: 4EFFE13B0F91976BD70825F2EFF1077A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 5.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.6%
Total number of Nodes: 1254
Total number of Limit Nodes: 14
API calls 3633->3634 3635 401a09 ExpandEnvironmentStringsW 3634->3635 3636 401a1d 3635->3636 3638 401a30 3635->3638 3637 401a22 lstrcmpW 3636->3637 3636->3638 3637->3638 3639 401b01 3640 402b38 18 API calls 3639->3640 3641 401b08 3640->3641 3642 402b1b 18 API calls 3641->3642 3643 401b11 wsprintfW 3642->3643 3644 4029c5 3643->3644 3645 404481 3646 4044ad 3645->3646 3647 4044be 3645->3647 3706 405561 GetDlgItemTextW 3646->3706 3649 4044ca GetDlgItem 3647->3649 3654 404529 3647->3654 3652 4044de 3649->3652 3650 40460d 3704 4047ae 3650->3704 3708 405561 GetDlgItemTextW 3650->3708 3651 4044b8 3653 406035 5 API calls 3651->3653 3656 4044f2 SetWindowTextW 3652->3656 3657 405897 4 API calls 3652->3657 3653->3647 3654->3650 3658 405dc3 18 API calls 3654->3658 3654->3704 3660 403fe6 19 API calls 3656->3660 3662 4044e8 3657->3662 3663 40459d SHBrowseForFolderW 3658->3663 3659 40463d 3664 4058f4 18 API calls 3659->3664 3665 40450e 3660->3665 3661 40404d 8 API calls 3666 4047c2 3661->3666 3662->3656 3670 4057ec 3 API calls 3662->3670 3663->3650 3667 4045b5 CoTaskMemFree 3663->3667 3668 404643 3664->3668 3669 403fe6 19 API calls 3665->3669 3671 4057ec 3 API calls 3667->3671 3709 405da1 lstrcpynW 3668->3709 3672 40451c 3669->3672 3670->3656 3673 4045c2 3671->3673 3707 40401b SendMessageW 3672->3707 3676 4045f9 SetDlgItemTextW 3673->3676 3681 405dc3 18 API calls 3673->3681 3676->3650 3677 404522 3679 40610b 3 API calls 3677->3679 3678 40465a 3680 40610b 3 API calls 3678->3680 3679->3654 3687 404662 3680->3687 3682 4045e1 lstrcmpiW 3681->3682 3682->3676 3685 4045f2 lstrcatW 3682->3685 3683 4046a1 3710 405da1 lstrcpynW 3683->3710 3685->3676 3686 4046a8 3688 405897 4 API calls 3686->3688 3687->3683 3691 405838 2 API calls 3687->3691 3693 4046f3 3687->3693 3689 4046ae GetDiskFreeSpaceW 3688->3689 3692 4046d1 MulDiv 3689->3692 3689->3693 3691->3687 3692->3693 3694 40475d 3693->3694 3696 40482f 21 API calls 3693->3696 3695 404780 3694->3695 3697 40140b 2 API calls 3694->3697 3711 
404008 EnableWindow 3695->3711 3698 40474f 3696->3698 3697->3695 3700 404754 3698->3700 3701 40475f SetDlgItemTextW 3698->3701 3703 40482f 21 API calls 3700->3703 3701->3694 3702 40479c 3702->3704 3712 404416 3702->3712 3703->3694 3704->3661 3706->3651 3707->3677 3708->3659 3709->3678 3710->3686 3711->3702 3713 404424 3712->3713 3714 404429 SendMessageW 3712->3714 3713->3714 3714->3704 3715 404183 3716 4042b5 3715->3716 3718 40419b 3715->3718 3717 40431f 3716->3717 3719 4043f1 3716->3719 3724 4042f0 GetDlgItem SendMessageW 3716->3724 3717->3719 3720 404329 GetDlgItem 3717->3720 3721 403fe6 19 API calls 3718->3721 3726 40404d 8 API calls 3719->3726 3722 4043b2 3720->3722 3723 404343 3720->3723 3725 404202 3721->3725 3722->3719 3731 4043c4 3722->3731 3723->3722 3730 404369 6 API calls 3723->3730 3746 404008 EnableWindow 3724->3746 3728 403fe6 19 API calls 3725->3728 3729 4043ec 3726->3729 3733 40420f CheckDlgButton 3728->3733 3730->3722 3734 4043da 3731->3734 3735 4043ca SendMessageW 3731->3735 3732 40431a 3737 404416 SendMessageW 3732->3737 3744 404008 EnableWindow 3733->3744 3734->3729 3736 4043e0 SendMessageW 3734->3736 3735->3734 3736->3729 3737->3717 3739 40422d GetDlgItem 3745 40401b SendMessageW 3739->3745 3741 404243 SendMessageW 3742 404260 GetSysColor 3741->3742 3743 404269 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 3741->3743 3742->3743 3743->3729 3744->3739 3745->3741 3746->3732 3747 401f08 3748 402b38 18 API calls 3747->3748 3749 401f0f GetFileVersionInfoSizeW 3748->3749 3750 401f36 GlobalAlloc 3749->3750 3753 401f8c 3749->3753 3751 401f4a GetFileVersionInfoW 3750->3751 3750->3753 3752 401f59 VerQueryValueW 3751->3752 3751->3753 3752->3753 3754 401f72 3752->3754 3758 405ce8 wsprintfW 3754->3758 3756 401f7e 3759 405ce8 wsprintfW 3756->3759 3758->3756 3759->3753 3760 40518a 3761 405336 3760->3761 3762 4051ab GetDlgItem GetDlgItem GetDlgItem 3760->3762 3764 405367 3761->3764 3765 40533f GetDlgItem CreateThread CloseHandle 3761->3765 3805 
40401b SendMessageW 3762->3805 3767 405392 3764->3767 3768 4053b7 3764->3768 3769 40537e ShowWindow ShowWindow 3764->3769 3765->3764 3766 40521c 3774 405223 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3766->3774 3771 4053a6 3767->3771 3772 4053cc ShowWindow 3767->3772 3775 4053f2 3767->3775 3773 40404d 8 API calls 3768->3773 3807 40401b SendMessageW 3769->3807 3808 403fbf 3771->3808 3779 4053ec 3772->3779 3780 4053de 3772->3780 3778 4053c5 3773->3778 3781 405292 3774->3781 3782 405276 SendMessageW SendMessageW 3774->3782 3775->3768 3776 405400 SendMessageW 3775->3776 3776->3778 3783 405419 CreatePopupMenu 3776->3783 3787 403fbf SendMessageW 3779->3787 3786 40504b 25 API calls 3780->3786 3784 4052a5 3781->3784 3785 405297 SendMessageW 3781->3785 3782->3781 3788 405dc3 18 API calls 3783->3788 3789 403fe6 19 API calls 3784->3789 3785->3784 3786->3779 3787->3775 3790 405429 AppendMenuW 3788->3790 3791 4052b5 3789->3791 3792 405446 GetWindowRect 3790->3792 3793 405459 TrackPopupMenu 3790->3793 3794 4052f2 GetDlgItem SendMessageW 3791->3794 3795 4052be ShowWindow 3791->3795 3792->3793 3793->3778 3796 405474 3793->3796 3794->3778 3799 405319 SendMessageW SendMessageW 3794->3799 3797 4052e1 3795->3797 3798 4052d4 ShowWindow 3795->3798 3800 405490 SendMessageW 3796->3800 3806 40401b SendMessageW 3797->3806 3798->3797 3799->3778 3800->3800 3801 4054ad OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3800->3801 3803 4054d2 SendMessageW 3801->3803 3803->3803 3804 4054fb GlobalUnlock SetClipboardData CloseClipboard 3803->3804 3804->3778 3805->3766 3806->3794 3807->3767 3809 403fc6 3808->3809 3810 403fcc SendMessageW 3808->3810 3809->3810 3810->3768 3811 403b0e 3812 403c61 3811->3812 3813 403b26 3811->3813 3815 403c72 GetDlgItem GetDlgItem 3812->3815 3816 403cb2 3812->3816 3813->3812 3814 403b32 3813->3814 3817 403b50 3814->3817 3818 403b3d SetWindowPos 3814->3818 3819 403fe6 19 API calls 3815->3819 3820 403d0c 3816->3820 3825 401389 2 API calls 3816->3825 3822 
403b55 ShowWindow 3817->3822 3823 403b6d 3817->3823 3818->3817 3824 403c9c SetClassLongW 3819->3824 3821 404032 SendMessageW 3820->3821 3842 403c5c 3820->3842 3840 403d1e 3821->3840 3822->3823 3826 403b75 DestroyWindow 3823->3826 3827 403b8f 3823->3827 3828 40140b 2 API calls 3824->3828 3829 403ce4 3825->3829 3878 403f6f 3826->3878 3830 403b94 SetWindowLongW 3827->3830 3831 403ba5 3827->3831 3828->3816 3829->3820 3832 403ce8 SendMessageW 3829->3832 3830->3842 3835 403bb1 GetDlgItem 3831->3835 3850 403c1c 3831->3850 3832->3842 3833 40140b 2 API calls 3833->3840 3834 403f71 DestroyWindow EndDialog 3834->3878 3836 403be1 3835->3836 3837 403bc4 SendMessageW IsWindowEnabled 3835->3837 3841 403be6 3836->3841 3844 403bee 3836->3844 3845 403c35 SendMessageW 3836->3845 3846 403c01 3836->3846 3837->3836 3837->3842 3838 40404d 8 API calls 3838->3842 3839 403fa0 ShowWindow 3839->3842 3840->3833 3840->3834 3840->3842 3843 405dc3 18 API calls 3840->3843 3852 403fe6 19 API calls 3840->3852 3854 403fe6 19 API calls 3840->3854 3869 403eb1 DestroyWindow 3840->3869 3847 403fbf SendMessageW 3841->3847 3841->3850 3843->3840 3844->3841 3844->3845 3845->3850 3848 403c09 3846->3848 3849 403c1e 3846->3849 3847->3850 3853 40140b 2 API calls 3848->3853 3851 40140b 2 API calls 3849->3851 3850->3838 3851->3841 3852->3840 3853->3841 3855 403d99 GetDlgItem 3854->3855 3856 403db6 ShowWindow EnableWindow 3855->3856 3857 403dae 3855->3857 3879 404008 EnableWindow 3856->3879 3857->3856 3859 403de0 EnableWindow 3862 403df4 3859->3862 3860 403df9 GetSystemMenu EnableMenuItem SendMessageW 3861 403e29 SendMessageW 3860->3861 3860->3862 3861->3862 3862->3860 3880 40401b SendMessageW 3862->3880 3881 405da1 lstrcpynW 3862->3881 3865 403e57 lstrlenW 3866 405dc3 18 API calls 3865->3866 3867 403e6d SetWindowTextW 3866->3867 3868 401389 2 API calls 3867->3868 3868->3840 3870 403ecb CreateDialogParamW 3869->3870 3869->3878 3871 403efe 3870->3871 3870->3878 3872 403fe6 19 API calls 3871->3872 3873 403f09 
GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3872->3873 3874 401389 2 API calls 3873->3874 3875 403f4f 3874->3875 3875->3842 3876 403f57 ShowWindow 3875->3876 3877 404032 SendMessageW 3876->3877 3877->3878 3878->3839 3878->3842 3879->3859 3880->3862 3881->3865 3882 401491 3883 40504b 25 API calls 3882->3883 3884 401498 3883->3884 3885 402293 3886 402b38 18 API calls 3885->3886 3887 4022a2 3886->3887 3888 402b38 18 API calls 3887->3888 3889 4022ab 3888->3889 3890 402b38 18 API calls 3889->3890 3891 4022b5 GetPrivateProfileStringW 3890->3891 3892 401718 3893 402b38 18 API calls 3892->3893 3894 40171f SearchPathW 3893->3894 3895 40173a 3894->3895 3896 401f98 3897 401faa 3896->3897 3907 40205c 3896->3907 3898 402b38 18 API calls 3897->3898 3900 401fb1 3898->3900 3899 401423 25 API calls 3905 402195 3899->3905 3901 402b38 18 API calls 3900->3901 3902 401fba 3901->3902 3903 401fd0 LoadLibraryExW 3902->3903 3904 401fc2 GetModuleHandleW 3902->3904 3906 401fe1 3903->3906 3903->3907 3904->3903 3904->3906 3916 406177 WideCharToMultiByte 3906->3916 3907->3899 3910 401ff2 3913 401423 25 API calls 3910->3913 3914 402002 3910->3914 3911 40202b 3912 40504b 25 API calls 3911->3912 3912->3914 3913->3914 3914->3905 3915 40204e FreeLibrary 3914->3915 3915->3905 3917 4061a1 GetProcAddress 3916->3917 3918 401fec 3916->3918 3917->3918 3918->3910 3918->3911 3919 40159b 3920 402b38 18 API calls 3919->3920 3921 4015a2 SetFileAttributesW 3920->3921 3922 4015b4 3921->3922 3923 40149e 3924 4014ac PostQuitMessage 3923->3924 3925 40223c 3923->3925 3924->3925 3926 40219e 3927 402b38 18 API calls 3926->3927 3928 4021a4 3927->3928 3929 402b38 18 API calls 3928->3929 3930 4021ad 3929->3930 3931 402b38 18 API calls 3930->3931 3932 4021b6 3931->3932 3933 4060e4 2 API calls 3932->3933 3934 4021bf 3933->3934 3935 4021d0 lstrlenW lstrlenW 3934->3935 3939 4021c3 3934->3939 3937 40504b 25 API calls 3935->3937 3936 40504b 25 API calls 3940 4021cb 3936->3940 3938 40220e SHFileOperationW 3937->3938 
3938->3939 3938->3940 3939->3936 3939->3940 3941 4029a0 SendMessageW 3942 4029c5 3941->3942 3943 4029ba InvalidateRect 3941->3943 3943->3942 3944 401b22 3945 401b73 3944->3945 3946 401b2f 3944->3946 3948 401b78 3945->3948 3949 401b9d GlobalAlloc 3945->3949 3947 402229 3946->3947 3953 401b46 3946->3953 3951 405dc3 18 API calls 3947->3951 3955 401bb8 3948->3955 3965 405da1 lstrcpynW 3948->3965 3950 405dc3 18 API calls 3949->3950 3950->3955 3956 402236 3951->3956 3963 405da1 lstrcpynW 3953->3963 3954 401b8a GlobalFree 3954->3955 3958 40557d MessageBoxIndirectW 3956->3958 3958->3955 3959 401b55 3964 405da1 lstrcpynW 3959->3964 3961 401b64 3966 405da1 lstrcpynW 3961->3966 3963->3959 3964->3961 3965->3954 3966->3955 3967 402222 3968 402229 3967->3968 3970 40223c 3967->3970 3969 405dc3 18 API calls 3968->3969 3971 402236 3969->3971 3972 40557d MessageBoxIndirectW 3971->3972 3972->3970 3979 402727 3980 40272e 3979->3980 3982 4029c5 3979->3982 3981 402734 FindClose 3980->3981 3981->3982 2711 403229 #17 SetErrorMode OleInitialize 2788 40610b GetModuleHandleA 2711->2788 2715 403297 GetCommandLineW 2793 405da1 lstrcpynW 2715->2793 2717 4032a9 GetModuleHandleW 2718 4032c1 2717->2718 2794 405819 2718->2794 2721 4033b5 2722 4033c9 GetTempPathW 2721->2722 2798 4031f5 2722->2798 2724 4033e1 2725 4033e5 GetWindowsDirectoryW lstrcatW 2724->2725 2726 40343b DeleteFileW 2724->2726 2728 4031f5 11 API calls 2725->2728 2806 402d67 GetTickCount GetModuleFileNameW 2726->2806 2727 405819 CharNextW 2730 4032e0 2727->2730 2731 403401 2728->2731 2730->2721 2730->2727 2735 4033b7 2730->2735 2731->2726 2734 403405 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 2731->2734 2733 4034eb 2836 403691 2733->2836 2739 4031f5 11 API calls 2734->2739 2847 405da1 lstrcpynW 2735->2847 2736 4034d7 2865 40376b 2736->2865 2743 403433 2739->2743 2740 405819 CharNextW 2744 40346a 2740->2744 2743->2726 2743->2733 2753 4034b1 2744->2753 2754 403516 lstrcatW lstrcmpiW 2744->2754 2745 4034e7 
2745->2733 2746 403500 2843 40557d 2746->2843 2747 4035f6 2748 403679 2747->2748 2750 40610b 3 API calls 2747->2750 2751 403683 2748->2751 2752 403687 ExitProcess 2748->2752 2756 403605 2750->2756 2751->2752 2848 4058f4 2753->2848 2754->2733 2758 403532 CreateDirectoryW SetCurrentDirectoryW 2754->2758 2759 40610b 3 API calls 2756->2759 2761 403555 2758->2761 2762 40354a 2758->2762 2763 40360e 2759->2763 2920 405da1 lstrcpynW 2761->2920 2919 405da1 lstrcpynW 2762->2919 2767 40610b 3 API calls 2763->2767 2764 4034c1 2863 405da1 lstrcpynW 2764->2863 2769 403617 2767->2769 2772 403665 ExitWindowsEx 2769->2772 2778 403625 GetCurrentProcess 2769->2778 2770 4034cc 2864 405da1 lstrcpynW 2770->2864 2772->2748 2775 403672 2772->2775 2947 40140b 2775->2947 2776 4035a1 CopyFileW 2785 403563 2776->2785 2781 403635 2778->2781 2779 4035ea 2782 405c3b 40 API calls 2779->2782 2781->2772 2783 403639 2781->2783 2782->2745 2783->2772 2784 405dc3 18 API calls 2784->2785 2785->2779 2785->2784 2787 4035d5 CloseHandle 2785->2787 2921 405dc3 2785->2921 2939 405c3b 2785->2939 2944 40551c CreateProcessW 2785->2944 2787->2785 2789 406132 GetProcAddress 2788->2789 2790 406127 LoadLibraryA 2788->2790 2791 40326c SHGetFileInfoW 2789->2791 2790->2789 2790->2791 2792 405da1 lstrcpynW 2791->2792 2792->2715 2793->2717 2795 40581f 2794->2795 2796 4032d0 CharNextW 2795->2796 2797 405826 CharNextW 2795->2797 2796->2730 2797->2795 2950 406035 2798->2950 2800 403201 2801 40320b 2800->2801 2959 4057ec lstrlenW CharPrevW 2800->2959 2801->2724 2966 405a0d GetFileAttributesW CreateFileW 2806->2966 2808 402da7 2809 402db7 2808->2809 2967 405da1 lstrcpynW 2808->2967 2809->2733 2809->2736 2809->2740 2811 402dcd 2968 405838 lstrlenW 2811->2968 2815 402dde GetFileSize 2816 402eda 2815->2816 2834 402df5 2815->2834 2817 402d03 6 API calls 2816->2817 2818 402ee3 2817->2818 2818->2809 2820 402f13 GlobalAlloc 2818->2820 2987 4031de SetFilePointer 2818->2987 2988 4031de SetFilePointer 2820->2988 2823 402f46 2825 402d03 
6 API calls 2823->2825 2824 402f2e 2989 402fa0 2824->2989 2835 402f4d 2825->2835 2826 402efc 2828 4031c8 ReadFile 2826->2828 2830 402f07 2828->2830 2829 402ead 2829->2834 2976 402d03 2829->2976 2830->2809 2830->2820 2832 402f3a 2832->2809 2832->2832 2833 402f77 SetFilePointer 2832->2833 2833->2835 2834->2809 2834->2816 2834->2823 2834->2829 2973 4031c8 2834->2973 2835->2809 2837 4036a9 2836->2837 2838 40369b CloseHandle 2836->2838 3027 4036d6 2837->3027 2838->2837 2844 405592 2843->2844 2845 40350e ExitProcess 2844->2845 2846 4055a6 MessageBoxIndirectW 2844->2846 2846->2845 2847->2722 3086 405da1 lstrcpynW 2848->3086 2850 405905 3087 405897 CharNextW CharNextW 2850->3087 2853 4034bd 2853->2733 2853->2764 2854 406035 5 API calls 2855 40591b 2854->2855 2855->2853 2860 405932 2855->2860 2856 40594c lstrlenW 2857 405957 2856->2857 2856->2860 2859 4057ec 3 API calls 2857->2859 2858 4060e4 2 API calls 2858->2860 2861 40595c GetFileAttributesW 2859->2861 2860->2853 2860->2856 2860->2858 2862 405838 2 API calls 2860->2862 2861->2853 2862->2856 2863->2770 2864->2736 2866 40610b 3 API calls 2865->2866 2867 40377f 2866->2867 2868 403785 2867->2868 2869 403797 2867->2869 3093 405ce8 wsprintfW 2868->3093 3094 405c6e RegOpenKeyExW 2869->3094 2873 4037e6 lstrcatW 2874 403795 2873->2874 3099 403a41 2874->3099 2875 405c6e 3 API calls 2875->2873 2878 4058f4 18 API calls 2880 403818 2878->2880 2879 4038ac 2881 4058f4 18 API calls 2879->2881 2880->2879 2882 405c6e 3 API calls 2880->2882 2883 4038b2 2881->2883 2884 40384a 2882->2884 2885 4038c2 LoadImageW 2883->2885 2886 405dc3 18 API calls 2883->2886 2884->2879 2889 40386b lstrlenW 2884->2889 2892 405819 CharNextW 2884->2892 2887 403968 2885->2887 2888 4038e9 RegisterClassW 2885->2888 2886->2885 2891 40140b 2 API calls 2887->2891 2890 40391f SystemParametersInfoW CreateWindowExW 2888->2890 2918 403972 2888->2918 2893 403879 lstrcmpiW 2889->2893 2894 40389f 2889->2894 2890->2887 2895 40396e 2891->2895 2897 403868 2892->2897 2893->2894 
2898 403889 GetFileAttributesW 2893->2898 2896 4057ec 3 API calls 2894->2896 2899 403a41 19 API calls 2895->2899 2895->2918 2900 4038a5 2896->2900 2897->2889 2901 403895 2898->2901 2902 40397f 2899->2902 3108 405da1 lstrcpynW 2900->3108 2901->2894 2904 405838 2 API calls 2901->2904 2905 40398b ShowWindow LoadLibraryW 2902->2905 2906 403a0e 2902->2906 2904->2894 2907 4039b1 GetClassInfoW 2905->2907 2908 4039aa LoadLibraryW 2905->2908 3109 40511e OleInitialize 2906->3109 2910 4039c5 GetClassInfoW RegisterClassW 2907->2910 2911 4039db DialogBoxParamW 2907->2911 2908->2907 2910->2911 2913 40140b 2 API calls 2911->2913 2912 403a14 2914 403a30 2912->2914 2915 403a18 2912->2915 2913->2918 2916 40140b 2 API calls 2914->2916 2917 40140b 2 API calls 2915->2917 2915->2918 2916->2918 2917->2918 2918->2745 2919->2761 2920->2785 2922 405dd0 2921->2922 2923 40601b 2922->2923 2926 405e83 GetVersion 2922->2926 2927 405fe9 lstrlenW 2922->2927 2929 405dc3 10 API calls 2922->2929 2931 405c6e 3 API calls 2922->2931 2932 405efe GetSystemDirectoryW 2922->2932 2933 405f11 GetWindowsDirectoryW 2922->2933 2934 406035 5 API calls 2922->2934 2935 405dc3 10 API calls 2922->2935 2936 405f8a lstrcatW 2922->2936 2937 405f45 SHGetSpecialFolderLocation 2922->2937 3124 405ce8 wsprintfW 2922->3124 3125 405da1 lstrcpynW 2922->3125 2924 403594 DeleteFileW 2923->2924 3126 405da1 lstrcpynW 2923->3126 2924->2776 2924->2785 2926->2922 2927->2922 2929->2927 2931->2922 2932->2922 2933->2922 2934->2922 2935->2922 2936->2922 2937->2922 2938 405f5d SHGetPathFromIDListW CoTaskMemFree 2937->2938 2938->2922 2940 40610b 3 API calls 2939->2940 2941 405c42 2940->2941 2943 405c63 2941->2943 3127 405abf lstrcpyW 2941->3127 2943->2785 2945 405557 2944->2945 2946 40554b CloseHandle 2944->2946 2945->2785 2946->2945 2948 401389 2 API calls 2947->2948 2949 401420 2948->2949 2949->2748 2957 406042 2950->2957 2951 4060b8 2952 4060bd CharPrevW 2951->2952 2954 4060de 2951->2954 2952->2951 2953 4060ab CharNextW 2953->2951 
2953->2957 2954->2800 2955 405819 CharNextW 2955->2957 2956 406097 CharNextW 2956->2957 2957->2951 2957->2953 2957->2955 2957->2956 2958 4060a6 CharNextW 2957->2958 2958->2953 2960 403213 CreateDirectoryW 2959->2960 2961 405808 lstrcatW 2959->2961 2962 405a3c 2960->2962 2961->2960 2963 405a49 GetTickCount GetTempFileNameW 2962->2963 2964 403227 2963->2964 2965 405a7f 2963->2965 2964->2724 2965->2963 2965->2964 2966->2808 2967->2811 2969 405846 2968->2969 2970 402dd3 2969->2970 2971 40584c CharPrevW 2969->2971 2972 405da1 lstrcpynW 2970->2972 2971->2969 2971->2970 2972->2815 3009 405a90 ReadFile 2973->3009 2977 402d24 2976->2977 2978 402d0c 2976->2978 2979 402d34 GetTickCount 2977->2979 2980 402d2c 2977->2980 2981 402d15 DestroyWindow 2978->2981 2982 402d1c 2978->2982 2984 402d42 CreateDialogParamW ShowWindow 2979->2984 2985 402d65 2979->2985 3011 406144 2980->3011 2981->2982 2982->2829 2984->2985 2985->2829 2987->2826 2988->2824 2990 402fbb 2989->2990 2991 402fe8 2990->2991 3015 4031de SetFilePointer 2990->3015 2992 4031c8 ReadFile 2991->2992 2994 402ff3 2992->2994 2995 403149 2994->2995 2996 403005 GetTickCount 2994->2996 2997 40315e 2994->2997 2995->2832 2996->2995 3005 403052 2996->3005 2998 403162 2997->2998 2999 40317a 2997->2999 3000 4031c8 ReadFile 2998->3000 2999->2995 3002 4031c8 ReadFile 2999->3002 3003 403195 WriteFile 2999->3003 3000->2995 3001 4031c8 ReadFile 3001->3005 3002->2999 3003->2995 3003->2999 3004 4030a8 GetTickCount 3004->3005 3005->2995 3005->3001 3005->3004 3006 4030cd MulDiv wsprintfW 3005->3006 3008 403111 WriteFile 3005->3008 3016 40504b 3006->3016 3008->2995 3008->3005 3010 4031db 3009->3010 3010->2834 3012 406161 PeekMessageW 3011->3012 3013 402d32 3012->3013 3014 406157 DispatchMessageW 3012->3014 3013->2829 3014->3012 3015->2991 3017 405066 3016->3017 3018 405108 3016->3018 3019 405082 lstrlenW 3017->3019 3020 405dc3 18 API calls 3017->3020 3018->3005 3021 405090 lstrlenW 3019->3021 3022 4050ab 3019->3022 3020->3019 3021->3018 3023 
4050a2 lstrcatW 3021->3023 3024 4050b1 SetWindowTextW 3022->3024 3025 4050be 3022->3025 3023->3022 3024->3025 3025->3018 3026 4050c4 SendMessageW SendMessageW SendMessageW 3025->3026 3026->3018 3028 4036e4 3027->3028 3029 4036ae 3028->3029 3030 4036e9 FreeLibrary GlobalFree 3028->3030 3031 405629 3029->3031 3030->3029 3030->3030 3032 4058f4 18 API calls 3031->3032 3033 405649 3032->3033 3034 405651 DeleteFileW 3033->3034 3035 405668 3033->3035 3036 4034f0 CoUninitialize 3034->3036 3038 405793 3035->3038 3070 405da1 lstrcpynW 3035->3070 3036->2746 3036->2747 3038->3036 3042 405788 3038->3042 3039 40568e 3040 4056a1 3039->3040 3041 405694 lstrcatW 3039->3041 3044 405838 2 API calls 3040->3044 3043 4056a7 3041->3043 3042->3038 3080 4060e4 FindFirstFileW 3042->3080 3046 4056b7 lstrcatW 3043->3046 3047 4056ad 3043->3047 3044->3043 3049 4056c2 lstrlenW FindFirstFileW 3046->3049 3047->3046 3047->3049 3049->3042 3068 4056e4 3049->3068 3050 4057ec 3 API calls 3051 4057b7 3050->3051 3053 4055e1 5 API calls 3051->3053 3052 40576b FindNextFileW 3055 405781 FindClose 3052->3055 3052->3068 3056 4057c3 3053->3056 3055->3042 3057 4057c7 3056->3057 3058 4057dd 3056->3058 3057->3036 3061 40504b 25 API calls 3057->3061 3060 40504b 25 API calls 3058->3060 3060->3036 3063 4057d4 3061->3063 3062 405629 64 API calls 3062->3068 3064 405c3b 40 API calls 3063->3064 3066 4057db 3064->3066 3065 40504b 25 API calls 3065->3052 3066->3036 3067 40504b 25 API calls 3067->3068 3068->3052 3068->3062 3068->3065 3068->3067 3069 405c3b 40 API calls 3068->3069 3071 405da1 lstrcpynW 3068->3071 3072 4055e1 3068->3072 3069->3068 3070->3039 3071->3068 3083 4059e8 GetFileAttributesW 3072->3083 3075 405604 DeleteFileW 3078 40560a 3075->3078 3076 4055fc RemoveDirectoryW 3076->3078 3077 40560e 3077->3068 3078->3077 3079 40561a SetFileAttributesW 3078->3079 3079->3077 3081 4057ad 3080->3081 3082 4060fa FindClose 3080->3082 3081->3036 3081->3050 3082->3081 3084 4055ed 3083->3084 3085 4059fa SetFileAttributesW 
3083->3085 3084->3075 3084->3076 3084->3077 3085->3084 3086->2850 3088 4058b4 3087->3088 3089 4058c6 3087->3089 3088->3089 3090 4058c1 CharNextW 3088->3090 3091 405819 CharNextW 3089->3091 3092 4058ea 3089->3092 3090->3092 3091->3089 3092->2853 3092->2854 3093->2874 3095 4037c7 3094->3095 3096 405ca2 RegQueryValueExW 3094->3096 3095->2873 3095->2875 3097 405cc3 RegCloseKey 3096->3097 3097->3095 3100 403a55 3099->3100 3116 405ce8 wsprintfW 3100->3116 3102 403ac6 3103 405dc3 18 API calls 3102->3103 3104 403ad2 SetWindowTextW 3103->3104 3105 4037f6 3104->3105 3106 403aee 3104->3106 3105->2878 3106->3105 3107 405dc3 18 API calls 3106->3107 3107->3106 3108->2879 3117 404032 3109->3117 3111 405168 3112 404032 SendMessageW 3111->3112 3113 40517a OleUninitialize 3112->3113 3113->2912 3114 405141 3114->3111 3120 401389 3114->3120 3116->3102 3118 40404a 3117->3118 3119 40403b SendMessageW 3117->3119 3118->3114 3119->3118 3122 401390 3120->3122 3121 4013fe 3121->3114 3122->3121 3123 4013cb MulDiv SendMessageW 3122->3123 3123->3122 3124->2922 3125->2922 3126->2924 3128 405ae8 3127->3128 3129 405b0e GetShortPathNameW 3127->3129 3152 405a0d GetFileAttributesW CreateFileW 3128->3152 3131 405b23 3129->3131 3132 405c35 3129->3132 3131->3132 3134 405b2b wsprintfA 3131->3134 3132->2943 3133 405af2 CloseHandle GetShortPathNameW 3133->3132 3136 405b06 3133->3136 3135 405dc3 18 API calls 3134->3135 3137 405b53 3135->3137 3136->3129 3136->3132 3153 405a0d GetFileAttributesW CreateFileW 3137->3153 3139 405b60 3139->3132 3140 405b6f GetFileSize GlobalAlloc 3139->3140 3141 405b91 3140->3141 3142 405c2e CloseHandle 3140->3142 3143 405a90 ReadFile 3141->3143 3142->3132 3144 405b99 3143->3144 3144->3142 3154 405972 lstrlenA 3144->3154 3147 405bb0 lstrcpyA 3150 405bd2 3147->3150 3148 405bc4 3149 405972 4 API calls 3148->3149 3149->3150 3151 405c09 SetFilePointer WriteFile GlobalFree 3150->3151 3151->3142 3152->3133 3153->3139 3155 4059b3 lstrlenA 3154->3155 3156 4059bb 3155->3156 3157 40598c 
lstrcmpiA 3155->3157 3156->3147 3156->3148 3157->3156 3158 4059aa CharNextA 3157->3158 3158->3155 3983 403729 3984 403734 3983->3984 3985 403738 3984->3985 3986 40373b GlobalAlloc 3984->3986 3986->3985 3987 401cab 3988 402b1b 18 API calls 3987->3988 3989 401cb2 3988->3989 3990 402b1b 18 API calls 3989->3990 3991 401cba GetDlgItem 3990->3991 3992 4024e6 3991->3992 3993 40232f 3994 402335 3993->3994 3995 402b38 18 API calls 3994->3995 3996 402347 3995->3996 3997 402b38 18 API calls 3996->3997 3998 402351 RegCreateKeyExW 3997->3998 3999 402791 3998->3999 4000 40237b 3998->4000 4001 402396 4000->4001 4002 402b38 18 API calls 4000->4002 4003 4023a2 4001->4003 4006 402b1b 18 API calls 4001->4006 4005 40238c lstrlenW 4002->4005 4004 4023bd RegSetValueExW 4003->4004 4007 402fa0 33 API calls 4003->4007 4008 4023d3 RegCloseKey 4004->4008 4005->4001 4006->4003 4007->4004 4008->3999 4010 4016af 4011 402b38 18 API calls 4010->4011 4012 4016b5 GetFullPathNameW 4011->4012 4013 4016f1 4012->4013 4014 4016cf 4012->4014 4015 4029c5 4013->4015 4016 401706 GetShortPathNameW 4013->4016 4014->4013 4017 4060e4 2 API calls 4014->4017 4016->4015 4018 4016e1 4017->4018 4018->4013 4020 405da1 lstrcpynW 4018->4020 4020->4013 4021 4027b3 4022 402b38 18 API calls 4021->4022 4023 4027c1 4022->4023 4024 4027d7 4023->4024 4025 402b38 18 API calls 4023->4025 4026 4059e8 2 API calls 4024->4026 4025->4024 4027 4027dd 4026->4027 4047 405a0d GetFileAttributesW CreateFileW 4027->4047 4029 4027ea 4030 402893 4029->4030 4031 4027f6 GlobalAlloc 4029->4031 4034 40289b DeleteFileW 4030->4034 4035 4028ae 4030->4035 4032 40288a CloseHandle 4031->4032 4033 40280f 4031->4033 4032->4030 4048 4031de SetFilePointer 4033->4048 4034->4035 4037 402815 4038 4031c8 ReadFile 4037->4038 4039 40281e GlobalAlloc 4038->4039 4040 402862 WriteFile GlobalFree 4039->4040 4041 40282e 4039->4041 4042 402fa0 33 API calls 4040->4042 4043 402fa0 33 API calls 4041->4043 4044 402887 4042->4044 4046 40283b 4043->4046 4044->4032 4045 
402859 GlobalFree 4045->4040 4046->4045 4047->4029 4048->4037 4049 404134 lstrlenW 4050 404153 4049->4050 4051 404155 WideCharToMultiByte 4049->4051 4050->4051 4052 4028b4 4053 402b1b 18 API calls 4052->4053 4054 4028ba 4053->4054 4055 4028f6 4054->4055 4056 4028dd 4054->4056 4060 402791 4054->4060 4058 402900 4055->4058 4059 40290c 4055->4059 4057 4028e2 4056->4057 4065 4028f3 4056->4065 4066 405da1 lstrcpynW 4057->4066 4061 402b1b 18 API calls 4058->4061 4062 405dc3 18 API calls 4059->4062 4061->4065 4062->4065 4065->4060 4067 405ce8 wsprintfW 4065->4067 4066->4060 4067->4060 4068 4014b8 4069 4014be 4068->4069 4070 401389 2 API calls 4069->4070 4071 4014c6 4070->4071 4072 401939 4073 402b38 18 API calls 4072->4073 4074 401940 lstrlenW 4073->4074 4075 4024e6 4074->4075 4076 402939 4077 402b1b 18 API calls 4076->4077 4078 40293f 4077->4078 4079 402972 4078->4079 4081 402791 4078->4081 4082 40294d 4078->4082 4080 405dc3 18 API calls 4079->4080 4079->4081 4080->4081 4082->4081 4084 405ce8 wsprintfW 4082->4084 4084->4081 4085 4015b9 4086 402b38 18 API calls 4085->4086 4087 4015c0 4086->4087 4088 405897 4 API calls 4087->4088 4098 4015c9 4088->4098 4089 401614 4091 401646 4089->4091 4092 401619 4089->4092 4090 405819 CharNextW 4093 4015d7 CreateDirectoryW 4090->4093 4095 401423 25 API calls 4091->4095 4094 401423 25 API calls 4092->4094 4096 4015ed GetLastError 4093->4096 4093->4098 4097 401620 4094->4097 4102 40163e 4095->4102 4096->4098 4099 4015fa GetFileAttributesW 4096->4099 4103 405da1 lstrcpynW 4097->4103 4098->4089 4098->4090 4099->4098 4101 40162d SetCurrentDirectoryW 4101->4102 4103->4101 4104 40443a 4105 404470 4104->4105 4106 40444a 4104->4106 4108 40404d 8 API calls 4105->4108 4107 403fe6 19 API calls 4106->4107 4109 404457 SetDlgItemTextW 4107->4109 4110 40447c 4108->4110 4109->4105 4111 40173f 4112 402b38 18 API calls 4111->4112 4113 401746 4112->4113 4114 405a3c 2 API calls 4113->4114 4115 40174d 4114->4115 4115->4115 4116 404fbf 4117 404fe3 4116->4117 
4118 404fcf 4116->4118 4119 404feb IsWindowVisible 4117->4119 4127 405002 4117->4127 4120 404fd5 4118->4120 4121 40502c 4118->4121 4119->4121 4123 404ff8 4119->4123 4122 404032 SendMessageW 4120->4122 4124 405031 CallWindowProcW 4121->4124 4125 404fdf 4122->4125 4126 404915 5 API calls 4123->4126 4124->4125 4126->4127 4127->4124 4128 404995 4 API calls 4127->4128 4128->4121

            Control-flow Graph (function 00403229; legend: Executed / Not Executed)
            APIs
            • #17.COMCTL32 ref: 00403248
            • SetErrorMode.KERNELBASE(00008001), ref: 00403253
            • OleInitialize.OLE32(00000000), ref: 0040325A
              • Part of subcall function 0040610B: GetModuleHandleA.KERNEL32(?,?,00000020,0040326C,00000008), ref: 0040611D
              • Part of subcall function 0040610B: LoadLibraryA.KERNELBASE(?,?,00000020,0040326C,00000008), ref: 00406128
              • Part of subcall function 0040610B: GetProcAddress.KERNEL32(00000000,?), ref: 00406139
            • SHGetFileInfoW.SHELL32(0042B1B8,00000000,?,000002B4,00000000), ref: 00403282
              • Part of subcall function 00405DA1: lstrcpynW.KERNEL32(?,?,00000400,00403297,00433EA0,NSIS Error), ref: 00405DAE
            • GetCommandLineW.KERNEL32(00433EA0,NSIS Error), ref: 00403297
            • GetModuleHandleW.KERNEL32(00000000,0043F000,00000000), ref: 004032AA
            • CharNextW.USER32(00000000,0043F000,00000020), ref: 004032D1
            • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 004033DA
            • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 004033EB
            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 004033F7
            • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040340B
            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403413
            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403424
            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 0040342C
            • DeleteFileW.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp), ref: 00403440
            • CoUninitialize.COMBASE(?), ref: 004034F0
            • ExitProcess.KERNEL32 ref: 00403510
            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu.tmp,0043F000,00000000,?), ref: 0040351C
            • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00440800,C:\Users\user~1\AppData\Local\Temp\,~nsu.tmp,0043F000,00000000,?), ref: 00403528
            • CreateDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00403534
            • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\), ref: 0040353B
            • DeleteFileW.KERNEL32(0042A9B8,0042A9B8,?,00435000,?), ref: 00403595
            • CopyFileW.KERNEL32(00442800,0042A9B8,00000001), ref: 004035A9
            • CloseHandle.KERNEL32(00000000,0042A9B8,0042A9B8,?,0042A9B8,00000000), ref: 004035D6
            • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040362C
            • ExitWindowsEx.USER32(00000002,00000000), ref: 00403668
            • ExitProcess.KERNEL32 ref: 0040368B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
            • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
            • API String ID: 4107622049-3031928587
            • Opcode ID: f195a64d171f64111121db36c4463f42ca3038f7a3fbd40599632eb1a73ac7bc
            • Instruction ID: 02b0c0aa23ea66072d22554f7a9d706dafbd78a3d23bdfa468f983da76c936b2
            • Opcode Fuzzy Hash: f195a64d171f64111121db36c4463f42ca3038f7a3fbd40599632eb1a73ac7bc
            • Instruction Fuzzy Hash: 48B1D230504310AAD7207F619E4AA2B3EACEF4574AF00443FF941B62E1DBBD4A45CB6E

            Control-flow Graph

            control_flow_graph 133 40610b-406125 GetModuleHandleA 134 406132-406139 GetProcAddress 133->134 135 406127-406130 LoadLibraryA 133->135 136 40613f-406141 134->136 135->134 135->136
            APIs
            • GetModuleHandleA.KERNEL32(?,?,00000020,0040326C,00000008), ref: 0040611D
            • LoadLibraryA.KERNELBASE(?,?,00000020,0040326C,00000008), ref: 00406128
            • GetProcAddress.KERNEL32(00000000,?), ref: 00406139
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: AddressHandleLibraryLoadModuleProc
            • String ID:
            • API String ID: 310444273-0
            • Opcode ID: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
            • Instruction ID: fdb84e6153f048f4f32cb56b497edeca1f79cb2b45eddc07a3c36f847a24315a
            • Opcode Fuzzy Hash: 5679b5def2f7da251302a8cf4847d9d0b7faea0d144796f5e929e2ea3512b209
            • Instruction Fuzzy Hash: D9E0CD326002309FC3105B34AE4497773AC9FA8740305043DF586F6000CB749C22EF69

            Control-flow Graph

            control_flow_graph 116 405a3c-405a48 117 405a49-405a7d GetTickCount GetTempFileNameW 116->117 118 405a8c-405a8e 117->118 119 405a7f-405a81 117->119 121 405a86-405a89 118->121 119->117 120 405a83 119->120 120->121
            APIs
            • GetTickCount.KERNEL32 ref: 00405A5A
            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403227,C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp,C:\Users\user~1\AppData\Local\Temp\), ref: 00405A75
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CountFileNameTempTick
            • String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
            • API String ID: 1716503409-3083371207
            • Opcode ID: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
            • Instruction ID: 485616ab74b01dad4b6f2028e8278cd76642f71c5b474b9ae6064b4a8122c260
            • Opcode Fuzzy Hash: 553695d42fa49c729d900ffa62198f8f27b7eacb1895c33b02f4b86faf7ca5f2
            • Instruction Fuzzy Hash: 76F03076700204BFDB008F59DD45FAFB7A8EB95750F10803AEE45E7290E6B09A548F64

            Control-flow Graph

            APIs
              • Part of subcall function 00406035: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 00406098
              • Part of subcall function 00406035: CharNextW.USER32(?,?,?,00000000), ref: 004060A7
              • Part of subcall function 00406035: CharNextW.USER32(?,0043F000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004060AC
              • Part of subcall function 00406035: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004060BF
            • CreateDirectoryW.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 00403216
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Char$Next$CreateDirectoryPrev
            • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp
            • API String ID: 4115351271-3284287857
            • Opcode ID: d87fad949052cfa03a28e6d8598cf07e7846d7f9d3ec73566398795b30735e76
            • Instruction ID: 8e868994f3d2bbac58875734e477fdd5edfa4fc47c6a96a7a7d594daf79fb191
            • Opcode Fuzzy Hash: d87fad949052cfa03a28e6d8598cf07e7846d7f9d3ec73566398795b30735e76
            • Instruction Fuzzy Hash: FBD0C92214693062D652376A7D4AFCF0D0C8F063AEF26407BF804B51E69B7C0AC649FE

            Control-flow Graph

            control_flow_graph 137 405a0d-405a39 GetFileAttributesW CreateFileW
            APIs
            • GetFileAttributesW.KERNELBASE(00000003,00402DA7,00442800,80000000,00000003,?,?,?,00000000,0040344F,?), ref: 00405A11
            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,0040344F,?), ref: 00405A33
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: File$AttributesCreate
            • String ID:
            • API String ID: 415043291-0
            • Opcode ID: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
            • Instruction ID: 1eb9dddf645dfc1e42ea27fadde30db719d7f554b9b2fef872a17e27e5e15d7e
            • Opcode Fuzzy Hash: 37c4dc7839c603de99ed6860e60369df17b6bb7e4a2ae391e088aaa007eea51a
            • Instruction Fuzzy Hash: C0D09E71654601EFEF098F20DE16F6EBBA2EB84B00F11952DB692940E0DA7158199B15

            Control-flow Graph

            control_flow_graph 138 405a90-405aac ReadFile 139 405ab8 138->139 140 405aae-405ab1 138->140 141 405aba-405abc 139->141 140->139 142 405ab3-405ab6 140->142 142->141
            APIs
            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031DB,00000000,00000000,00402FF3,000000FF,00000004,00000000,00000000,00000000), ref: 00405AA4
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
            • Instruction ID: 07b625fac44bf3ff9367e003840ea8544b808996ef6c51cee1fe321e6e9f2367
            • Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
            • Instruction Fuzzy Hash: B1E08C3220125AEBEF11AE958C40AEB3B6CEB04360F004832FD10E3240D234E8218FE8

            Control-flow Graph

            control_flow_graph 143 40557d-405590 144 405592-405595 143->144 145 405597-40559e 143->145 144->145 146 4055de 144->146 147 4055a0 145->147 148 4055a6-4055d8 MessageBoxIndirectW 145->148 147->148 148->146
            APIs
            • MessageBoxIndirectW.USER32(0040A3B0), ref: 004055D8
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: IndirectMessage
            • String ID:
            • API String ID: 1874166685-0
            • Opcode ID: 0f5ce9ceb6b824fdab0ccd61eb1aa690aa19fb054b1cce10ad9f1958c7687728
            • Instruction ID: 72ae506b7457921a01343baea109bbf4e2c901344dea6141f916b91dad4bfda2
            • Opcode Fuzzy Hash: 0f5ce9ceb6b824fdab0ccd61eb1aa690aa19fb054b1cce10ad9f1958c7687728
            • Instruction Fuzzy Hash: 73F0DF715243009FC7A4CF28EE456563AE2F789311F14503EEA41A23E4DB7898A8CF4A

            Control-flow Graph

            control_flow_graph 149 403691-403699 150 4036a9-4036ba call 4036d6 call 405629 149->150 151 40369b-4036a2 CloseHandle 149->151 151->150
            APIs
            • CloseHandle.KERNELBASE(FFFFFFFF,004034F0,?), ref: 0040369C
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            • Opcode ID: c9d0d423b4b429707c4fd9dd9caa69f7af3c19a9df35d64a48dcda9fef3fb6c8
            • Instruction ID: ccd7fe7a4fa82286fe55154120f19d55f673d8aa521cf508357ae8af62eb69f0
            • Opcode Fuzzy Hash: c9d0d423b4b429707c4fd9dd9caa69f7af3c19a9df35d64a48dcda9fef3fb6c8
            • Instruction Fuzzy Hash: A7C01234A04B04AAE1306F74EE4E6053A546740779FE04B25F0B8B01F0C77D56A9499D

            Control-flow Graph

            control_flow_graph 159 40518a-4051a5 160 405336-40533d 159->160 161 4051ab-405274 GetDlgItem * 3 call 40401b call 4048e8 GetClientRect GetSystemMetrics SendMessageW * 2 159->161 163 405367-405374 160->163 164 40533f-405361 GetDlgItem CreateThread CloseHandle 160->164 184 405292-405295 161->184 185 405276-405290 SendMessageW * 2 161->185 166 405392-40539c 163->166 167 405376-40537c 163->167 164->163 170 4053f2-4053f6 166->170 171 40539e-4053a4 166->171 168 4053b7-4053c0 call 40404d 167->168 169 40537e-40538d ShowWindow * 2 call 40401b 167->169 181 4053c5-4053c9 168->181 169->166 170->168 178 4053f8-4053fe 170->178 174 4053a6-4053b2 call 403fbf 171->174 175 4053cc-4053dc ShowWindow 171->175 174->168 182 4053ec-4053ed call 403fbf 175->182 183 4053de-4053e7 call 40504b 175->183 178->168 179 405400-405413 SendMessageW 178->179 186 405515-405517 179->186 187 405419-405444 CreatePopupMenu call 405dc3 AppendMenuW 179->187 182->170 183->182 188 4052a5-4052bc call 403fe6 184->188 189 405297-4052a3 SendMessageW 184->189 185->184 186->181 196 405446-405456 GetWindowRect 187->196 197 405459-40546e TrackPopupMenu 187->197 198 4052f2-405313 GetDlgItem SendMessageW 188->198 199 4052be-4052d2 ShowWindow 188->199 189->188 196->197 197->186 200 405474-40548b 197->200 198->186 203 405319-405331 SendMessageW * 2 198->203 201 4052e1 199->201 202 4052d4-4052df ShowWindow 199->202 204 405490-4054ab SendMessageW 200->204 205 4052e7-4052ed call 40401b 201->205 202->205 203->186 204->204 206 4054ad-4054d0 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 204->206 205->198 208 4054d2-4054f9 SendMessageW 206->208 208->208 209 4054fb-40550f GlobalUnlock SetClipboardData CloseClipboard 208->209 209->186
            APIs
            • GetDlgItem.USER32(?,00000403), ref: 004051E9
            • GetDlgItem.USER32(?,000003EE), ref: 004051F8
            • GetClientRect.USER32(?,?), ref: 00405235
            • GetSystemMetrics.USER32(00000015), ref: 0040523D
            • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 0040525E
            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040526F
            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405282
            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405290
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004052A3
            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004052C5
            • ShowWindow.USER32(?,00000008), ref: 004052D9
            • GetDlgItem.USER32(?,000003EC), ref: 004052FA
            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040530A
            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405323
            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040532F
            • GetDlgItem.USER32(?,000003F8), ref: 00405207
              • Part of subcall function 0040401B: SendMessageW.USER32(00000028,?,00000001,00403E47), ref: 00404029
            • GetDlgItem.USER32(?,000003EC), ref: 0040534C
            • CreateThread.KERNEL32(00000000,00000000,Function_0000511E,00000000), ref: 0040535A
            • CloseHandle.KERNEL32(00000000), ref: 00405361
            • ShowWindow.USER32(00000000), ref: 00405385
            • ShowWindow.USER32(?,00000008), ref: 0040538A
            • ShowWindow.USER32(00000008), ref: 004053D4
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405408
            • CreatePopupMenu.USER32 ref: 00405419
            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040542D
            • GetWindowRect.USER32(?,?), ref: 0040544D
            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405466
            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040549E
            • OpenClipboard.USER32(00000000), ref: 004054AE
            • EmptyClipboard.USER32 ref: 004054B4
            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004054C0
            • GlobalLock.KERNEL32(00000000), ref: 004054CA
            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004054DE
            • GlobalUnlock.KERNEL32(00000000), ref: 004054FE
            • SetClipboardData.USER32(0000000D,00000000), ref: 00405509
            • CloseClipboard.USER32 ref: 0040550F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
            • String ID: {
            • API String ID: 590372296-366298937
            • Opcode ID: 58f5626aa4c6a7058210a1ef6063d9c8904c0d068caf84b31f2655e726ab0914
            • Instruction ID: 34766a67a8348c891c509fbed0d62983ec1eb8fa6b5cfd063670c437a0e1cb12
            • Opcode Fuzzy Hash: 58f5626aa4c6a7058210a1ef6063d9c8904c0d068caf84b31f2655e726ab0914
            • Instruction Fuzzy Hash: F5B12871800608FFDB119F60DD89AAE7B79FB48355F10803AFA41BA1A0CBB59E51DF58

            Control-flow Graph

            control_flow_graph 210 4049c7-404a13 GetDlgItem * 2 211 404c34-404c3b 210->211 212 404a19-404aad GlobalAlloc LoadBitmapW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 210->212 213 404c3d-404c4d 211->213 214 404c4f 211->214 215 404abc-404ac3 DeleteObject 212->215 216 404aaf-404aba SendMessageW 212->216 217 404c52-404c5b 213->217 214->217 218 404ac5-404acd 215->218 216->215 219 404c66-404c6c 217->219 220 404c5d-404c60 217->220 221 404af6-404afa 218->221 222 404acf-404ad2 218->222 226 404c7b-404c82 219->226 227 404c6e-404c75 219->227 220->219 223 404d4a-404d51 220->223 221->218 228 404afc-404b28 call 403fe6 * 2 221->228 224 404ad4 222->224 225 404ad7-404af4 call 405dc3 SendMessageW * 2 222->225 229 404dc2-404dca 223->229 230 404d53-404d59 223->230 224->225 225->221 232 404c84-404c87 226->232 233 404cf7-404cfa 226->233 227->223 227->226 264 404bf3-404c06 GetWindowLongW SetWindowLongW 228->264 265 404b2e-404b34 228->265 239 404dd4-404ddb 229->239 240 404dcc-404dd2 SendMessageW 229->240 236 404faa-404fbc call 40404d 230->236 237 404d5f-404d69 230->237 242 404c92-404ca7 call 404915 232->242 243 404c89-404c90 232->243 233->223 238 404cfc-404d06 233->238 237->236 245 404d6f-404d7e SendMessageW 237->245 247 404d16-404d20 238->247 248 404d08-404d14 SendMessageW 238->248 249 404ddd-404de4 239->249 250 404e0f-404e16 239->250 240->239 242->233 261 404ca9-404cba 242->261 243->233 243->242 245->236 256 404d84-404d95 SendMessageW 245->256 247->223 258 404d22-404d2c 247->258 248->247 259 404de6-404de7 ImageList_Destroy 249->259 260 404ded-404df4 249->260 254 404f6c-404f73 250->254 255 404e1c-404e28 call 4011ef 250->255 254->236 269 404f75-404f7c 254->269 282 404e38-404e3b 255->282 283 404e2a-404e2d 255->283 267 404d97-404d9d 256->267 268 404d9f-404da1 256->268 270 404d3d-404d47 258->270 271 404d2e-404d3b 258->271 259->260 262 404df6-404df7 GlobalFree 260->262 263 404dfd-404e09 260->263 261->233 272 404cbc-404cbe 261->272 262->263 263->250 277 404c0c-404c10 264->277 273 404b37-404b3e 265->273 267->268 275 404da2-404dbb call 401299 SendMessageW 267->275 268->275 269->236 276 404f7e-404fa8 ShowWindow GetDlgItem ShowWindow 269->276 270->223 271->223 278 404cc0-404cc7 272->278 279 404cd1 272->279 280 404bd4-404be7 273->280 281 404b44-404b6c 273->281 275->229 276->236 285 404c12-404c25 ShowWindow call 40401b 277->285 286 404c2a-404c32 call 40401b 277->286 288 404cc9-404ccb 278->288 289 404ccd-404ccf 278->289 292 404cd4-404cf0 call 40117d 279->292 280->273 296 404bed-404bf1 280->296 290 404ba6-404ba8 281->290 291 404b6e-404ba4 SendMessageW 281->291 297 404e7c-404ea0 call 4011ef 282->297 298 404e3d-404e56 call 4012e2 call 401299 282->298 293 404e30-404e33 call 404995 283->293 294 404e2f 283->294 285->236 286->211 288->292 289->292 300 404baa-404bb9 SendMessageW 290->300 301 404bbb-404bd1 SendMessageW 290->301 291->280 292->233 293->282 294->293 296->264 296->277 312 404f42-404f56 InvalidateRect 297->312 313 404ea6 297->313 318 404e66-404e75 SendMessageW 298->318 319 404e58-404e5e 298->319 300->280 301->280 312->254 315 404f58-404f67 call 4048e8 call 40482f 312->315 316 404ea9-404eb4 313->316 315->254 320 404eb6-404ec5 316->320 321 404f2a-404f3c 316->321 318->297 322 404e60 319->322 323 404e61-404e64 319->323 325 404ec7-404ed4 320->325 326 404ed8-404edb 320->326 321->312 321->316 322->323 323->318 323->319 325->326 328 404ee2-404eeb 326->328 329 404edd-404ee0 326->329 330 404ef0-404f28 SendMessageW * 2 328->330 331 404eed 328->331 329->330 330->321 331->330
            APIs
            • GetDlgItem.USER32(?,000003F9), ref: 004049DF
            • GetDlgItem.USER32(?,00000408), ref: 004049EA
            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A34
            • LoadBitmapW.USER32(0000006E), ref: 00404A47
            • SetWindowLongW.USER32(?,000000FC,00404FBF), ref: 00404A60
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A74
            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A86
            • SendMessageW.USER32(?,00001109,00000002), ref: 00404A9C
            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404AA8
            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404ABA
            • DeleteObject.GDI32(00000000), ref: 00404ABD
            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AE8
            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AF4
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B8A
            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404BB5
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BC9
            • GetWindowLongW.USER32(?,000000F0), ref: 00404BF8
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404C06
            • ShowWindow.USER32(?,00000005), ref: 00404C17
            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404D14
            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D79
            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D8E
            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404DB2
            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DD2
            • ImageList_Destroy.COMCTL32(?), ref: 00404DE7
            • GlobalFree.KERNEL32(?), ref: 00404DF7
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E70
            • SendMessageW.USER32(?,00001102,?,?), ref: 00404F19
            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F28
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F48
            • ShowWindow.USER32(?,00000000), ref: 00404F96
            • GetDlgItem.USER32(?,000003FE), ref: 00404FA1
            • ShowWindow.USER32(00000000), ref: 00404FA8
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
            • String ID: $M$N
            • API String ID: 1638840714-813528018
            • Opcode ID: d3c421dbc05eb9c118f70068bf7944ed4c7c9b5971f9bdb3d84e9ab566385c08
            • Instruction ID: e53c56638097080d8a9576e5f9c25271d89cd91d9f9dd4264a0f886a8ea3ee34
            • Opcode Fuzzy Hash: d3c421dbc05eb9c118f70068bf7944ed4c7c9b5971f9bdb3d84e9ab566385c08
            • Instruction Fuzzy Hash: CE028FB0900209EFEB109F54DD85AAE7BB5FB84315F10813AF611BA2E1C7B89D52DF58
            APIs
            • GetDlgItem.USER32(?,000003FB), ref: 004044D0
            • SetWindowTextW.USER32(00000000,?), ref: 004044FA
            • SHBrowseForFolderW.SHELL32(?), ref: 004045AB
            • CoTaskMemFree.OLE32(00000000), ref: 004045B6
            • lstrcmpiW.KERNEL32(00432E40,0042D1F8,00000000,?,?), ref: 004045E8
            • lstrcatW.KERNEL32(?,00432E40), ref: 004045F4
            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404606
              • Part of subcall function 00405561: GetDlgItemTextW.USER32(?,?,00000400,0040463D), ref: 00405574
              • Part of subcall function 00406035: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 00406098
              • Part of subcall function 00406035: CharNextW.USER32(?,?,?,00000000), ref: 004060A7
              • Part of subcall function 00406035: CharNextW.USER32(?,0043F000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004060AC
              • Part of subcall function 00406035: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004060BF
            • GetDiskFreeSpaceW.KERNEL32(0042B1C8,?,?,0000040F,?,0042B1C8,0042B1C8,?,00000000,0042B1C8,?,?,000003FB,?), ref: 004046C7
            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E2
            • SetDlgItemTextW.USER32(00000000,00000400,0042B1B8), ref: 00404768
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
            • String ID: @.C$A
            • API String ID: 2246997448-1557386336
            • Opcode ID: 7459313ad56da6814eed4461a0493d862bb185afe1827c1f72d68e103bf79117
            • Instruction ID: 23f2a3ef68cc2ecf1ba22192b5584ba95f97fd263584382d2916c135efe1ecf3
            • Opcode Fuzzy Hash: 7459313ad56da6814eed4461a0493d862bb185afe1827c1f72d68e103bf79117
            • Instruction Fuzzy Hash: 179164B1900215ABDB11AFA1CD85AAF77B8EF85314F14843BF601B72D1DB7C8A41CB69
            APIs
            • GetVersion.KERNEL32(00000000,0042C1D8,?,00405082,0042C1D8,00000000,00000000,?), ref: 00405E86
            • GetSystemDirectoryW.KERNEL32(00432E40,00000400), ref: 00405F04
            • GetWindowsDirectoryW.KERNEL32(00432E40,00000400), ref: 00405F17
            • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405F53
            • SHGetPathFromIDListW.SHELL32(?,00432E40), ref: 00405F61
            • CoTaskMemFree.OLE32(?), ref: 00405F6C
            • lstrcatW.KERNEL32(00432E40,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F90
            • lstrlenW.KERNEL32(00432E40,00000000,0042C1D8,?,00405082,0042C1D8,00000000,00000000,?), ref: 00405FEA
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
            • String ID: @.C$@.C$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
            • API String ID: 900638850-3579590209
            • Opcode ID: 43c29530afae03f5301cf54f370ba8410909c3f9dcb969b2f832d616e7dacda1
            • Instruction ID: 51fea1f0525bd32aa09071eea97aa62567f0d70ed35b44e0f17875bb3ea282eb
            • Opcode Fuzzy Hash: 43c29530afae03f5301cf54f370ba8410909c3f9dcb969b2f832d616e7dacda1
            • Instruction Fuzzy Hash: 7561EE71A00A06ABDB209F64CC45AAF37A5EF54314F11C13BE941BA2E0D77D9A82CF4D
            APIs
            • DeleteFileW.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,0043F000), ref: 00405652
            • lstrcatW.KERNEL32(0042F200,\*.*,0042F200,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,0043F000), ref: 0040569A
            • lstrcatW.KERNEL32(?,0040A014,?,0042F200,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,0043F000), ref: 004056BD
            • lstrlenW.KERNEL32(?,?,0040A014,?,0042F200,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,0043F000), ref: 004056C3
            • FindFirstFileW.KERNEL32(0042F200,?,?,?,0040A014,?,0042F200,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,0043F000), ref: 004056D3
            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405773
            • FindClose.KERNEL32(00000000), ref: 00405782
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
            • String ID: C:\Users\user~1\AppData\Local\Temp\$\*.*
            • API String ID: 2035342205-1117835029
            • Opcode ID: f8de7b50163dd1efd412f680910ecff258e3fc2c6b7af745ee09ee24b87cc35c
            • Instruction ID: 537a859ffcff897d8cd5f5cf56393fe58197ce41a03b0bffcce20e97483bf088
            • Opcode Fuzzy Hash: f8de7b50163dd1efd412f680910ecff258e3fc2c6b7af745ee09ee24b87cc35c
            • Instruction Fuzzy Hash: 2441B230500A18E6DB21AB618D89EBF7778DF86719F14813BF805B21D1D77C4981EE6E
            APIs
            • FindFirstFileW.KERNEL32(?,00430248,0042FA00,0040593D,0042FA00,0042FA00,00000000,0042FA00,0042FA00,?,?,771B3420,00405649,?,C:\Users\user~1\AppData\Local\Temp\,771B3420), ref: 004060EF
            • FindClose.KERNEL32(00000000), ref: 004060FB
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
            • Instruction ID: 5d70c47cb11938251a0a1db446d6214bf1d94b5ec034c03d4844f4bffd5ee079
            • Opcode Fuzzy Hash: 9c2bed4397a3bf892ba140cd3fe5090782190f2fd0e109c23d43d293603923f5
            • Instruction Fuzzy Hash: 1DD012755540309BD7805738AE0C84B7A59AF193317224B36F46AF62E0D7788C66869C
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID:
            • String ID: !C$ !C
            • API String ID: 0-4112869800
            • Opcode ID: f244a69970be5e3fb7395b2eb28eccf6eedf7c5e0ffd2bc2360b4ba292bdf26c
            • Instruction ID: 9d59628195055c55702702634927743170e9131f895cfb3327bf2ff62f88c604
            • Opcode Fuzzy Hash: f244a69970be5e3fb7395b2eb28eccf6eedf7c5e0ffd2bc2360b4ba292bdf26c
            • Instruction Fuzzy Hash: F2C15971A0021ACBCF18CF68D5905EEB7B2BF98314F26826AD8567B380D7346952CF94
            APIs
            • CoCreateInstance.OLE32(00408580,?,00000001,00408570,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CreateInstance
            • String ID:
            • API String ID: 542301482-0
            • Opcode ID: ffa6b33d051242dea0b599afd0b70f87154ad558325d106faae319e39926f61a
            • Instruction ID: 980c83093501945f33440b76d7cafb195365f9a7aefe91f5dd6c45d3bc957592
            • Opcode Fuzzy Hash: ffa6b33d051242dea0b599afd0b70f87154ad558325d106faae319e39926f61a
            • Instruction Fuzzy Hash: 77415C75A00104BFCB00DFA4CD88EAE7BB6EF88315B20456AF905EB2D1DA79ED41CB55
            APIs
            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: FileFindFirst
            • String ID:
            • API String ID: 1974802433-0
            • Opcode ID: 61e4b2d84330adcf7c60f82c7e5d820b6e598669863a6f3568266a41ee9f3ddd
            • Instruction ID: acf40542f5c489c1fe3f42b28250c4c8421c5faf7d3490952b38be557a9d2a1a
            • Opcode Fuzzy Hash: 61e4b2d84330adcf7c60f82c7e5d820b6e598669863a6f3568266a41ee9f3ddd
            • Instruction Fuzzy Hash: BEF0B8B16002109BCB00EFA0CD489AEB378FF08324F20097AF101F30D0D6B899009B2A
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
            • Instruction ID: 831d3521bb97c66da2d66f325b0a06c49e3003946fd67b3772e4acd4ce90d7ab
            • Opcode Fuzzy Hash: d398b535e43ee880de6f9663a3da9d30c23bf20106ab7c53179b5f9c0eb57cb5
            • Instruction Fuzzy Hash: DDE17B71900719DFDB24CF58C880BAAB7F5EB44305F15892EE897AB2D1D778A961CF04

            Control-flow Graph

            APIs
              • Part of subcall function 0040610B: GetModuleHandleA.KERNEL32(?,?,00000020,0040326C,00000008), ref: 0040611D
              • Part of subcall function 0040610B: LoadLibraryA.KERNELBASE(?,?,00000020,0040326C,00000008), ref: 00406128
              • Part of subcall function 0040610B: GetProcAddress.KERNEL32(00000000,?), ref: 00406139
            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000,0043F000), ref: 004037EC
            • lstrlenW.KERNEL32(00432E40,?,?,?,00432E40,00000000,0043F800,C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000,00000006,C:\Users\user~1\AppData\Local\Temp\), ref: 0040386C
            • lstrcmpiW.KERNEL32(00432E38,.exe,00432E40,?,?,?,00432E40,00000000,0043F800,C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp,0042D1F8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D1F8,00000000), ref: 0040387F
            • GetFileAttributesW.KERNEL32(00432E40), ref: 0040388A
            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 004038D3
              • Part of subcall function 00405CE8: wsprintfW.USER32 ref: 00405CF5
            • RegisterClassW.USER32(00433E40), ref: 00403910
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403928
            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040395D
            • ShowWindow.USER32(00000005,00000000), ref: 00403993
            • LoadLibraryW.KERNEL32(RichEd20), ref: 004039A4
            • LoadLibraryW.KERNEL32(RichEd32), ref: 004039AF
            • GetClassInfoW.USER32(00000000,RichEdit20W,00433E40), ref: 004039BF
            • GetClassInfoW.USER32(00000000,RichEdit,00433E40), ref: 004039CC
            • RegisterClassW.USER32(00433E40), ref: 004039D5
            • DialogBoxParamW.USER32(?,00000000,00403B0E,00000000), ref: 004039F4
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
            • String ID: .DEFAULT\Control Panel\International$.exe$@.C$@>C$B.C$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsmADFC.tmp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
            • API String ID: 914957316-1387936157
            • Opcode ID: 13181fb0a13b4fe95f4f44d618df2cd010522b2bf7784839af7428735638c323
            • Instruction ID: 9058ea0fac2f7b5828f11579708a501ddeab19906f501c4d7d338e07c4ff49df
            • Opcode Fuzzy Hash: 13181fb0a13b4fe95f4f44d618df2cd010522b2bf7784839af7428735638c323
            • Instruction Fuzzy Hash: 2761B871600700AFD720BF669D46F2B3A6CEB84B4AF50443FF940B62E1CBB95941CA2D

            Control-flow Graph

            APIs
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B4A
            • ShowWindow.USER32(?), ref: 00403B67
            • DestroyWindow.USER32 ref: 00403B7B
            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403B97
            • GetDlgItem.USER32(?,?), ref: 00403BB8
            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403BCC
            • IsWindowEnabled.USER32(00000000), ref: 00403BD3
            • GetDlgItem.USER32(?,00000001), ref: 00403C81
            • GetDlgItem.USER32(?,00000002), ref: 00403C8B
            • SetClassLongW.USER32(?,000000F2,?), ref: 00403CA5
            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403CF6
            • GetDlgItem.USER32(?,00000003), ref: 00403D9C
            • ShowWindow.USER32(00000000,?), ref: 00403DBD
            • EnableWindow.USER32(?,?), ref: 00403DCF
            • EnableWindow.USER32(?,?), ref: 00403DEA
            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E00
            • EnableMenuItem.USER32(00000000), ref: 00403E07
            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403E1F
            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403E32
            • lstrlenW.KERNEL32(0042D1F8,?,0042D1F8,00433EA0), ref: 00403E5B
            • SetWindowTextW.USER32(?,0042D1F8), ref: 00403E6F
            • ShowWindow.USER32(?,0000000A), ref: 00403FA3
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
            • String ID:
            • API String ID: 184305955-0
            • Opcode ID: 3d70d94d5eb68e801898c08395313f40ee8f1bd2a4b8db52baf4935a012bca6c
            • Instruction ID: 60ca7c1d91bee6f8242d2bed331db898ad50b25bc51b1c46c45c1ad212b6c09a
            • Opcode Fuzzy Hash: 3d70d94d5eb68e801898c08395313f40ee8f1bd2a4b8db52baf4935a012bca6c
            • Instruction Fuzzy Hash: B6C1DD71904205ABDB216F61EE86E2A3E7CFB4570AF14053EF641B11E0CB799A42DB2D

            Control-flow Graph

            APIs
            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404221
            • GetDlgItem.USER32(?,000003E8), ref: 00404235
            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404252
            • GetSysColor.USER32(?), ref: 00404263
            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404271
            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040427F
            • lstrlenW.KERNEL32(?), ref: 00404284
            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404291
            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004042A6
            • GetDlgItem.USER32(?,0000040A), ref: 004042FF
            • SendMessageW.USER32(00000000), ref: 00404306
            • GetDlgItem.USER32(?,000003E8), ref: 00404331
            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
            • LoadCursorW.USER32(00000000,00007F02), ref: 00404382
            • SetCursor.USER32(00000000), ref: 00404385
            • ShellExecuteW.SHELL32(0000070B,open,@.C,00000000,00000000,00000001), ref: 0040439A
            • LoadCursorW.USER32(00000000,00007F00), ref: 004043A6
            • SetCursor.USER32(00000000), ref: 004043A9
            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004043D8
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004043EA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
            • String ID: @.C$N$open
            • API String ID: 3615053054-801394694
            • Opcode ID: 963217090c97da4adcbcf15c24e762bcbfd2aad3b5ef9f006c5e90e2b7288751
            • Instruction ID: bcd791c445e14c4d77ec78b24435c59c5d20c83db90324e08484bccd48c03535
            • Opcode Fuzzy Hash: 963217090c97da4adcbcf15c24e762bcbfd2aad3b5ef9f006c5e90e2b7288751
            • Instruction Fuzzy Hash: 727181B1A00209BFDB109F60DD85E6A7B79FB84355F04803AFB05B62D1C779A961CF98

            Control-flow Graph (rendered graph of basic blocks 405abf-405c3a omitted)
            APIs
            • lstrcpyW.KERNEL32(00430898,NUL,?,00000000,?,?,?,00405C63,?,?,00000001,004057DB,?,00000000,000000F1,?), ref: 00405ACF
            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405C63,?,?,00000001,004057DB,?,00000000,000000F1,?), ref: 00405AF3
            • GetShortPathNameW.KERNEL32(00000000,00430898,00000400), ref: 00405AFC
              • Part of subcall function 00405972: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 00405982
              • Part of subcall function 00405972: lstrlenA.KERNEL32(00405BAC,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 004059B4
            • GetShortPathNameW.KERNEL32(?,00431098,00000400), ref: 00405B19
            • wsprintfA.USER32 ref: 00405B37
            • GetFileSize.KERNEL32(00000000,00000000,00431098,C0000000,00000004,00431098,?,?,?,?,?), ref: 00405B72
            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B81
            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405BB9
            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00430498,00000000,-0000000A,0040A514,00000000,[Rename],00000000,00000000,00000000), ref: 00405C0F
            • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405C21
            • GlobalFree.KERNEL32(00000000), ref: 00405C28
            • CloseHandle.KERNEL32(00000000), ref: 00405C2F
              • Part of subcall function 00405A0D: GetFileAttributesW.KERNELBASE(00000003,00402DA7,00442800,80000000,00000003,?,?,?,00000000,0040344F,?), ref: 00405A11
              • Part of subcall function 00405A0D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,0040344F,?), ref: 00405A33
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
            • String ID: %ls=%ls$NUL$[Rename]
            • API String ID: 1265525490-899692902
            • Opcode ID: 966b28a7e5a5b9a46133c77218e23553b336693a1c23903b6eeae7e9c3b0497a
            • Instruction ID: 7e8ca1d3d50ba167f29b61b8a94756d2149cb8eb8d1ee9df404c58700b9860d6
            • Opcode Fuzzy Hash: 966b28a7e5a5b9a46133c77218e23553b336693a1c23903b6eeae7e9c3b0497a
            • Instruction Fuzzy Hash: B1411671204B19BFD2206B615D49F6B3B6CEF45715F14003AF942B62D2EA7CE9018A7D
            APIs
            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
            • BeginPaint.USER32(?,?), ref: 00401047
            • GetClientRect.USER32(?,?), ref: 0040105B
            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
            • DeleteObject.GDI32(?), ref: 004010ED
            • CreateFontIndirectW.GDI32(?), ref: 00401105
            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
            • SelectObject.GDI32(00000000,?), ref: 00401140
            • DrawTextW.USER32(00000000,00433EA0,000000FF,00000010,00000820), ref: 00401156
            • SelectObject.GDI32(00000000,00000000), ref: 00401160
            • DeleteObject.GDI32(?), ref: 00401165
            • EndPaint.USER32(?,?), ref: 0040116E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
            • String ID: F
            • API String ID: 941294808-1304234792
            • Opcode ID: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
            • Instruction ID: f1b70214e96eb8bec3146c709be0bbd1f29e4b49e587d4bf0c97a3ec82ce1e67
            • Opcode Fuzzy Hash: eba2a3bbcb5832d39a7808e3ae5c7eb99af93b299209f69c760ac1b0491d86a4
            • Instruction Fuzzy Hash: 00417C71400209AFCB058FA5DE459BF7BB9FF44315F00802EF591AA1A0C778EA54DFA4
            APIs
            • GetTickCount.KERNEL32 ref: 00402D78
            • GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,?,?,00000000,0040344F,?), ref: 00402D94
              • Part of subcall function 00405A0D: GetFileAttributesW.KERNELBASE(00000003,00402DA7,00442800,80000000,00000003,?,?,?,00000000,0040344F,?), ref: 00405A11
              • Part of subcall function 00405A0D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,0040344F,?), ref: 00405A33
            • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003,?,?,?,00000000,0040344F,?), ref: 00402DE0
            Strings
            • 39-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>, xrefs: 00402DF5, 00402E16, 00402E32, 00402EBE
            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402D71
            • Inst, xrefs: 00402E4C
            • Null, xrefs: 00402E5E
            • Error launching installer, xrefs: 00402DB7
            • soft, xrefs: 00402E55
            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402F3F
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: File$AttributesCountCreateModuleNameSizeTick
            • String ID: 39-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>$C:\Users\user~1\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
            • API String ID: 4283519449-586070698
            • Opcode ID: 1ddf41df0a42b2360c78983b726e0176e8784e91c938cfa3838bdba12ee062b7
            • Instruction ID: 2344981239cccc2d9a157a4bc97fadfb01f0662fe41213100d9ed930206fcb3f
            • Opcode Fuzzy Hash: 1ddf41df0a42b2360c78983b726e0176e8784e91c938cfa3838bdba12ee062b7
            • Instruction Fuzzy Hash: 2451D171900215AFDB109FA5DE89B9F7AB8FB04359F20413BF904B62D1C7B89D408BAD
            APIs
            • GetTickCount.KERNEL32 ref: 0040300B
            • GetTickCount.KERNEL32 ref: 004030B0
            • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004030D9
            • wsprintfW.USER32 ref: 004030EC
            • WriteFile.KERNEL32(00000000,00000000,?,00402F3A,00000000), ref: 0040311D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CountTick$FileWritewsprintf
            • String ID: ... %d%%
            • API String ID: 4209647438-2449383134
            • Opcode ID: 567d16c84bc26e35b56de6a991f7c1d851492a15168b7d80d9f2dbebfc4257a8
            • Instruction ID: edebebcb9cc5efd3ffb8aa1a5e3cca2c022cdf8913c1b450003ecc800609919e
            • Opcode Fuzzy Hash: 567d16c84bc26e35b56de6a991f7c1d851492a15168b7d80d9f2dbebfc4257a8
            • Instruction Fuzzy Hash: 78615971900219EBCF10DF65DA84A9F7FB8AF08312F14457BE814BB2D0D7789A50CBA9
            APIs
            • GetWindowLongW.USER32(?,000000EB), ref: 0040406A
            • GetSysColor.USER32(00000000), ref: 00404086
            • SetTextColor.GDI32(?,00000000), ref: 00404092
            • SetBkMode.GDI32(?,?), ref: 0040409E
            • GetSysColor.USER32(?), ref: 004040B1
            • SetBkColor.GDI32(?,?), ref: 004040C1
            • DeleteObject.GDI32(?), ref: 004040DB
            • CreateBrushIndirect.GDI32(?), ref: 004040E5
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
            • String ID:
            • API String ID: 2320649405-0
            • Opcode ID: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
            • Instruction ID: 4290116d03e1e938411804169c88583f7df32a2dcd0dedbcf70a7ff5d4599883
            • Opcode Fuzzy Hash: 878c72b768cb9ca2e83e307521140d4ebe6f79c9a792ccaf91322ed4afa210a0
            • Instruction Fuzzy Hash: 0F2157B15007049BC7319F68DD48B5B7BF8AF41714F04893DEA95F2691D734D948CB64
            APIs
            • ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D
              • Part of subcall function 00405A90: ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031DB,00000000,00000000,00402FF3,000000FF,00000004,00000000,00000000,00000000), ref: 00405AA4
              • Part of subcall function 00405CE8: wsprintfW.USER32 ref: 00405CF5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
            • String ID: 9
            • API String ID: 1149667376-2366072709
            • Opcode ID: 1ebf7e8ea81d9f721691c6586ac75f819ca406a5e40d7b7a1c139251d0037f51
            • Instruction ID: 712a0fc01c11b6dc7c3c5e68f53f431dee7eef2fa5089cb8e9bfef1fdcaab261
            • Opcode Fuzzy Hash: 1ebf7e8ea81d9f721691c6586ac75f819ca406a5e40d7b7a1c139251d0037f51
            • Instruction Fuzzy Hash: A151EBB1D00219AADF14DFA4DA88AAEB779FF04304F50443BE501B62D0DB759E42CB69
            APIs
            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
            • GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
            • GlobalFree.KERNEL32(00000000), ref: 00402875
            • CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
            • String ID:
            • API String ID: 3294113728-0
            • Opcode ID: 8e0940e00e99637d45cda657c49f497c391d11177f7645e1064727bb186f540e
            • Instruction ID: fe2ca1a255c9cd407b5186cb59bdd4cc2173cf127eb101838ad91b4c2232832b
            • Opcode Fuzzy Hash: 8e0940e00e99637d45cda657c49f497c391d11177f7645e1064727bb186f540e
            • Instruction Fuzzy Hash: BD317F72800118BBDF11AFA5CE49DAF7E79EF09364F24423AF550762D0CA794E418BA9
            APIs
            • lstrlenW.KERNEL32(0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000,?), ref: 00405083
            • lstrlenW.KERNEL32(00403103,0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000), ref: 00405093
            • lstrcatW.KERNEL32(0042C1D8,00403103,00403103,0042C1D8,00000000,?,771B23A0), ref: 004050A6
            • SetWindowTextW.USER32(0042C1D8,0042C1D8), ref: 004050B8
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004050DE
            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050F8
            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405106
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$lstrlen$TextWindowlstrcat
            • String ID:
            • API String ID: 2531174081-0
            • Opcode ID: c0e6c919bf82f45c73b6eecd0639a41c2ad0d5a79d84f923f5aec4b4dd022a62
            • Instruction ID: 18f0b212c8a37fbfd9ea408b4b1fd2a272b642164fc692df639cd20d24458be7
            • Opcode Fuzzy Hash: c0e6c919bf82f45c73b6eecd0639a41c2ad0d5a79d84f923f5aec4b4dd022a62
            • Instruction Fuzzy Hash: 56219D71900518BADB11AF95DD85EDFBFB9EF84314F10807AF904B62A1C3794A40CFA8
            APIs
            • CharNextW.USER32(?,*?|<>/":,00000000,0043F000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 00406098
            • CharNextW.USER32(?,?,?,00000000), ref: 004060A7
            • CharNextW.USER32(?,0043F000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004060AC
            • CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,00403201,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004060BF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Char$Next$Prev
            • String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\
            • API String ID: 589700163-1439852002
            • Opcode ID: 5d64c10bc97e62ea4a676719e588da5fc07abd2ce6560c5e8650e212b13ecad1
            • Instruction ID: 35fbf6a24d661ac63574abd6f2b5f3cfaee5f5a3e28f3d5ffd4c7fbc13fd6fb5
            • Opcode Fuzzy Hash: 5d64c10bc97e62ea4a676719e588da5fc07abd2ce6560c5e8650e212b13ecad1
            • Instruction Fuzzy Hash: 1F11C81684061299DB30BB148C40A7772E8EF55754F56843FED86732C0E7BC4CA282BD
            APIs
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404930
            • GetMessagePos.USER32 ref: 00404938
            • ScreenToClient.USER32(?,?), ref: 00404952
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404964
            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0040498A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Message$Send$ClientScreen
            • String ID: f
            • API String ID: 41195575-1993550816
            • Opcode ID: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
            • Instruction ID: e09b5cbf994b9d20e684e2691b51e71dfbdbe619cf93b48063de1b345cd00843
            • Opcode Fuzzy Hash: 8022016cd060c827d0bdc105967e00620e8417d97f69c1817adc8455638bf95d
            • Instruction Fuzzy Hash: 14015E71940219BADB00DBA4DD85FFFBBBCAF54711F10012BBB50B61C0C7B499018BA4
            APIs
            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
            • MulDiv.KERNEL32(?,00000064,?), ref: 00402CC6
            • wsprintfW.USER32 ref: 00402CD6
            • SetWindowTextW.USER32(?,?), ref: 00402CE6
            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF8
            Strings
            • verifying installer: %d%%, xrefs: 00402CD0
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Text$ItemTimerWindowwsprintf
            • String ID: verifying installer: %d%%
            • API String ID: 1451636040-82062127
            • Opcode ID: b579be9e180f96ba16c56fb513ac100cc9f2c07574638d36e797e7726839ab9f
            • Instruction ID: 4408f4c8952a47a194ff67b523293e2f30943602a1885e021f1ba6dd9a58fc5a
            • Opcode Fuzzy Hash: b579be9e180f96ba16c56fb513ac100cc9f2c07574638d36e797e7726839ab9f
            • Instruction Fuzzy Hash: FB016270640208BFEF20AF64DD49FEE3B69BB00309F008439FA06A92D0DBB89555CF59
            APIs
            • WideCharToMultiByte.KERNEL32(?,?,0040B578,000000FF,0040AD78,00000400,?,?,00000021), ref: 0040252D
            • lstrlenA.KERNEL32(0040AD78,?,?,0040B578,000000FF,0040AD78,00000400,?,?,00000021), ref: 00402534
            • WriteFile.KERNEL32(00000000,?,0040AD78,00000000,?,?,00000000,00000011), ref: 00402566
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: ByteCharFileMultiWideWritelstrlen
            • String ID: 8
            • API String ID: 1453599865-4194326291
            • Opcode ID: fa24a900829e58aa854b55985ad0857a7e20b855b9e3e7eff8b1e02e12944b15
            • Instruction ID: 789ffc1fd5c9b2491a3bc3a33d6618758842135b745afe85e879194269bc7d47
            • Opcode Fuzzy Hash: fa24a900829e58aa854b55985ad0857a7e20b855b9e3e7eff8b1e02e12944b15
            • Instruction Fuzzy Hash: FF018071A40604BFD700ABB19E8DEAF7278EF6031AF20453BF142B60C1D6B84991962E
            APIs
            • lstrcatW.KERNEL32(00000000,00000000,0040A578,00440000,?,?,00000031), ref: 00401793
            • CompareFileTime.KERNEL32(-00000014,?,0040A578,0040A578,00000000,00000000,0040A578,00440000,?,?,00000031), ref: 004017B8
              • Part of subcall function 00405DA1: lstrcpynW.KERNEL32(?,?,00000400,00403297,00433EA0,NSIS Error), ref: 00405DAE
              • Part of subcall function 0040504B: lstrlenW.KERNEL32(0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000,?), ref: 00405083
              • Part of subcall function 0040504B: lstrlenW.KERNEL32(00403103,0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000), ref: 00405093
              • Part of subcall function 0040504B: lstrcatW.KERNEL32(0042C1D8,00403103,00403103,0042C1D8,00000000,?,771B23A0), ref: 004050A6
              • Part of subcall function 0040504B: SetWindowTextW.USER32(0042C1D8,0042C1D8), ref: 004050B8
              • Part of subcall function 0040504B: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004050DE
              • Part of subcall function 0040504B: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050F8
              • Part of subcall function 0040504B: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405106
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
            • String ID:
            • API String ID: 1941528284-0
            • Opcode ID: 3b07a03950afe4c981b82c8560f7630a0fa17e6691ec92e93bdf0364be60bc21
            • Instruction ID: e0c9a0707421b0566b50a086881e387c24033da95965c7c775ca149cf8f14c82
            • Opcode Fuzzy Hash: 3b07a03950afe4c981b82c8560f7630a0fa17e6691ec92e93bdf0364be60bc21
            • Instruction Fuzzy Hash: EA418071900518BACF116BB5DC4ADAF7679EF45368B20823BF421B10E1D73C8A519A6D
            APIs
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
            • RegCloseKey.ADVAPI32(?), ref: 00402BDE
            • RegCloseKey.ADVAPI32(?), ref: 00402C03
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Close$DeleteEnumOpen
            • String ID:
            • API String ID: 1912718029-0
            • Opcode ID: bd91da1ba0eb139b8caccfea47c3b8adcc0195348a71b7fcd29f2bbb3b0fb127
            • Instruction ID: 2ec885d680f81863ea04f737883acb0357ac6f266bfb4f4db73bac45c1b80bd2
            • Opcode Fuzzy Hash: bd91da1ba0eb139b8caccfea47c3b8adcc0195348a71b7fcd29f2bbb3b0fb127
            • Instruction Fuzzy Hash: AB114671504108FFEF11AF90DE89EAE3B7DEB44348F11007AFA15A10A0D7B59E55AF68
            APIs
            • GetDlgItem.USER32(?,?), ref: 00401CEB
            • GetClientRect.USER32(00000000,?), ref: 00401CF8
            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
            • DeleteObject.GDI32(00000000), ref: 00401D36
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
            • String ID:
            • API String ID: 1849352358-0
            • Opcode ID: aeb2b04795d680d12746b09d9d3076b6a991ad1a912ba314740c9d263e8ce963
            • Instruction ID: a030428118a1c000f424ff4dfb6ba2235896b41d14b08693192eaf3a016f5733
            • Opcode Fuzzy Hash: aeb2b04795d680d12746b09d9d3076b6a991ad1a912ba314740c9d263e8ce963
            • Instruction Fuzzy Hash: 92F0ECB2600508AFDB01DBE4EF88CEEB7BCEB08311B15146AF641F6190DA74AD018B38
            APIs
            • GetDC.USER32(?), ref: 00401D44
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
            • ReleaseDC.USER32(?,00000000), ref: 00401D71
            • CreateFontIndirectW.GDI32(0040CD80), ref: 00401DBC
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CapsCreateDeviceFontIndirectRelease
            • String ID:
            • API String ID: 3808545654-0
            • Opcode ID: d0c589828fdc2f60c51a1b7eb7f59a871ef2e54159ce2cf69037fbe37572b688
            • Instruction ID: 116310afc90cc01f82b49c11926c77c683d1a1b46be819c55f1a02a8d5d7abe2
            • Opcode Fuzzy Hash: d0c589828fdc2f60c51a1b7eb7f59a871ef2e54159ce2cf69037fbe37572b688
            • Instruction Fuzzy Hash: DC016D35944640EFEB016BB0AF8AB9A3F74EF55305F104A79F545B62E2CA7804098B2D
            APIs
            • lstrlenW.KERNEL32(0042D1F8,0042D1F8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 004048C0
            • wsprintfW.USER32 ref: 004048C9
            • SetDlgItemTextW.USER32(?,0042D1F8), ref: 004048DC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: ItemTextlstrlenwsprintf
            • String ID: %u.%u%s%s
            • API String ID: 3540041739-3551169577
            • Opcode ID: ab2d75c3d347bcae210a388157d4015cbde97b43778bbdcc2d1826b2da227e5d
            • Instruction ID: 531d837b88f4b702d8d9e34e744ab90cc2584a20199bf08e47c16144e152f227
            • Opcode Fuzzy Hash: ab2d75c3d347bcae210a388157d4015cbde97b43778bbdcc2d1826b2da227e5d
            • Instruction Fuzzy Hash: CB11E6736002243BDB10A66D9C4AEDF3659DBC2334F14863BFA25F61D1D978891186E8
            APIs
            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$Timeout
            • String ID: !
            • API String ID: 1777923405-2657877971
            • Opcode ID: fa0622c80f3ea4c4a1a4fe4c6f91de5de270cf664640931bdd5eb32ff74c1ad7
            • Instruction ID: d25c1399015d6fc3d8f93c2dcf78642a10d85d9054307dbf3bdfe5c686c79543
            • Opcode Fuzzy Hash: fa0622c80f3ea4c4a1a4fe4c6f91de5de270cf664640931bdd5eb32ff74c1ad7
            • Instruction Fuzzy Hash: FC21B371A44208AFEF01AFB0CA4AEAD7B75EF45308F10413EF502B61D1D7B8A941DB18
            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FC3
              • Part of subcall function 0040504B: lstrlenW.KERNEL32(0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000,?), ref: 00405083
              • Part of subcall function 0040504B: lstrlenW.KERNEL32(00403103,0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000), ref: 00405093
              • Part of subcall function 0040504B: lstrcatW.KERNEL32(0042C1D8,00403103,00403103,0042C1D8,00000000,?,771B23A0), ref: 004050A6
              • Part of subcall function 0040504B: SetWindowTextW.USER32(0042C1D8,0042C1D8), ref: 004050B8
              • Part of subcall function 0040504B: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004050DE
              • Part of subcall function 0040504B: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050F8
              • Part of subcall function 0040504B: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405106
            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
            • String ID: OC
            • API String ID: 334405425-1597561874
            • Opcode ID: 297c1825603e8d5f489a2522be40841bd89bd4d7f47841d63e333b39b1ac1a2c
            • Instruction ID: b3ac21fa57660b76ceab9e03e352ea593c7fbc5daa3d747aca45c0be544cf33f
            • Opcode Fuzzy Hash: 297c1825603e8d5f489a2522be40841bd89bd4d7f47841d63e333b39b1ac1a2c
            • Instruction Fuzzy Hash: 3B21A771900215EACF106FA5CE48A9E7EB0AF09354F70423BF610B51E0D7BD8A81DA5D
            APIs
            • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403213,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004057F2
            • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403213,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004033E1), ref: 004057FC
            • lstrcatW.KERNEL32(?,0040A014), ref: 0040580E
            Strings
            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004057EC
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CharPrevlstrcatlstrlen
            • String ID: C:\Users\user~1\AppData\Local\Temp\
            • API String ID: 2659869361-2382934351
            • Opcode ID: de9dddfcd7a9d618380513bff0a4e880c88fc064ccebdc1c89e46d65784464cc
            • Instruction ID: f63ca075a24b3552cb7c5632698c0476d366f5162805e4a7ef835507e0185024
            • Opcode Fuzzy Hash: de9dddfcd7a9d618380513bff0a4e880c88fc064ccebdc1c89e46d65784464cc
            • Instruction Fuzzy Hash: 9DD05E21102E20AAD1117B849C08EDB629DEE85300340847BF500B21A1CB7819518BED
            APIs
            • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
            • lstrlenW.KERNEL32(0040B578,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
            • RegSetValueExW.ADVAPI32(?,?,?,?,0040B578,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
            • RegCloseKey.ADVAPI32(?,?,?,0040B578,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CloseCreateValuelstrlen
            • String ID:
            • API String ID: 1356686001-0
            • Opcode ID: cc0965250b89a09c51cf9f9c53b423a312148e2e41ea1d3763b9cdd40fc2e552
            • Instruction ID: 92be6db62a7debd6b64078ffb9939270950072c0cf2fb5a53bae11f9be139373
            • Opcode Fuzzy Hash: cc0965250b89a09c51cf9f9c53b423a312148e2e41ea1d3763b9cdd40fc2e552
            • Instruction Fuzzy Hash: 8F1190B1A00108BFEB00AFA1DE8AEAF777CEB54358F11403AF504B71D0D7B85D409A68
            APIs
              • Part of subcall function 00405897: CharNextW.USER32(?,?,0042FA00,?,0040590B,0042FA00,0042FA00,?,?,771B3420,00405649,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,0043F000), ref: 004058A5
              • Part of subcall function 00405897: CharNextW.USER32(00000000), ref: 004058AA
              • Part of subcall function 00405897: CharNextW.USER32(00000000), ref: 004058C2
            • CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
            • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
            • SetCurrentDirectoryW.KERNEL32(?,00440000,?,00000000,000000F0), ref: 00401630
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
            • String ID:
            • API String ID: 3751793516-0
            • Opcode ID: 109ac3cab168821cff9c761a4bcdab396d1ff7e1addeaf9cefa6065999dfc9c4
            • Instruction ID: 34d8f352ef9aa8656828f895e526d2bd4293bf172d5861d5c75f43cad8b5630e
            • Opcode Fuzzy Hash: 109ac3cab168821cff9c761a4bcdab396d1ff7e1addeaf9cefa6065999dfc9c4
            • Instruction Fuzzy Hash: B2112531500104EBCF206FA0DD449AE3BB0EF05369B29453BF881F22E0D73D49808B5D
            APIs
            • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
            • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
            • VerQueryValueW.VERSION(?,0040A014,?,?,?,?,00000000,00000000), ref: 00401F69
              • Part of subcall function 00405CE8: wsprintfW.USER32 ref: 00405CF5
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
            • String ID:
            • API String ID: 1404258612-0
            • Opcode ID: 90b437ca501e41d769246acc3526ee78bfc1f7e4b716acdc87d1f01b62c577f6
            • Instruction ID: 985e6d37b82d88455cf37f94a5598379594e562e2ebdb1bdff2800a7dde94c7a
            • Opcode Fuzzy Hash: 90b437ca501e41d769246acc3526ee78bfc1f7e4b716acdc87d1f01b62c577f6
            • Instruction Fuzzy Hash: B6111CB1A00109AFDB01DFA5C945DAEBBB5EF45344F21417AF500F62E1E7359E40DB29
            APIs
              • Part of subcall function 0040504B: lstrlenW.KERNEL32(0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000,?), ref: 00405083
              • Part of subcall function 0040504B: lstrlenW.KERNEL32(00403103,0042C1D8,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403103,00000000), ref: 00405093
              • Part of subcall function 0040504B: lstrcatW.KERNEL32(0042C1D8,00403103,00403103,0042C1D8,00000000,?,771B23A0), ref: 004050A6
              • Part of subcall function 0040504B: SetWindowTextW.USER32(0042C1D8,0042C1D8), ref: 004050B8
              • Part of subcall function 0040504B: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004050DE
              • Part of subcall function 0040504B: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004050F8
              • Part of subcall function 0040504B: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405106
              • Part of subcall function 0040551C: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 00405541
              • Part of subcall function 0040551C: CloseHandle.KERNEL32(?), ref: 0040554E
            • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
            • String ID:
            • API String ID: 3585118688-0
            • Opcode ID: 397bbc1e4d4bd5b336570b9bd6cdfb94af19db1830bc237898cd674fcce29f39
            • Instruction ID: b5f73ffbd4a1fa015f0c2796452332fd916e9637aff9300d1e3c67c2e8cabf32
            • Opcode Fuzzy Hash: 397bbc1e4d4bd5b336570b9bd6cdfb94af19db1830bc237898cd674fcce29f39
            • Instruction Fuzzy Hash: C911AD71900204EBCF109FA1CE449EE7AB1EF04315F20443BF901B61E1C7798A929F99
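The per-function "APIs" lists on this page (for instance the RegOpenKeyExW / RegEnumKeyW / RegDeleteKeyW record and the CreateProcessW / WaitForSingleObject / GetExitCodeProcess record above) are easier to triage once they are parsed out of the text export and matched against ordered API sequences. The following Python script is an added example for this page and is not Joe Sandbox code: it parses the bullet format shown here (direct calls and "Part of subcall function" lines), drops the A/W suffix so RegOpenKeyExW and RegOpenKeyExA compare equal, separates the sandbox's resolved string arguments from hexadecimal pointers, and tags each record with API sequences that occur in order. The sequences, their tag names and the summary layout are this example's own; the sample input is two records copied from the report above, one argument list trimmed.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox text export and tag
API call sequences worth a second look.  Added example for this page, not Joe
Sandbox code; the sequences and tag names below are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional
# Constructed input: two records copied from the report above (the registry
# deletion function and the child-process function), one argument list trimmed.
SAMPLE = """
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
• RegCloseKey.ADVAPI32(?), ref: 00402BDE
• RegCloseKey.ADVAPI32(?), ref: 00402C03
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21
Memory Dump Source
APIs
  • Part of subcall function 0040551C: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00430200,Error launching installer), ref: 00405541
  • Part of subcall function 0040551C: CloseHandle.KERNEL32(?), ref: 0040554E
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
"""

# One bullet line: optional "Part of subcall function <addr>:", then API.MODULE(args), ref: <addr>.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")  # a resolved pointer or constant, not a literal

@dataclass(frozen=True)
class ApiCall:
    api: str                # as printed, e.g. "RegDeleteKeyW"
    module: str             # e.g. "ADVAPI32"
    args: tuple             # argument tokens exactly as the report shows them
    ref: int                # call-site address from "ref:"
    subcall: Optional[int]  # callee address on "Part of subcall function" lines, else None

    @property
    def base(self) -> str:  # drop the A/W suffix so RegOpenKeyExW and RegOpenKeyExA compare equal
        return self.api[:-1] if len(self.api) > 1 and self.api[-1] in "AW" else self.api

def parse_api_blocks(text: str) -> list:
    """One list of ApiCall per "APIs" heading, in report order; any other heading closes it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = []
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None:               # "Strings", "Memory Dump Source", ... end the record
            current = None
        elif current is not None:   # split on commas: this report's literals contain none
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                   int(m["sub"], 16) if m["sub"] else None))
    return [r for r in records if r]

# In-order API sequences (other calls may sit between them) that deserve a closer look.
SEQUENCES = {
    "recursive registry key deletion": ("RegOpenKeyEx", "RegEnumKey", "RegDeleteKey"),
    "registry value write": ("RegCreateKeyEx", "RegSetValueEx"),
    "spawn child and wait for exit code": ("CreateProcess", "WaitForSingleObject", "GetExitCodeProcess"),
    "read a file's version resource": ("GetFileVersionInfoSize", "GetFileVersionInfo", "VerQueryValue"),
}

def _in_order(pattern, names) -> bool:
    """True if every name in pattern occurs in names in that order (one shared iterator)."""
    it = iter(names)
    return all(any(p == n for n in it) for p in pattern)

def tag_record(calls) -> list:
    names = [c.base for c in calls]
    return [tag for tag, pat in SEQUENCES.items() if _in_order(pat, names)]

def string_args(calls) -> list:
    """Literal arguments the sandbox resolved (messages, paths, format strings), deduplicated."""
    seen = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX_RE.match(a) and a not in seen:
                seen.append(a)
    return seen

def summarize(calls) -> dict:
    direct = [c.ref for c in calls if c.subcall is None] or [c.ref for c in calls]
    return {"range": (min(direct), max(direct)), "apis": [c.api for c in calls],
            "tags": tag_record(calls), "strings": string_args(calls)}

if __name__ == "__main__":
    for rec in parse_api_blocks(SAMPLE):
        print(summarize(rec))
```

Point parse_api_blocks at a saved text export instead of SAMPLE to get one summary per function. The tags are triage hints, not verdicts: deleting a key tree, writing a registry value and running a child process while waiting for its exit code are exactly what an installer stub does, and two of the strings this report resolves ("NSIS Error", "Error launching installer") are the messages the NSIS installer stub itself carries, so a hit here should be read together with the AV and neural-model detections in the overview rather than on its own.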
            APIs
            • DestroyWindow.USER32(00000000,00000000,00402EE3,00000001,?,?,?,00000000,0040344F,?), ref: 00402D16
            • GetTickCount.KERNEL32 ref: 00402D34
            • CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402D51
            • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,0040344F,?), ref: 00402D5F
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Window$CountCreateDestroyDialogParamShowTick
            • String ID:
            • API String ID: 2102729457-0
            • Opcode ID: aed48f930e6cb8163906278dd1a6a8d55546e7dcfd90fdb5b9c2cdca09a853f5
            • Instruction ID: 0f67fd822d339501c317f9c9290c0d88a12acd91c10ffcc8c100a5c20b21d8f0
            • Opcode Fuzzy Hash: aed48f930e6cb8163906278dd1a6a8d55546e7dcfd90fdb5b9c2cdca09a853f5
            • Instruction Fuzzy Hash: 8EF0F870603620BFC621AB64FF4DA9B7A65FB44B12B95047AF141B11E4D7B848C1CBDD
            APIs
            • IsWindowVisible.USER32(?), ref: 00404FEE
            • CallWindowProcW.USER32(?,?,?,?), ref: 0040503F
              • Part of subcall function 00404032: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404044
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Window$CallMessageProcSendVisible
            • String ID:
            • API String ID: 3748168415-3916222277
            • Opcode ID: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
            • Instruction ID: bbda00c2ce61db54858d54f75231ff4833bc9f24808a58ee1059b1aa4c9daed2
            • Opcode Fuzzy Hash: d5165aaa8ddedbb0149cdff99e62f7242478f10d326129f832a6699438a9a539
            • Instruction Fuzzy Hash: 44018F71100608AFDF318F11DD81AAF3A2AEB88354F104037FA00761D1CB7A8DA2DEA9
            APIs
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 00405541
            • CloseHandle.KERNEL32(?), ref: 0040554E
            Strings
            • Error launching installer, xrefs: 0040552F
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: CloseCreateHandleProcess
            • String ID: Error launching installer
            • API String ID: 3712363035-66219284
            • Opcode ID: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
            • Instruction ID: cf9fdeca5e40bc41ee8c953bab838b17ccc92df15d25727223da148b4173978b
            • Opcode Fuzzy Hash: e3a99de12ab609f41969ca5042cf5c1fd7ec7a17acfe207451f60b4ef79cfd79
            • Instruction Fuzzy Hash: 41E0ECB4500309ABEB00AF64DD49E6F7BBDEB04344F008575A950F2150D774D9148B68
            APIs
            • FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B3420,004036AE,004034F0,?), ref: 004036F0
            • GlobalFree.KERNEL32(?), ref: 004036F7
            Strings
            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004036E8
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: Free$GlobalLibrary
            • String ID: C:\Users\user~1\AppData\Local\Temp\
            • API String ID: 1100898210-2382934351
            • Opcode ID: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
            • Instruction ID: 839bfc3724c17aac1dd4b1c492512fede4cfaa3ffa2183060c5e8c58424d678e
            • Opcode Fuzzy Hash: af6bb57c9087681c5df9a6583299814f0cea52fc49ac98f0490cfdd2588b3981
            • Instruction Fuzzy Hash: 3AE0C233500020ABC6315F55FD0572EBB68AF4AB22F05842EE8807B3A087745C534FC8
            APIs
            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 00405982
            • lstrcmpiA.KERNEL32(00405BAC,00000000), ref: 0040599A
            • CharNextA.USER32(00405BAC,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 004059AB
            • lstrlenA.KERNEL32(00405BAC,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 004059B4
            Memory Dump Source
            • Source File: 00000000.00000002.1362102381.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1362082135.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000408000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000422000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000431000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362125273.0000000000441000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1362216780.0000000000465000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_y83WAR4vQc.jbxd
            Similarity
            • API ID: lstrlen$CharNextlstrcmpi
            • String ID:
            • API String ID: 190613189-0
            • Opcode ID: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
            • Instruction ID: 74db543d3a7c556463c7df328d7f28d8c713d1c7c3b841aeb09eb3bbb428cad3
            • Opcode Fuzzy Hash: 8032f475193f702fb71f6f03d8a24b737fcdd57b3ef24890a40e5d8249ef00b0
            • Instruction Fuzzy Hash: F4F0F632205914FFD702DFA4CE0099FBBA8EF05364B2140B9E840FB210D674DE019FA8
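            Each of the three function records above lists its imported API calls with call-site addresses, its string xrefs, and a "API ID" under Similarity that Joe Sandbox uses to cluster functions across samples. The following is an added example (it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling) that parses such records into structured form, flags the function that reaches a process-creation API, and rebuilds the API ID from the API names so the computed and reported keys can be compared. The key construction is an assumption inferred only from the three IDs on this page: strip a trailing A/W suffix, split each API name on CamelCase boundaries, emit tokens that occur more than once first, then a "$", then the remaining tokens, each group in ASCII order. The input is a constructed excerpt of the records above; the PROCESS_LAUNCH_APIS list and the record/field names are this example's own choices.

```python
"""Parse Joe Sandbox per-function records and rebuild the 'API ID' similarity key.

Added example, not part of the Joe Sandbox report or its tooling. The key
construction is an assumption inferred from the three records on this page.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: the APIs / Strings / Similarity lines of the three records
# above, reduced to the fields this parser needs.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00430200,Error launching installer), ref: 00405541
• CloseHandle.KERNEL32(?), ref: 0040554E
Strings
• Error launching installer, xrefs: 0040552F
Similarity
• API ID: CloseCreateHandleProcess
APIs
• FreeLibrary.KERNEL32(?,C:\\Users\\user~1\\AppData\\Local\\Temp\\,00000000,771B3420,004036AE,004034F0,?), ref: 004036F0
• GlobalFree.KERNEL32(?), ref: 004036F7
Strings
• C:\\Users\\user~1\\AppData\\Local\\Temp\\, xrefs: 004036E8
Similarity
• API ID: Free$GlobalLibrary
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 00405982
• lstrcmpiA.KERNEL32(00405BAC,00000000), ref: 0040599A
• CharNextA.USER32(00405BAC,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 004059AB
• lstrlenA.KERNEL32(00405BAC,?,00000000,00405BAC,00000000,[Rename],00000000,00000000,00000000), ref: 004059B4
Similarity
• API ID: lstrlen$CharNextlstrcmpi
"""

API_RE = re.compile(r'^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]{8})$')
STR_RE = re.compile(r'^(.*), xrefs: ([0-9A-Fa-f]{8})$')
ID_RE = re.compile(r'^API ID: (\S+)$')

# Hypothetical triage list for this example: APIs that start a new process.
PROCESS_LAUNCH_APIS = frozenset({
    'CreateProcessA', 'CreateProcessW', 'CreateProcessAsUserW',
    'ShellExecuteA', 'ShellExecuteW', 'ShellExecuteExW', 'WinExec',
})


@dataclass(frozen=True)
class APICall:
    name: str    # imported function, e.g. CreateProcessW
    module: str  # exporting module, e.g. KERNEL32
    ref: str     # call-site address in the dump, e.g. 00405541


@dataclass
class FunctionRecord:
    apis: List[APICall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref)
    reported_api_id: Optional[str] = None


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into one FunctionRecord per 'APIs' block."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('•'):
            # A non-bullet line is a section header; 'APIs' opens a new record.
            if line == 'APIs':
                cur = FunctionRecord()
                records.append(cur)
            section = line.lower() if line in ('APIs', 'Strings', 'Similarity') else None
            continue
        if cur is None or section is None:
            continue
        body = line[1:].strip()
        if section == 'apis' and (m := API_RE.match(body)):
            cur.apis.append(APICall(m.group(1), m.group(2), m.group(4)))
        elif section == 'strings' and (m := STR_RE.match(body)):
            cur.strings.append((m.group(1), m.group(2)))
        elif section == 'similarity' and (m := ID_RE.match(body)):
            cur.reported_api_id = m.group(1)
    return records


def api_tokens(name: str) -> List[str]:
    """Drop a trailing A/W (ANSI/wide) suffix and split on CamelCase boundaries."""
    base = re.sub(r'(?<=[a-z])[AW]$', '', name)
    return re.findall(r'[A-Z][a-z0-9]*|[a-z0-9]+', base)


def api_id(api_names: List[str]) -> str:
    """Assumed key: repeated tokens, '$', then single tokens; ASCII order within each group."""
    counts = Counter(t for n in api_names for t in api_tokens(n))
    repeated = sorted(t for t, c in counts.items() if c > 1)
    single = sorted(t for t, c in counts.items() if c == 1)
    return ''.join(repeated) + ('$' if repeated else '') + ''.join(single)


def api_ids_match(records: List[FunctionRecord]) -> bool:
    """True when every record's rebuilt key equals the key the report printed."""
    return all(api_id([c.name for c in r.apis]) == r.reported_api_id for r in records)


def functions_calling(records: List[FunctionRecord], api_names) -> List[FunctionRecord]:
    """Records whose call list reaches any of the given APIs."""
    return [r for r in records if any(c.name in api_names for c in r.apis)]


if __name__ == '__main__':
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(api_id([c.name for c in r.apis]), '==', r.reported_api_id, [s for s, _ in r.strings])
    for r in functions_calling(recs, PROCESS_LAUNCH_APIS):
        print('process launch at', [c.ref for c in r.apis if c.name in PROCESS_LAUNCH_APIS])
```

            Run against the excerpt, the rebuilt keys agree with all three reported IDs, and the only record reaching a process-creation API is the CreateProcessW function whose string xref is "Error launching installer". Treat the key derivation as a working hypothesis that fits these records; verify it against a larger set of reports before relying on it for clustering.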