Windows Analysis Report
SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
Analysis ID: 1433049
MD5: 034cb3e5f37e1ce4aa06fbf299f8aad2
SHA1: 1f37f230cfc5def3e322e7f45fea6c8c2c6332a6
SHA256: 705723eb97c62bb078d20146d9c62bf991ba285c420836d19e7fb186598bdf2e
Tags: exe
Infos:

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Common Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample searches for a specific file; try adding organization-specific fake files to the analysis machine
  • System is w10x64
  • SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe" MD5: 034CB3E5F37E1CE4AA06FBF299F8AAD2)
    • SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp (PID: 6560 cmdline: "C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp" /SL5="$1046E,1226042,57344,C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe" MD5: 213E2B12F93AD5F9881E93B9A13D031C)
      • notepad.exe (PID: 7780 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\MBSS Light Readme.txt MD5: E92D3A824A0578A50D2DD81B5060145F)
      • rundll32.exe (PID: 7788 cmdline: "rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\system32\MBSS Light.scr MD5: 889B99C52A60DD49227C5E485A016679)
        • MBSS Light.scr (PID: 7844 cmdline: "C:\Windows\system32\MBSS Light.scr" /p 66834 MD5: 40A755C77CA8211879FE6446370EEE8F)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name). Data: Details: C:\Windows\system32\MBSSLI~1.SCR, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7788, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
No Snort rule has matched

Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose,1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004511DC FindFirstFileA,GetLastError,1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose,1_2_0045DE20
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.drString found in binary or memory: http://www.innosetup.com/
Source: is-CJAM5.tmp.1.drString found in binary or memory: http://www.mathsavers.com
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_fireworks.htm
Source: is-24KDP.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_fireworks.htmThttp://www.mathsavers.com/buy_galaxies.htm
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_galaxies.htm
Source: is-8HO2N.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_galaxies.htmXhttp://www.mathsavers.com/buy_starfields.htm$MBSS
Source: MBSS Light.scr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-A1AL2.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_gravwells.htm
Source: MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-JG6KC.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_gravwells.htmDA
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_light.htm
Source: is-A1AL2.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_light.htmVhttp://www.mathsavers.com/buy_fireworks.htm
Source: MBSS Light.scrString found in binary or memory: http://www.mathsavers.com/buy_starfields.htm
Source: MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-24KDP.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_starfields.htm$MBSS
Source: is-FPQL9.tmp.1.drString found in binary or memory: http://www.mathsavers.com/buy_starfields.htmVhttp://www.mathsavers.com/buy_gravwells.htm
Source: is-CJAM5.tmp.1.drString found in binary or memory: http://www.mathsavers.com/faq.htm
Source: is-CJAM5.tmp.1.drString found in binary or memory: http://www.mathsavers.com/faq.htm7
Source: is-A071M.tmp.1.dr, is-M1MRN.tmp.1.dr, is-CJAM5.tmp.1.drString found in binary or memory: http://www.mathsavers.com/faq.htmCurrent
Source: is-0OC1R.tmp.1.drString found in binary or memory: http://www.mathsavers.com/fireworks.htm
Source: is-CJAM5.tmp.1.drString found in binary or memory: http://www.mathsavers.com/galaxy.htm
Source: is-JGPHN.tmp.1.drString found in binary or memory: http://www.mathsavers.com/gravwell.htm
Source: notepad.exe, 00000007.00000003.2140291731.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000002.2886013713.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000003.2140605292.0000000003355000.00000004.00000020.00020000.00000000.sdmp, is-F6CPB.tmp.1.drString found in binary or memory: http://www.mathsavers.com/light.htm
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.drString found in binary or memory: http://www.mathsavers.com/paypaltip.htm
Source: notepad.exe, 00000007.00000003.2140291731.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000002.2886013713.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000003.2140605292.0000000003355000.00000004.00000020.00020000.00000000.sdmp, is-K99HS.tmp.1.dr, is-F6CPB.tmp.1.dr, is-0OC1R.tmp.1.dr, is-Q3TRV.tmp.1.dr, is-JGPHN.tmp.1.drString found in binary or memory: http://www.mathsavers.com/register.htm
Source: is-0QTJN.tmp.1.drString found in binary or memory: http://www.mathsavers.com/savers.htm
Source: is-Q3TRV.tmp.1.drString found in binary or memory: http://www.mathsavers.com/starflds.htm
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615640410.0000000002074000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.2231682934.0000000002080000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000003.2230227519.0000000002154000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000003.1617637618.0000000002148000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mathsavers.com2
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.drString found in binary or memory: http://www.remobjects.com/?ps
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.drString found in binary or memory: http://www.remobjects.com/?psU
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.drString found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00423B2C NtdllDefWindowProc_A,1_2_00423B2C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004722D4 NtdllDefWindowProc_A,1_2_004722D4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00412580 NtdllDefWindowProc_A,1_2_00412580
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0042ED38 NtdllDefWindowProc_A,1_2_0042ED38
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004551F4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_004551F4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0042E6CC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E6CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00453AF8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\MBSS All ProductsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\MBSS All Products\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\MBSS All Products\is-TTH1H.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-JG6KC.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-24KDP.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-A1AL2.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-8HO2N.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-FPQL9.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-F6CPB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-K99HS.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-0OC1R.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-Q3TRV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-JGPHN.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-1BOUR.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-A071M.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-CJAM5.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-M1MRN.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-0QTJN.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-AJOP0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-PB7LK.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-5ITG0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-Q8BC7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-JUSIF.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-99LG3.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-188RC.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-TC383.tmpJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_004082E80_2_004082E8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004629941_2_00462994
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0046AC901_2_0046AC90
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004797C11_2_004797C1
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004800E81_2_004800E8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0044416C1_2_0044416C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004305D01_2_004305D0
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004448641_2_00444864
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004588EC1_2_004588EC
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0046498C1_2_0046498C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00434A2C1_2_00434A2C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00444C701_2_00444C70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0047F2381_2_0047F238
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0043D44C1_2_0043D44C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045B6941_2_0045B694
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0042FB741_2_0042FB74
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00443BC41_2_00443BC4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00433D281_2_00433D28
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00485FE01_2_00485FE0
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: 9_2_004030449_2_00403044
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: 9_2_004019859_2_00401985
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: 9_2_004D4AB09_2_004D4AB0
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: 9_2_00457B409_2_00457B40
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: String function: 004B4820 appears 52 times
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: String function: 004B5DC0 appears 165 times
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: String function: 004DE2E0 appears 95 times
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: String function: 004DE3D0 appears 138 times
Source: C:\Windows\SysWOW64\MBSS Light.scrCode function: String function: 004D7870 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00405964 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 004454D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00407894 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00433C40 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00455970 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00451AC0 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00455B70 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 004457A0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00403684 appears 204 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: String function: 00408BAC appears 44 times
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-TTH1H.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-TTH1H.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-TTH1H.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-TTH1H.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-TTH1H.tmp.1.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: _RegDLL.tmp.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: sus24.evad.winEXE@9/73@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00453AF8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00454320 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_00454320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00409A04 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409A04
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Users\user\Desktop\MBSS Light.lnkJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrMutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeFile created: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpProcess created: C:\Windows\SysWOW64\rundll32.exe "rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\system32\MBSS Light.scr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeProcess created: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp "C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp" /SL5="$1046E,1226042,57344,C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpProcess created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\MBSS Light Readme.txt
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\MBSS Light.scr "C:\Windows\system32\MBSS Light.scr" /p 66834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: policymanager.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrSection loaded: mbssm6.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: MBSS Starfields Readme.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Starfields Readme.txt
Source: MBSS Gravity Wells Readme.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Gravity Wells Readme.txt
Source: MBSS Website.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS_GoTo_MathSavers.url
Source: Uninstall MBSS All Products.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\MBSS All Products\unins000.exe
Source: MBSS Light.lnk.1.drLNK file: ..\..\..\Windows\System32\MBSS Light.scr
Source: MBSS Galaxies.lnk.1.drLNK file: ..\..\..\Windows\System32\MBSS Galaxies.scr
Source: MBSS Fireworks.lnk.1.drLNK file: ..\..\..\Windows\System32\MBSS Fireworks.scr
Source: MBSS Starfields.lnk.1.drLNK file: ..\..\..\Windows\System32\MBSS Starfields.scr
Source: MBSS Gravity Wells.lnk.1.drLNK file: ..\..\..\Windows\System32\MBSS Gravity Wells.scr
Source: MBSS Light.lnk0.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Light.scr
Source: MBSS Galaxies.lnk0.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Galaxies.scr
Source: MBSS Fireworks.lnk0.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Fireworks.scr
Source: MBSS Starfields.lnk0.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Starfields.scr
Source: MBSS Gravity Wells.lnk0.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Gravity Wells.scr
Source: MBSS Light Help.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Light.hlp
Source: MBSS Galaxy Help.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Galaxy.hlp
Source: Star Help.lnk.1.drLNK file: ..\..\..\..\..\..\..\..\Windows\System32\MBSS_Gen.hlp
Source: MBSS Light Readme.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Light Readme.txt
Source: MBSS Galaxies Readme.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Galaxies Readme.txt
Source: MBSS Fireworks Readme.lnk.1.drLNK file: ..\..\..\..\..\..\Windows\System32\MBSS Fireworks Readme.txt
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpWindow found: window name: TMainFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpAutomated click: I accept the agreement
Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exeWindow detected: Number of UI elements: 11
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeStatic file information: File size 1583275 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00408D90 push 00408DC3h; ret 0_2_00408DBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00407FE0 push ecx; mov dword ptr [esp], eax0_2_00407FE5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004098EC push 00409929h; ret 1_2_00409921
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004062CC push ecx; mov dword ptr [esp], eax1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004305D0 push ecx; mov dword ptr [esp], eax1_2_004305D5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00410678 push ecx; mov dword ptr [esp], edx1_2_0041067D
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004128D0 push 00412933h; ret 1_2_0041292B
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0047C88C push 0047C96Ah; ret 1_2_0047C962
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00450A78 push 00450AABh; ret 1_2_00450AA3
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00442B3C push ecx; mov dword ptr [esp], ecx1_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0040CFD0 push ecx; mov dword ptr [esp], edx1_2_0040CFD2
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004573DC push 00457420h; ret 1_2_00457418
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045B38C push ecx; mov dword ptr [esp], eax1_2_0045B391
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0040F530 push ecx; mov dword ptr [esp], edx1_2_0040F532
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004715E8 push ecx; mov dword ptr [esp], edx1_2_004715E9
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00419BD0 push ecx; mov dword ptr [esp], ecx1_2_00419BD5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00455C0C push 00455C44h; ret 1_2_00455C3C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0047DEE0 push ecx; mov dword ptr [esp], ecx1_2_0047DEE5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00409FE7 push ds; ret 1_2_00409FE8

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exeExecutable created and started: C:\Windows\SysWOW64\MBSS Light.scrJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\MBSS Galaxies.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-FPQL9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\MBSS Light.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\MBSS Fireworks.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-1BOUR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\MBSS Gravity Wells.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\MBSSM6.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-JG6KC.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\MBSS Starfields.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-A1AL2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-24KDP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\SysWOW64\is-8HO2N.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\MBSS All Products\is-TTH1H.tmpJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeFile created: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\Windows\MBSS All Products\unins000.exe (copy)Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exeKey value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXEJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All ProductsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Light.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Galaxies.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fireworks.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Starfields.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Gravity Wells.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Light Help.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Galaxy Help.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS FireJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fire\GravityJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fire\Gravity\Star Help.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Light Readme.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Galaxies Readme.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fireworks Readme.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Starfields Readme.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Gravity Wells Readme.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Website.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\Uninstall MBSS All Products.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00422804 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_00422804
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00423BB4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423BB4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0042413C IsIconic,SetActiveWindow,1_2_0042413C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00424184 IsIconic,SetActiveWindow,SetFocus,1_2_00424184
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0047C25C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_0047C25C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0041832C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_0041832C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00417540 IsIconic,GetCapture,1_2_00417540
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00417C76 IsIconic,SetWindowPos,1_2_00417C76
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00417C78 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417C78
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\MBSS Light.scrWindow / User API: threadDelayed 9914Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Galaxies.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-FPQL9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Fireworks.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-1BOUR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Gravity Wells.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Starfields.scr (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-A1AL2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-24KDP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-8HO2N.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\MBSS All Products\is-TTH1H.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Windows\MBSS All Products\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5358
Source: C:\Windows\SysWOW64\MBSS Light.scrAPI coverage: 5.7 %
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose,1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004511DC FindFirstFileA,GetLastError,1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose,1_2_0045DE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00409948 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409948
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AD34
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00471D70 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_00471D70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpProcess created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\MBSS Light Readme.txtJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_0045A0E8 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,1_2_0045A0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: GetLocaleInfoA,0_2_0040515C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: GetLocaleInfoA,0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: GetLocaleInfoA,1_2_00408508
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: GetLocaleInfoA,1_2_00408554
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\Windows\SysWOW64\MBSS Light Readme.txt VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_004566B8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004566B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmpCode function: 1_2_00453AB0 GetUserNameA,1_2_00453AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exeCode function: 0_2_00405C44 GetVersionExA,0_2_00405C44
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Access Token Manipulation; 12 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 121 Masquerading; 1 Access Token Manipulation; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Rundll32; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 11 Application Window Discovery; 1 Account Discovery; 3 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner
SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe | 3% | ReversingLabs
SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe | 3% | Virustotal

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | 1% | Virustotal
C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_shfoldr.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp | 5% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp | 0% | Virustotal
C:\Windows\MBSS All Products\is-TTH1H.tmp | 5% | ReversingLabs
C:\Windows\MBSS All Products\is-TTH1H.tmp | 0% | Virustotal
C:\Windows\MBSS All Products\unins000.exe (copy) | 5% | ReversingLabs
C:\Windows\MBSS All Products\unins000.exe (copy) | 0% | Virustotal
C:\Windows\SysWOW64\MBSS Fireworks.scr (copy) | 5% | Virustotal
C:\Windows\SysWOW64\MBSS Galaxies.scr (copy) | 0% | ReversingLabs
C:\Windows\SysWOW64\MBSS Galaxies.scr (copy) | 0% | Virustotal
C:\Windows\SysWOW64\MBSS Gravity Wells.scr (copy) | 0% | ReversingLabs
C:\Windows\SysWOW64\MBSS Gravity Wells.scr (copy) | 0% | Virustotal
C:\Windows\SysWOW64\MBSS Light.scr (copy) | 0% | ReversingLabs
C:\Windows\SysWOW64\MBSS Light.scr (copy) | 2% | Virustotal
C:\Windows\SysWOW64\MBSS Starfields.scr (copy) | 0% | ReversingLabs
C:\Windows\SysWOW64\MBSS Starfields.scr (copy) | 2% | Virustotal
C:\Windows\SysWOW64\MBSSM6.dll (copy) | 0% | ReversingLabs
C:\Windows\SysWOW64\MBSSM6.dll (copy) | 1% | Virustotal
C:\Windows\SysWOW64\is-1BOUR.tmp | 0% | ReversingLabs
C:\Windows\SysWOW64\is-1BOUR.tmp | 1% | Virustotal
C:\Windows\SysWOW64\is-24KDP.tmp | 0% | ReversingLabs
C:\Windows\SysWOW64\is-24KDP.tmp | 0% | Virustotal
C:\Windows\SysWOW64\is-8HO2N.tmp | 0% | ReversingLabs
C:\Windows\SysWOW64\is-8HO2N.tmp | 2% | Virustotal
C:\Windows\SysWOW64\is-FPQL9.tmp | 0% | ReversingLabs
C:\Windows\SysWOW64\is-JG6KC.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No contacted domains info
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://www.mathsavers.com/buy_fireworks.htmThttp://www.mathsavers.com/buy_galaxies.htmis-24KDP.tmp.1.drfalse
    • Avira URL Cloud: safe
    unknown
    http://www.mathsavers.com/buy_starfields.htmMBSS Light.scrfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://www.mathsavers.com/light.htmnotepad.exe, 00000007.00000003.2140291731.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000002.2886013713.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000003.2140605292.0000000003355000.00000004.00000020.00020000.00000000.sdmp, is-F6CPB.tmp.1.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://www.mathsavers.com/fireworks.htmis-0OC1R.tmp.1.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://www.mathsavers.com/faq.htmCurrentis-A071M.tmp.1.dr, is-M1MRN.tmp.1.dr, is-CJAM5.tmp.1.drfalse
    • Avira URL Cloud: safe
    unknown
    http://www.mathsavers.com/gravwell.htmis-JGPHN.tmp.1.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    unknown
    http://www.remobjects.com/?psUSecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.drfalse
    • URL Reputation: safe
    unknown
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1433049
    Start date and time:2024-04-29 02:23:09 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 12s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:11
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
    Detection:SUS
    Classification:sus24.evad.winEXE@9/73@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 97%
    • Number of executed functions: 170
    • Number of non-executed functions: 225
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    No simulations
    No context
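    Match | Associated Sample Name / URL | Detection | Threat Name
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | C0eD7SKCnN.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | SW_PC_Interact2.3.5_Build6.exe | malicious | DBatLoader
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | SW_PC_Interact2.3.5_Build6.exe | malicious | DBatLoader
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | c56wcjIguT.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | c56wcjIguT.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | hw-vsp3-single_3-1-2.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | SecuriteInfo.com.Trojan.VbCrypt.150.26922.11894.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | jcreator_6i-6JJ1.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | jcreator_6i-6JJ1.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp | SecuriteInfo.com.W32.SDBot.PTF.tr.bdr.18349.18201.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | C0eD7SKCnN.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | SW_PC_Interact2.3.5_Build6.exe | malicious | DBatLoader
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | SW_PC_Interact2.3.5_Build6.exe | malicious | DBatLoader
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | c56wcjIguT.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | c56wcjIguT.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | hw-vsp3-single_3-1-2.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | SecuriteInfo.com.Trojan.VbCrypt.150.26922.11894.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | jcreator_6i-6JJ1.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | jcreator_6i-6JJ1.exe | malicious | Unknown
    C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp | SecuriteInfo.com.W32.SDBot.PTF.tr.bdr.18349.18201.exe | malicious | Unknown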
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Apr 24 12:23:10 2005, length=185175, window=hide
                                            Category:dropped
                                            Size (bytes):944
                                            Entropy (8bit):4.653846945263246
                                            Encrypted:false
                                            SSDEEP:12:8uhnm/y3MpXVrVSX6jE1K4GlZTPOjAw9CW+UcpoiNAlhkJB44t2YZ/elFlSJmZmV:8Za3Mri+ZTPyAw97+/jkPqyFm
                                            MD5:79867813F9BBA3C997D495485DB95BCE
                                            SHA1:7ED5016506032C4793F350E2AC683CD0B2F22402
                                            SHA-256:2FC16CF6AA1B52DF0664CA9FD5A7F465031F1515CC0EF8C70309FFCB7A599C6A
                                            SHA-512:1BB5B25893876DBEE885AE51D0AF8B9596C2F19A0DB81A1D807C2D0C253871857E849E7CF8055EB13E18F8C4CA503988FDBF9B7811F3468D86CA0D42DCB93677
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Jan 30 10:28:22 2011, length=11618, window=hide
                                            Category:dropped
                                            Size (bytes):997
                                            Entropy (8bit):4.669101308055038
                                            Encrypted:false
                                            SSDEEP:12:8roPVm/y3MpXVrVSX6jE1K4jsmfU/p+TjABWW+UcpGp+LiNAlhoFB44t2YZ/elFM:8r5a3MrivfUhkABv+/mlkoFyqyFm
                                            MD5:FC4A3544556461818D82DEDA38AD70AE
                                            SHA1:D0938EB541479D79C287E5E2C18D9B9D32AFAD86
                                            SHA-256:0E3F9A1119CDF8E91F9989072FFBE46700FF8F79AB5E8E199815A73C47D8D00E
                                            SHA-512:0A1E0E2DFFFD6FC2014623FF9792CC80495E2584845558339871DDCAC4B0C498FDC1FF295F4D21D930BC949C93F7E039DB68AA2EE1E34F853EA035639F88F51A
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Fri May 1 20:51:56 2009, length=991232, window=hide
                                            Category:dropped
                                            Size (bytes):962
                                            Entropy (8bit):4.654647814060355
                                            Encrypted:false
                                            SSDEEP:24:8Mq+QRa3MriL8/9WUAeHAb+/ikQ9yqyFm:81+QQQ1aP9vyF
                                            MD5:385C0BF96FB3F148E3208D247ED4C0A2
                                            SHA1:CC0BF179716A5F372FB0AD02355890E724531361
                                            SHA-256:3A6C2FFC8A82B631EE809DB0729150658270F71474613CBF074C9B7344D4C074
                                            SHA-512:7AFDA62527385F36BD391EBA9A4AC4D6E9FAA008BFD7318AC0D7842CB9C907D4312896CF6084700AFFB7C802D9D8605D1A8B3C6BB71D4C1C66EC7FF4722F17C7
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Jan 30 10:23:40 2011, length=11385, window=hide
                                            Category:dropped
                                            Size (bytes):992
                                            Entropy (8bit):4.677430985458078
                                            Encrypted:false
                                            SSDEEP:12:81zKEfm/y3MpXVrVSX6jE1K4Ad1k/v+bOjAsr3lW+Ucpu+LiNAlht2D44t2YZ/eE:81u7a3MriI1k/vBAsw+/glk7qyFm
                                            MD5:33A5AE176E97B2C1E68D7197938DA42F
                                            SHA1:D1C5EE4D2794BFD7550AA5CE4716D8134F1C8FD0
                                            SHA-256:F19D42A59F03CF8EEE51AD6BDF3B96A6EBAC3A924A6BE9392DB593670C0F243F
                                            SHA-512:6B4478A4A89F78962E4C077043FD9E7F1596E2EC61BB89B93F712321B70D03FD2DB995D06855A2346E27D3F6F292E13A5A8629315794FD270D46232D869D38ED
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:36 2024, mtime=Sun Apr 28 23:24:36 2024, atime=Sun Jan 30 09:26:54 2011, length=1466368, window=hide
                                            Category:dropped
                                            Size (bytes):957
                                            Entropy (8bit):4.663910611914058
                                            Encrypted:false
                                            SSDEEP:12:8BMzBFJlcm0m/y3MpXVrVSX6jE1K4WO1oPIjA6SPRlSW+UcpmwiNAlhw44t2YZ/P:8BYl9a3MriVoUA6SPRh+/wkPqyFm
                                            MD5:DE8E841BD3BAA3A1149903168C02EBB7
                                            SHA1:718984EF2CBB60B2EDCD77936257FA05DB7ABCEB
                                            SHA-256:45EDF2FC93761D01F3C529ACCF7AA488407A447D2FB272960AC7A691228207CD
                                            SHA-512:1BEF2E2B95252BC1E3773605D6FCC33E574D53A79CFFA9B8D413FB22A38E0A65DF236DFC3A0C47901B1179930A47A64E8EAA8C8478D507D6959E6C9246C63C60
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Jun 29 12:02:00 2003, length=209090, window=hide
                                            Category:dropped
                                            Size (bytes):947
                                            Entropy (8bit):4.6750685392984055
                                            Encrypted:false
                                            SSDEEP:12:8ORm/y3MpXVrVSX6jE1K4Pl1LSjAn0W+UcpDiNAlho44t2YZ/elFlSJmZmV:8ba3MriHzLuAn9+/Qk3qyFm
                                            MD5:3A077EE2B815AD7A0481323713A895F5
                                            SHA1:AACC48CC3F14CF0B591E9AB80C4D3D734807DCE9
                                            SHA-256:9F82F64AFD95AACB2BCA86084E7C0D9DCDE24F0E4BD88D4FC0FECEB5B6898A1D
                                            SHA-512:8A2FEF9BC5A3FE50D1BAD1C4738887DA9AC791489722682341C2086938C2644DBEF4B5FF51E644E7E7C20ABF3C953F0BAE016C8DEC5E5FFC17B16EEE4047CC58
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Jan 30 10:29:24 2011, length=11004, window=hide
                                            Category:dropped
                                            Size (bytes):1017
                                            Entropy (8bit):4.694426553016214
                                            Encrypted:false
                                            SSDEEP:12:88hIl/C+0m/y3MpXVrVSX6jE1K4clm3aurH+HjA2StW+UcpBrH+LiNAlh0ZB44tr:8nlDa3MriH3akQAlc+/zlkvqyFm
                                            MD5:2C0EB503D8F51948452E6E5B3A43F8EC
                                            SHA1:6FC19E618734F475383125F47B290AF33B526DEC
                                            SHA-256:8CCF9E2F039FC3EE3FDE9C173A3E85476B7F93D96C17FF2A4776E8888C2ACC82
                                            SHA-512:7E3B6B0FDB3D955FA2AD311700F227F1248145569D62A78980D9325BF5B60A2C04119B95570042C8B662E70A669E8F2CF7CA7D8CEFF9BD0D551133C923051555
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Fri May 1 20:52:04 2009, length=827392, window=hide
                                            Category:dropped
                                            Size (bytes):982
                                            Entropy (8bit):4.684193840010097
                                            Encrypted:false
                                            SSDEEP:24:8hVfpRJa3Mrip1xpGeAsH4q+/ZkvqyFm:8TfLYRv0lsmyF
                                            MD5:24E729DC7F9F64C98645ADDB0AC665E0
                                            SHA1:B63BD9F8C132C06750DB85B0A49CBD4B0D0AC3A3
                                            SHA-256:5593D1D94A9B03D229C2525566E7106A31A1F732BAD71BF3354DD628A9A860DE
                                            SHA-512:4DDFBC93BBD495B6E2C9D4539D83B5A0B7F896747A7BFD3AA394B658AA672A2A24D4F1A1237C27C2CF3D7E3C5D0A93D318E93CB091732131249B22AEC8E02781
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Apr 24 06:56:02 2005, length=123726, window=hide
                                            Category:dropped
                                            Size (bytes):942
                                            Entropy (8bit):4.675077673739083
                                            Encrypted:false
                                            SSDEEP:12:8o66CZRm/y3MpXVrVSX6jE1K4DwJmobAjAKBW+UcpLziNAlhw44t2YZ/elFlSJm6:8xUa3MribwJmvAKA+/MkPqyFm
                                            MD5:239DF0A4CA5ACE32E7612393AC7156F8
                                            SHA1:E8FFA38BCDE25492B27F9F6EBD04EC668F5ECBF4
                                            SHA-256:F2A7871E78FC65FE6475A6AC13925C4FBBEA385F6F68030D5EE3ED9AA5CCAF3C
                                            SHA-512:FF46D00A81DA1A5BA61159E0D9B45E83D1C54F7F01BA1A9765FCCFD19AE3DD12E93E3E7032CB4ECED1BD5FBB1E6132FC67D9871897148E842976EC1D2C362D07
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Jan 30 10:29:46 2011, length=9123, window=hide
                                            Category:dropped
                                            Size (bytes):977
                                            Entropy (8bit):4.679291934125667
                                            Encrypted:false
                                            SSDEEP:12:8tNqlidGGXEtm/y3MpXVrVSX6jE1K4stWm1Xow+fjAt0W+UcpLw+LiNAlhQ44t2W:8Pql6h9a3MriEtnXNYAt9+/KlkvqyFm
                                            MD5:12C9D87E8CC2BC0C32A0EB88F10452FE
                                            SHA1:60FFA0FB7CA70BDF0FEDDFBF13AC36DFB25E9E28
                                            SHA-256:76B0CF67A3AC0EA8E47DBFFAB803D4548803E127B1CE46DE7C0FA5C9DF59EE48
                                            SHA-512:4775CA375B714F0A2A433C3F7974738CC02736CE21021E7ADA88BA0EFB9E277534D0E891CDA7CBF820BC740F97CF323AA1DDE40A748576619EB91F12833F1C6E
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:36 2024, mtime=Sun Apr 28 23:24:36 2024, atime=Mon Nov 15 05:23:16 2010, length=933888, window=hide
                                            Category:dropped
                                            Size (bytes):942
                                            Entropy (8bit):4.656760655878197
                                            Encrypted:false
                                            SSDEEP:12:8QqZRm/y3MpXVrVSX6jE1K4OSAnaoJrAjAKZW+UcpLJjiNAlhU5B44t2YZ/elFlm:8tUa3MrimSAnaqYAKo+/b6kvqyFm
                                            MD5:2C3F032CA82559BAE5ABD4B386D9C867
                                            SHA1:27FD741F370AC6686B46BB96ABE6FFFA5FE96EC5
                                            SHA-256:5F78B3EB282E80CE1502806222AEB131B3A032B3B8B5C8781A4FA39BA65A37A0
                                            SHA-512:F715850B204DB5583B6EBD1A5A850A53FF7664686B34729150A7513CABFADCCFA00B6F944CD040173047507F5882D558BB206159021C3B4CC65A6FE53D36DBC3
                                            Malicious:false
                                            Reputation:low
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS Light.scr)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Sun Jan 30 10:30:14 2011, length=10635, window=hide
                                            Category:dropped
                                            Size (bytes):1002
                                            Entropy (8bit):4.663490136515626
                                            Encrypted:false
                                            SSDEEP:24:8GUa3MriCR5r5JqkUAWl+/S5JqlkXqyFm:8ywrHqkjAHqFyF
                                            MD5:24099A3DE9120847120841CD2F97D5EA
                                            SHA1:2370C214FC645AB21F2687478B83DB7A38D15BF3
                                            SHA-256:3F1B2260D4F4923CF64866BFC4C61120591065880CD02AEE7523C06411DD5D9D
                                            SHA-512:6129AB3F22F8286CC9919571C00E5A6910F528818202405D944763B5CF45DD84A1CEA28BE75DA1934DB84978E790FF933166A0828DFFE514E4A5A3E6DD598822
                                            Malicious:false
                                            Reputation:low
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS Starfields Readme.txt)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Fri May 1 20:52:08 2009, length=831488, window=hide
                                            Category:dropped
                                            Size (bytes):967
                                            Entropy (8bit):4.659139218812255
                                            Encrypted:false
                                            SSDEEP:24:8A/a3MriqY1vGr5JhArM/1+/S5JOknqyFm:8A2SYsrHyAxHYyF
                                            MD5:33E316BFE05FC75658C5D8937F512096
                                            SHA1:393E10E7CBBD6D63165B58F890A084DF6882E7F8
                                            SHA-256:D5AA877BDD9A0277787F0FFB5AC2034BC2C4CC56410FBE71E7B0B9C0CA074273
                                            SHA-512:41286050F2F9C30CCA40B5D9AA6F8BAA422C17B4069F65BAAC3FEA589DAA77F97A25B5E761ED1D1915C82903F3B6C6353B1025706E8346233187D9CB2F90388D
                                            Malicious:false
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS Starfields.scr)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Thu Jun 9 04:45:16 2005, length=62, window=hide
                                            Category:dropped
                                            Size (bytes):992
                                            Entropy (8bit):4.6894398983930285
                                            Encrypted:false
                                            SSDEEP:12:8M6fm/y3MpXVrVSX6jE1K4+jyTlAlOjAsr1W+UcpClAFiNAlhw44t2YZ/elFlSJX:8M1a3MriWjy+sAsrU+/5okPqyFm
                                            MD5:F1FCBA9390B0992E3D77D4D71A82FF53
                                            SHA1:F472C60C243C423E4D0A854CD8D1B2C0F6EBACDF
                                            SHA-256:4A3425372541188198151833688253DC62A702B89B618441C8C8C51C02660D45
                                            SHA-512:9B31E06E05EDE3E28017CC85F0EEEA621F6515E12D00E61377B183D45357C25C511ABF7D4D47619476612589D171705B3C9BC1333676C929BEC1C532E5E23287
                                            Malicious:false
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS_GoTo_MathSavers.url)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:36 2024, mtime=Sun Apr 28 23:24:36 2024, atime=Sun Apr 28 23:23:54 2024, length=699674, window=hide
                                            Category:dropped
                                            Size (bytes):977
                                            Entropy (8bit):4.676914675259034
                                            Encrypted:false
                                            SSDEEP:24:8bBa3MrwLylo7v4Yh0AD/+g7Eqbt2b3wdyqyFm:8M4ToDkqbtEgdvyF
                                            MD5:0C3AE1C64FBC284082AC987E1A0EBA3B
                                            SHA1:557A428906BA73CF84D7DDABA2687A2651C4ECA9
                                            SHA-256:B57176C057B6D0C85A4DC072A6C351FC23171C26C05ED6304712CF6B89D74369
                                            SHA-512:2808768C929922998AE65D3F481E160B45FCA905EA729B750999595F57207CF99B51DF82AEC29DA9BFC1C964B1922B1B8F615BFBBCAA5FC4615AFB637BBB9EDF
                                            Malicious:false
                                            Preview:(binary shortcut data; target: C:\Windows\MBSS All Products\unins000.exe)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3584
                                            Entropy (8bit):4.012434743866195
                                            Encrypted:false
                                            SSDEEP:48:iAnz1hEU3FR/pmqBl8/QMCBaquEMx5BCwSS4k+bkguj0K:pz1eEFNcqBC/Qrex5MSKD
                                            MD5:C594B792B9C556EA62A30DE541D2FB03
                                            SHA1:69E0207515E913243B94C2D3A116D232FF79AF5F
                                            SHA-256:5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E
                                            SHA-512:387BD07857B0DE67C04E0ABF89B754691683F30515726045FF382DA9B6B7F36570E38FAE9ECA5C4F0110CE9BB421D8045A5EC273C4C47B5831948564763ED144
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 1%
                                            Joe Sandbox View:
                                            • Filename: C0eD7SKCnN.exe, Detection: malicious
                                            • Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious
                                            • Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious
                                            • Filename: c56wcjIguT.exe, Detection: malicious
                                            • Filename: c56wcjIguT.exe, Detection: malicious
                                            • Filename: hw-vsp3-single_3-1-2.exe, Detection: malicious
                                            • Filename: SecuriteInfo.com.Trojan.VbCrypt.150.26922.11894.exe, Detection: malicious
                                            • Filename: jcreator_6i-6JJ1.exe, Detection: malicious
                                            • Filename: jcreator_6i-6JJ1.exe, Detection: malicious
                                            • Filename: SecuriteInfo.com.W32.SDBot.PTF.tr.bdr.18349.18201.exe, Detection: malicious
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):5632
                                            Entropy (8bit):4.203889009972449
                                            Encrypted:false
                                            SSDEEP:48:SvTmfWvPcXegCWUo1vlZwrAxoONfHFZONfH3d1xCWMBgW2p3SS4k+bkg6j0K:nfkcXegjJ/ZgYNzcld1xamW2pCSKv
                                            MD5:B4604F8CD050D7933012AE4AA98E1796
                                            SHA1:36B7D966C7F87860CD6C46096B397AA23933DF8E
                                            SHA-256:B50B7AC03EC6DA865BF4504C7AC1E52D9F5B67C7BCB3EC0DB59FAB24F1B471C5
                                            SHA-512:3057AA4810245DA0B340E1C70201E5CE528CFDC5A164915E7B11855E3A5B9BA0ED77FBC542F5E4EB296EA65AF88F263647B577151068636BA188D8C4FD44E431
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: C0eD7SKCnN.exe, Detection: malicious
                                            • Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious
                                            • Filename: SW_PC_Interact2.3.5_Build6.exe, Detection: malicious
                                            • Filename: c56wcjIguT.exe, Detection: malicious
                                            • Filename: c56wcjIguT.exe, Detection: malicious
                                            • Filename: hw-vsp3-single_3-1-2.exe, Detection: malicious
                                            • Filename: SecuriteInfo.com.Trojan.VbCrypt.150.26922.11894.exe, Detection: malicious
                                            • Filename: jcreator_6i-6JJ1.exe, Detection: malicious
                                            • Filename: jcreator_6i-6JJ1.exe, Detection: malicious
                                            • Filename: SecuriteInfo.com.W32.SDBot.PTF.tr.bdr.18349.18201.exe, Detection: malicious
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                            Category:dropped
                                            Size (bytes):23312
                                            Entropy (8bit):4.596242908851566
                                            Encrypted:false
                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):689152
                                            Entropy (8bit):6.493109105065036
                                            Encrypted:false
                                            SSDEEP:12288:M/vksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqHx9Q:IvksLWtkrPi37NzHDA6Yg5dsfoTzwx9Q
                                            MD5:213E2B12F93AD5F9881E93B9A13D031C
                                            SHA1:7BE1A9CF1E30C86221A66DEF786940CD900711A9
                                            SHA-256:B66663639F92313326B5A3829B14D4D19D12C7328E7A322851B6EA20114E2A4F
                                            SHA-512:9609230897FCA3B03E698DF91CB5D21F4F98D059AE07B4151FE1B2F194E8FCAB2C0E6D045BA8FEE022185C9BEC649EBA2987A50E49D68A34A69ADCA14F5BA9A5
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 5%
                                            • Antivirus: Virustotal, Detection: 0%
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Fri May 1 20:51:56 2009, length=991232, window=hide
                                            Category:dropped
                                            Size (bytes):944
                                            Entropy (8bit):4.676750459810108
                                            Encrypted:false
                                            SSDEEP:24:8Mq+QRa3MriL8/9WUAeHJV+/ikQ9yqyFm:81+QQQ1aq9vyF
                                            MD5:C849664F14698AF498834D4D7C245134
                                            SHA1:C3DAA096CAD6847E909ACD62683DFCFD133CC8CC
                                            SHA-256:37A6F283CFD46B0D6B6FE4724BEC959147245FBB92E3A8DF893E501845521861
                                            SHA-512:CDA1FC47CD2E2B781F6E9B713A3EFCA704627ED3C9E1FCD60CB751CE9CDEA4B2375A68DDA570B45315F022EDBC14CC487AEC0BC0B3C01F6FD60ADE055AF2B162
                                            Malicious:false
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS Fireworks.scr)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:36 2024, mtime=Sun Apr 28 23:24:36 2024, atime=Sun Jan 30 09:26:54 2011, length=1466368, window=hide
                                            Category:dropped
                                            Size (bytes):939
                                            Entropy (8bit):4.6876719259995365
                                            Encrypted:false
                                            SSDEEP:12:8BMzBFJlcm0m/y3MpXVrVSX6jE1K4WO1oPIjA6SP1W+UcpmwiNAlhw44t2YZ/ele:8BYl9a3MriVoUA6SPU+/wkPqyFm
                                            MD5:5DFD492EC0E51126900FC021F3A4A3A7
                                            SHA1:091D580E4736534F96B3EF1AB219E6301D2B81EF
                                            SHA-256:7FFFBCB586D18277F8AF11C3F688AD4996336D33E610D5AB05622F67C2FCD2F6
                                            SHA-512:8E0DFE16DF62E8D4CF9DF47985BA1ABCC398094D326851862FEEE3CAFDD7A67F7EFE446014A54328D73EECEE026C8BBF80B6496F99E91E151166E9D8D85F4DE0
                                            Malicious:false
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS Galaxies.scr)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Fri May 1 20:52:04 2009, length=827392, window=hide
                                            Category:dropped
                                            Size (bytes):964
                                            Entropy (8bit):4.703448114728701
                                            Encrypted:false
                                            SSDEEP:24:8hVfpRJa3Mrip1xpGeAsH4P/+/ZkvqyFm:8TfLYRv0lsLyF
                                            MD5:49E9BB9D58D372A436F51956C8493ED8
                                            SHA1:5D456302536C8C81717E27E2CB9D413ECE6B1BF0
                                            SHA-256:593847FCDA56A6AF494DE67328DFDB82B2F966F642E02AE7738E58A12CE07E35
                                            SHA-512:BE526245484A5B915B42A57039B25558980F45D2F94B2116D76DB220D204EEB197EA450C11C41C9CB5EB9A67D598728AE3A0650ECBCAE9DD2785C8FAD8F14845
                                            Malicious:false
                                            Preview:(binary shortcut data; target: C:\Windows\System32\MBSS Gravity Wells.scr)
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:36 2024, mtime=Sun Apr 28 23:24:36 2024, atime=Mon Nov 15 05:23:16 2010, length=933888, window=hide
                                            Category:dropped
                                            Size (bytes):924
                                            Entropy (8bit):4.683853835882995
                                            Encrypted:false
                                            SSDEEP:12:8QqZRm/y3MpXVrVSX6jE1K4OSAnaoJrAjAKnlmW+UcpLJjiNAlhU5B44t2YZ/ele:8tUa3MrimSAnaqYAKl/+/b6kvqyFm
                                            MD5:C46A1FFBD92374FD1DF0C7E90173633A
                                            SHA1:60AA3CE218A8A881986636F6BBCAA6245238F481
                                            SHA-256:D759FB40878A2583A885824C4DA1B9581A93B6CFFFBEE1CAF8F14A3E45903AA6
                                            SHA-512:B9994DC71D2566E54A77CE2EE5EDF151170B8BB4C55C18ECAB79E627BC3D3FCCBAB5770C1B6B60EC1F4D0953C220F836124A9DA4B103DE3803718CB0FE9ED375
                                            Malicious:false
                                            Preview:[binary .lnk data; readable strings: C:\Windows\System32\MBSS Light.scr, MBSSLI~1.SCR, 724536, S-1-5-21-2246122658-3693405117-2476756634-1002]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Apr 28 23:24:37 2024, mtime=Sun Apr 28 23:24:37 2024, atime=Fri May 1 20:52:08 2009, length=831488, window=hide
                                            Category:dropped
                                            Size (bytes):949
                                            Entropy (8bit):4.679732634195851
                                            Encrypted:false
                                            SSDEEP:24:8A/a3MriqY1vGr5JhArM/Sp+/S5JOknqyFm:8A2SYsrHyAUHYyF
                                            MD5:F2F66F58066FD0D429D3BB175B232CC9
                                            SHA1:AD039D6B5271E1022FE9603120DFEAADB3313526
                                            SHA-256:907F7A59910A47ED4DD296C505C7EF4CC37CCECC9F2E88BBC1B83E4B0154E7E3
                                            SHA-512:204CF8D18DA432C4397C2F6039E585AE1287D4D92277396AA4EEF3A1B5921677766C864DC039981FE19730FE593457D5B430B02E88B526767A1409B59E696450
                                            Malicious:false
                                            Preview:[binary .lnk data; readable strings: C:\Windows\System32\MBSS Starfields.scr, MBSSST~1.SCR, 724536, S-1-5-21-2246122658-3693405117-2476756634-1002]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):699674
                                            Entropy (8bit):6.501110961834531
                                            Encrypted:false
                                            SSDEEP:12288:0/vksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqHx90:QvksLWtkrPi37NzHDA6Yg5dsfoTzwx90
                                            MD5:54109FD2E127818AAED79E6D52A3942A
                                            SHA1:AB0B62257E06F9EFA11C8DE50B7999C1B1097000
                                            SHA-256:B416D31FFFA2802B68CF6032D0EA46F0241E91983CA656E2397C821E2E230776
                                            SHA-512:CEEAB40363F854BBCDA8F47B365D43C03B7850D70E83B14D0E97D86C7C7C84420EEEA93B02C055143B6AC1B04980E49BBA9B58A9CD430F48F321998552ED9430
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 5%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Preview:[binary PE data; readable strings: MZP, InUn, "This program must be run under Win32", PE; section names: CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:InnoSetup Log MBSS All Products, version 0x30, 7405 bytes, 724536\user, "C:\Windows\MBSS All Products"
                                            Category:dropped
                                            Size (bytes):7405
                                            Entropy (8bit):5.013687485634201
                                            Encrypted:false
                                            SSDEEP:96:nFMqKBmuBqhMhjmEritGmt6izgyFyzSh79uWWJaYL2MTsrvrE2fgqn06biYalRxX:n2Pu7AlRxzeU
                                            MD5:ECC54C8DAF793F3AB4B6249E9FEC4612
                                            SHA1:761A499201F31E8D0AE03C1B4641069ABB1E80E7
                                            SHA-256:D8649307AB35CE416EF9CD08DB1DCE74B670B1380BCAD1279FFE4974108796BC
                                            SHA-512:139E4112136055F370435497F1664CF32D122CF7D9DEBCC12D2E069049FF10D45DC7A25F4232E561B606410C92EC0810A055D2B4BEACA2F470435E52819362D3
                                            Malicious:false
                                            Preview:[binary Inno Setup uninstall log; readable strings: Inno Setup Uninstall Log (b), MBSS All Products, 724536, user, C:\Windows\MBSS All Products, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products, default, C:\Windows\system32\MBSS Light.scr, C:\Windows\system32\MBSS Galaxies.scr, C:\Windows\system32\MBSS Fireworks.scr, C:\Windows\system32\MBSS Starfields.scr, C:\Windows\system32\MBSS Gravity Wells. (truncated)]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):699674
                                            Entropy (8bit):6.501110961834531
                                            Encrypted:false
                                            SSDEEP:12288:0/vksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqHx90:QvksLWtkrPi37NzHDA6Yg5dsfoTzwx90
                                            MD5:54109FD2E127818AAED79E6D52A3942A
                                            SHA1:AB0B62257E06F9EFA11C8DE50B7999C1B1097000
                                            SHA-256:B416D31FFFA2802B68CF6032D0EA46F0241E91983CA656E2397C821E2E230776
                                            SHA-512:CEEAB40363F854BBCDA8F47B365D43C03B7850D70E83B14D0E97D86C7C7C84420EEEA93B02C055143B6AC1B04980E49BBA9B58A9CD430F48F321998552ED9430
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 5%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Preview:[binary PE data; readable strings: MZP, InUn, "This program must be run under Win32", PE; section names: CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):11618
                                            Entropy (8bit):4.653607504006574
                                            Encrypted:false
                                            SSDEEP:192:ydELHHcoR3vDu5ujOFTmgWDDg7wVGUoXMjMHMh:9pjOFEDj3oXgl
                                            MD5:D32C188FC688CEF883D4925DFD36C244
                                            SHA1:28E513C08663638EEB9FB4045F7A3A6111816C2B
                                            SHA-256:D879B06460AD28B35B9D0E0F892635A0B7F59501C3B6C5466BE803EFB341196C
                                            SHA-512:C22E212FCD99A6566C70D07D7DF569410875EDEC0AB9A95211F6807A68931945EEF1413091863A5F99A6DB99FF695306817529C12EEE00AD877E92910AEFD1E8
                                            Malicious:false
                                            Preview:To: MBSS Fireworks Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Fireworks-- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Fireworks.. Mathematically Beautiful Screen Savers (MBSS)..Version: 3.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Fireworks effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window to register
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):991232
                                            Entropy (8bit):5.7383148053333
                                            Encrypted:false
                                            SSDEEP:12288:oqtVogJ3QOn7Sh+SrTjRrKHf34tvop/BEqFrkv+EVYMg3kEp80RDBjj17c7rFFOD:okigJ3QHrKHf3wvELFrk6CBAZmw9n3
                                            MD5:294BD6B2B14444025AD8D04E845C990F
                                            SHA1:5AAF9F1F764D496907DCC5344E2A793741D77513
                                            SHA-256:615F5FCB396AD7E4D0228850CE0C349F88A0C7E3926C286E018F762114C1C5D3
                                            SHA-512:F0AB705E274C3633E84C992B5A2DFF0C0FEF3D4DE26049392F26DD373D8242BC07D910BE459AC61814DAD361CB4F81851B6AE1703DF9CF6F8DC8C0E40EE7BFB9
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: Virustotal, Detection: 5%, Browse
                                            Preview:[binary PE data; readable strings: MZ, "This program cannot be run in DOS mode", Rich, PE, MSVBVM60.DLL; section names: .text, .data, .rsrc]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):11385
                                            Entropy (8bit):4.710178377767261
                                            Encrypted:false
                                            SSDEEP:192:6SRvQf1cdEZQdv1u5YD5PJ9hhuOf/kduIfXEyMHMh:fNEAD5xh5/kvXEyl
                                            MD5:CA47F7D68DA57F85C6C780BB1D7BC757
                                            SHA1:4F0D8DF6CD3E6F40D11EBBBB4336656D84B013DB
                                            SHA-256:2ACDB878F243F93367E99FE45E6E6DE24B595ABD9968927DC8281F557ABD2CC6
                                            SHA-512:D1D75CC982B59E832C59871223F5AC243846552A94BA58EBE32D3F991C3C2EC22E7EFDA0376035B14C99CCF59851C264E3D750F451ACA45BB6343125356E31E2
                                            Malicious:false
                                            Preview:To: MBSS Galaxies Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Galaxies product -- and other good things..Date: Sunday, January 30, 2011....-----------------------------------------------------------------------..Program: Galaxies.. Mathematically Beautiful Screen Savers (MBSS)..Version: 6.0 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display 3D Galaxy Effects by setting numerous properties... Define the Galaxy Types as well as how the Galaxies should be.. dispersed throughout the Universe. Watch as the camera tours.. the Universe, visiting the Galaxies.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista & 7... See the Registration window to register the product...
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):1466368
                                            Entropy (8bit):5.802870922913927
                                            Encrypted:false
                                            SSDEEP:24576:+H3NpfTgLoi3rlbx64ScES+YAE+r0NJFmpbLJ:0ngjZScES+YACzQpR
                                            MD5:AC7C0A12A462079CAAB1605E4662E3ED
                                            SHA1:9702F0F85015AACCC315EC0D34AA0C909C97C6BF
                                            SHA-256:CFB9A5131B8FDF59341A90050DFCEE1EE62FBADA35FF792BCA167E3ADDB62291
                                            SHA-512:E661B34B0CBF341C3EBC2BC5240D7CCB024699F396DDC708D8369641217B304553AA654D7F0852AB7A922E092CB0A5E2BDCB6396CA503CD0C636BAE80E182585
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Preview:[binary PE data; readable strings: MZ, "This program cannot be run in DOS mode", Rich, PE, MSVBVM60.DLL; section names: .text, .data, .rsrc]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 3.1 help, Mon Jun 30 00:02:10 2003, 209090 bytes
                                            Category:dropped
                                            Size (bytes):209090
                                            Entropy (8bit):5.237242075062221
                                            Encrypted:false
                                            SSDEEP:6144:QBXr8o0FuNcd/7XKSZK4tRlXv2FGZGNVhra:QBXr8juN+Xv2FGZ3
                                            MD5:1B98348B9D4E31E7F73891D3CF62DA68
                                            SHA1:462D39924FAE95E11D068CAAE997FD098EA07967
                                            SHA-256:EC98CCD8B265D843B7C003452E22ADE5EC91E83397848B5EF26A0EFF83FF8FFC
                                            SHA-512:FB7D56189D9C00DB3140D700C8128C25DCA774FFF6045EA1C56460194D610422C2BC05A6E8F4AC808B4E8310AD4C5BACB3F9C049CE257C32B409ADFF84BD5612
                                            Malicious:false
                                            Preview:[binary Windows help data; readable strings: Galaxies 5.1 Help, 2000 Patrick D. Grengs II, BrowseButtons(), main; internal files: |CONTEXT, |CTXOMAP, |FONT, |KWBTREE, |KWDATA, |KWMAP, |SYSTEM, |TOPIC, |TTLBTREE]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):11004
                                            Entropy (8bit):4.6432649199151586
                                            Encrypted:false
                                            SSDEEP:192:32lzXucTvRxvDu5ujOFTmgR7vDXSvbR20xXxMHMh:E1HjOFPD2b/Xxl
                                            MD5:F11042D12B82A7F777EFF0F11BE9CE7D
                                            SHA1:E0055CBBB7D459E03CE16C76BB358CC9C49D0D0C
                                            SHA-256:01DC1EDF9A749A17514B69D2547FE56AF58ACCB5B037F9A8DEBEC02E54E94EE1
                                            SHA-512:4DC995808DF010E6D14C95642602FD1BF732877B86BF58D6A7A5602A856A73D1A1AFEB0F96984127A8957B1F5284470A1F13B9CE58374B2C027476686369A490
                                            Malicious:false
                                            Preview:To: MBSS Gravity Wells Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Gravity Wells-- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Gravity Wells.. Mathematically Beautiful Screen Savers (MBSS)..Version: 3.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Gravity effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window t
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):827392
                                            Entropy (8bit):5.730600542566671
                                            Encrypted:false
                                            SSDEEP:12288:E3ZSKSzLgXnH+5S8PEZFPfKYd/WK/Ggm2KiRFlqhJ6BQKEolf83il80xLG40UoZ:AIgXVfKYd/FOYwiliUo
                                            MD5:FCDCD17AD526103CCDB8892D196D1DE5
                                            SHA1:26159FE91DF957D5F76668CB425C53105115F796
                                            SHA-256:75C9D8A672FA3FA044B7F788D067755607606EE9336F87405B38996850A6E160
                                            SHA-512:250F16CC0F5C8158DA208C9867D6FE3E63E3FB4DA49687A01A95BED349C3DA3B8F74A1BD5C74BE7A7350D973CA651906DE1970FF8D0CC2BC9120B4DAE1974764
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Preview:[binary PE data; readable strings: MZ, "This program cannot be run in DOS mode", Rich, PE, MSVBVM60.DLL; section names: .text, .data, .rsrc]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):9123
                                            Entropy (8bit):4.638566838091547
                                            Encrypted:false
                                            SSDEEP:192:oPv95ZcDEZQFv1u5x6mgi/9mDiXrlMHMh:gWEbl/oDiXrll
                                            MD5:741BFB624BF550D7657E4ECF31AE0EF0
                                            SHA1:3C3CD9F8222E4285C190DABA100D9D9DEE243424
                                            SHA-256:D859CA6764FE55C5D3EBFD7C2EF074F5B2795A6C806B5C2C369CB0EBBA91ECD3
                                            SHA-512:58FAED78CA525F6AEDDE347E4A9A269477408F171D3DAC443C0E3838E79B1EF979459F5C88AA4D4F587BAED7ADF33B848104ACCA98E33E74E22525D71D07311C
                                            Malicious:false
                                            Preview:To: MBSS Light Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Light -- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Light.. Mathematically Beautiful Screen Savers (MBSS)..Version: 4.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Light effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window to register the product...
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 3.1 help, Sun Apr 24 19:56:02 2005, 123726 bytes
                                            Category:dropped
                                            Size (bytes):123726
                                            Entropy (8bit):5.216857831249389
                                            Encrypted:false
                                            SSDEEP:1536:IHSZiase3NaHCXoJNtyZYLA4d+JgMHB6qKEQ43e:IHSZiasmaiayZYLAxJvB6qKEQ43
                                            MD5:7A9D01756F832168E76AAC1DBCE37DA1
                                            SHA1:8CD3DDE3B83AE3E4738A9647D504BABA38C0B925
                                            SHA-256:B640F957180A8054E84FE8C62CEA718AD69770D8E45E9A14E8365F60574D5E84
                                            SHA-512:91511657C2C8145CA5BF35C85166076E9DA899FAF49749CE8A38ED463FBE17E54AD2FAABC47A88EC5F8EFC34CBA962705329DF6863F4E9A923B162E0FD950659
                                            Malicious:false
                                            Preview:[binary Windows help data; readable strings: MBSS Light, 2003 Patrick D. Grengs II, BrowseButtons(), main; internal files: |CONTEXT, |CTXOMAP, |FONT, |KWBTREE, |KWDATA, |KWMAP, |SYSTEM, |TOPIC, |TTLBTREE]
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):933888
                                            Entropy (8bit):5.7739554151256165
                                            Encrypted:false
                                            SSDEEP:12288:aYdU/gVzIDeCZb8wo4CcbITzWlwIjNzFUY6o1/90t7dtm97nIscBF0REXfNnWh3:aYd6gVO11CMITzBo1/+rwh
                                            MD5:40A755C77CA8211879FE6446370EEE8F
                                            SHA1:7E949B4BB0CCADA57B87998D6EF3879BF624E7B4
                                            SHA-256:BD62357E2ED0E4A72F05A86B8E9FC3237B894252C1C4654A761B076FC27517CF
                                            SHA-512:2E17C980C74EE63899A58DBE2E62505185B693FFBD636D6A3A5DCD833A62FE3F372571C07606B65836D53E8D2F0DCFFCE4CFBB10887F60A09242B51D84A8A702
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 2%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B............4.......................Rich............PE..L...t^.L.........................................@.........................................................................4...(....p..6(..................................................................(... ....................................text............................... ..`.data...dg..........................@....rsrc...6(...p...0..................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):10635
                                            Entropy (8bit):4.6474006203537295
                                            Encrypted:false
                                            SSDEEP:192:bwfV29cPiUvDu5ujOFTmgD29VvDVUrl4XZMHMh:m9jOFw9xD2l4XZl
                                            MD5:B62EF9BC3C7AF6DE9CD3468D476E62E0
                                            SHA1:75E8E3FA523F80F70416276E8ED11E6F0438EFF6
                                            SHA-256:4A0FB6C5D93D013BF753B67BE9743E598A565C3CE8434DF6697ECD4773739335
                                            SHA-512:9D4B5A68AF5780BAD643BDC4819D6F8F0FAE3B5C9F4A30C51084F54B1D2AAA9AAC6B2E199C3BA44AFDF2374841B51F21ED520F147D0C3B509DCE194417959CCC
                                            Malicious:false
                                            Preview:To: MBSS Starfields Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Starfields-- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Starfields.. Mathematically Beautiful Screen Savers (MBSS)..Version: 3.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Starfield effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window to regis
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):831488
                                            Entropy (8bit):5.719564466164652
                                            Encrypted:false
                                            SSDEEP:12288:8g7aCVgYumzMVXMyHEwRJDQmjQ7bjQhbSqobNaNfUauA5m5IUUyAPMm95FmeJU/k:8gOugzmg8mjQ7/mbrgY95
                                            MD5:033384AA9C4E0C0B2121FA88AA2A9A26
                                            SHA1:4F20594D937CA4ED63A6A0789E3CCCD55AF815B5
                                            SHA-256:7E5B6B66D69295236809CC9257A5FE37D7D15139030F92DF66791D33482D4CA9
                                            SHA-512:6034FB20487BFC3B28307373A18E51ACC3E59A5F837AAE768CEAC51AEFBCB12B5253ABD51F5569A938854F3BD08FB04B57B36F2B582C03C935B8D07BAC146281
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 2%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B............4.......................Rich............PE..L......I.................P..................`....@.................................h........................................O..(........0..................................................................(... ....................................text...HL.......P.................. ..`.data....e...`.......`..............@....rsrc....0.......@...p..............@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):57518
                                            Entropy (8bit):3.1813080766275093
                                            Encrypted:false
                                            SSDEEP:1536:XRtrQ+05BOlnQxXPXSiI+Zmdfu0ksMrrFGICf3n6:Btm
                                            MD5:4EA832530DD1332897B101E73053EDBC
                                            SHA1:EC90B1EEC4DC384C1E79D7F279CB59E3F260539E
                                            SHA-256:70F14D2A8BF64F88603318B841C5F52634A24BCE2CFD624606640D67E8D09D4D
                                            SHA-512:EF80A2E7B670ACD57E8BEB76BDD7700326E0A03CAC47FF212279184BB045BC5313B40A8A19D0C3CA50EA57776F914F3449B4E861D637DFAA3652A5F2A6E59601
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):32670
                                            Entropy (8bit):2.778285530693594
                                            Encrypted:false
                                            SSDEEP:192:raGFY0B7x8xWsYQ2rbJsZ9EVjGoFP43PMY9rxNxAzUhCDKBZa6jq:40VThDGoFPniypDAzq
                                            MD5:CF3CF044E4F703888217E5909C30C0EE
                                            SHA1:4D853095001069FAA9EAF66DA0520870C5B5AECB
                                            SHA-256:71C4D76CCA2CD693FA556DCF0438CB35A9D966D79F3F32F66AD4A560F2EBC908
                                            SHA-512:2F9B0DEF469B29087E87F7CF2E7B1AD503AFDB19671044718DD432014367CDEF430BBA4DC34CDFDA48DF7D4BFC2F9A4FD19C4226029DA3F6AA9719BC36AFCAFB
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):24760
                                            Entropy (8bit):1.6854983550427152
                                            Encrypted:false
                                            SSDEEP:48:uLX2fyt80Xx4EmwpGdDPrNthCtfAokJPe+0jmG0AwTkFVNQiku+Da/dfttEtBc62:C60SEWd75thCt4vRe+0jL0fTeM0
                                            MD5:B62A116E3A58713E77EF1C1A0C4D8767
                                            SHA1:6A7F7E075AEA74361973F1D408E60F0754198F4A
                                            SHA-256:8B195DBC9C2D1B15B45BA03209ED397440BEC7324BFF2C695F86D34D749C0CBA
                                            SHA-512:18FB52FE6640D553C38F8C56F0A72C66B042B4DC78269D0B584CFDD5FF2D64E2873270FA1059E93F76A978EE19AA61BA77384F69793F583DD972D8DA076D1B3A
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):56320
                                            Entropy (8bit):3.1314676065715386
                                            Encrypted:false
                                            SSDEEP:768:svLP40MOsUx1326IUbf9bbnmy8oUdLzWR9NoAYj1YDFjXKPetWT1U:sv+OsUxtbm3SR9NoAYj1YDFjaPetWT1U
                                            MD5:1CF9769524678A269C3DDD273E4D14DA
                                            SHA1:37986CB51A1E7327EF67866A25D85288420FCDB0
                                            SHA-256:9121528982D98483160E9C1EFFEEC3DC724D2D2FCC592D5C1A5C122518A17668
                                            SHA-512:94DA04F12E9B5A9AE7C2BF97477FA9CDBDC559CD9591D43B8C6B12F353506E5C33D739E5E3D516CF534F49976B6A55A7A8177A22E48D07631B10FCD29236ED95
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):67578
                                            Entropy (8bit):2.4386235944575896
                                            Encrypted:false
                                            SSDEEP:768:zkBcE+Psy/NwMQ6GOHQ4pnQk/4Y4Zcj+t3HuH+gMbKR0ZnBuB/mNU:Nl0ObpQG4Zcj+t3HuegMbKR0hBuB/mNU
                                            MD5:98A36CF7B2E65AE8E8736357AC9DEEA7
                                            SHA1:0C5594D2C9DEAF495C3811692B69BA76BD273531
                                            SHA-256:1509CD99352494616AE67591CE563B9F1AE6BBC8CF1705980E7B7C18B6029AD3
                                            SHA-512:4454D4685C0E1DBB2AAF54263B7F53CFA44A60D8C9D3C62F387FEFB0837CAB65E495EA411613C1AFF9B38A57097BE8B0C0D87FE019B330298DC10082CC6A3174
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):82438
                                            Entropy (8bit):4.213718397511192
                                            Encrypted:false
                                            SSDEEP:1536:O8cNLZL6h41AihROZVqk7FEQL16QzEEEEnEEry:OJNBj1ADIw6F
                                            MD5:D49C38054EEDD52AA95D8802B5D351D0
                                            SHA1:1117E70654D635950A8D2789977D784E50D74B87
                                            SHA-256:7DFE683A3E1BE9667B762421A6DE9F39380F3C6E1A59E32F4A40115F8131618A
                                            SHA-512:36288278F8241E8931CB17B1FB03F3813BF1FFA4EC4F1D5261FF914DA27D053EEC520872DDD46AFC890B461BA7F487AFD0AEC777A32ABD3091B8CDAA68291E54
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):45242
                                            Entropy (8bit):4.290525673094203
                                            Encrypted:false
                                            SSDEEP:384:k2DNJDoL/VWvWpJOHLdVrxuWHK2MfCN0RFu+czlAh9XGRUZiWmHKnymtMo5vnyHj:k2TD9epkVduWHK2M6N6lh9WRNVsvyHCs
                                            MD5:1675D3430C1AE04BBE8AFE13F6B48EBB
                                            SHA1:80BB23F6520B37F45635985713D0CA45C50432BA
                                            SHA-256:5734F413F9AF90737BF7E9ED4F91AB7A4A7820766AC7541F685681D7D11F311F
                                            SHA-512:29DD2596962B08637C363E2373EDF3A5FF5FE99743D4CB103EE30F23DE43066FA93F325DBEA1F198952F6EE5ABE589C88D8DB07036BA3CA538E875B142D3E55B
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):58540
                                            Entropy (8bit):3.7039132612226187
                                            Encrypted:false
                                            SSDEEP:768:fngWAMVo36h+xnjr9gQg7cqOK8/atTRsq3/dR95VODSzshtdecFYPJia7giLxf:fO56h+x9gjcHKia7s2/zVOf15FYVNLxf
                                            MD5:B81F2EF2648DB1D00EBC1BB104569144
                                            SHA1:E650F0D27D772C517085ACCE7DFFCF3929D64217
                                            SHA-256:7F7D54A37CCA68A3D7998AE96DA2D8228894DEC22E354019345A4B1B2C91630E
                                            SHA-512:06FEEEDA02DA1E97893C080C03C6CFF017B015FD3B95E654DFA35C55D9A025E4C2A274381F8E6D3FA022DD908485690395DADFB3693BE7BF0DC4711DEADB8425
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):147456
                                            Entropy (8bit):4.961296096394837
                                            Encrypted:false
                                            SSDEEP:3072:E4iQl22TcIZdZExNHWaq++sNEFYe/hoHNzyzZ:v+NBeCW
                                            MD5:CB1996BBBE5906CAE8CB06261A6BE1F9
                                            SHA1:8AF9D4BF0FEE3ADD5DA7CCDA2750444B5D462298
                                            SHA-256:9425B2E31492DDFCFE9A9DB922625467072E0F37098DA8C93FECD396BCD02C2E
                                            SHA-512:B4E6D70177CBDF23FC722DFAEBE7C724B17613E38EE08536A426669A7803A279C7F4F42A5B03E060B48905E9662925092F8A53FEEC180A40C4FCDFAF4E7FC172
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 1%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S6a*.W.y.W.y.W.y!q.y.W.y.K.y.W.y.W.yTW.yuH.y.W.y!q.yMW.y.w.y.W.yRich.W.y........................PE..L......L...........!.....0...................@......................................................................N......dI..(............................0.......................................................@...............................text...z........0.................. ..`.rdata.......@... ...@..............@..@.data.......`...@...`..............@....reloc..:....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 3.1 help, Mon Apr 25 01:23:09 2005, 185175 bytes
                                            Category:dropped
                                            Size (bytes):185175
                                            Entropy (8bit):5.3405130259244045
                                            Encrypted:false
                                            SSDEEP:3072:bHXoZ4/FLTB3to7lYI0kXpbrmJ2mJFRaMV5l:boaLtto5YjkZbEj
                                            MD5:C54066E9B17D8EC0A27FCD6557D4144E
                                            SHA1:B6C8CE2E4E3FBABCFE13E7E32FD92635C2F239FA
                                            SHA-256:C5CDBD7EBF29E1FBA8266E282C8BD89561F790716C7CFE9F3D4E48A37F1C34CF
                                            SHA-512:3B4BBDC371F53196FC30ADAC3D7724BFE15B37F5E1B020878AD0E5E4F401B081A1823CFB0E5672355A7403301AFFE79B99E149ABB36F63A9B3064B80DA770629
                                            Malicious:false
                                            Preview:?_..........W............l.!...]*lB......MBSS Products.............. 2001 Patrick D. Grengs II.....BrowseButtons()...Z...main......main.....MBSS Products......................................x.x...X................................./...&....;)....z4......................................|CONTEXT.(...|CTXOMAP.Sq..|FONT..p..|KWBTREE..z..|KWDATA.vw..|KWMAP..z..|SYSTEM.....|TOPIC.....|TTLBTREE..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 95 Internet shortcut text (URL=<http://www.mathsavers.com/savers.htm>), ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):62
                                            Entropy (8bit):4.473963447309176
                                            Encrypted:false
                                            SSDEEP:3:HRAbABGQYm/0S41Tv3WETlIy:HRYFVm/r41K6Sy
                                            MD5:A73992D10FD0C1CB26697D7340ED03C1
                                            SHA1:DF7E2EAE60DC0EDC8D81089413FCE549D68FC931
                                            SHA-256:4F1EBB019D1537E8AC8592AF7739E02342FE0E88720C82F861EF502ACD4B5808
                                            SHA-512:28A94D2588BE10826D1796FD4BC0EA0939EACA2EE2801A0941AB3E6BC268E5B2BAB0C0D4578127D68E378F923A24B747C55BCF73531F5E82D5A6B170C8059F14
                                            Malicious:false
                                            Preview:[InternetShortcut]..URL=http://www.mathsavers.com/savers.htm..
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):11618
                                            Entropy (8bit):4.653607504006574
                                            Encrypted:false
                                            SSDEEP:192:ydELHHcoR3vDu5ujOFTmgWDDg7wVGUoXMjMHMh:9pjOFEDj3oXgl
                                            MD5:D32C188FC688CEF883D4925DFD36C244
                                            SHA1:28E513C08663638EEB9FB4045F7A3A6111816C2B
                                            SHA-256:D879B06460AD28B35B9D0E0F892635A0B7F59501C3B6C5466BE803EFB341196C
                                            SHA-512:C22E212FCD99A6566C70D07D7DF569410875EDEC0AB9A95211F6807A68931945EEF1413091863A5F99A6DB99FF695306817529C12EEE00AD877E92910AEFD1E8
                                            Malicious:false
                                            Preview:To: MBSS Fireworks Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Fireworks-- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Fireworks.. Mathematically Beautiful Screen Savers (MBSS)..Version: 3.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Fireworks effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window to register
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 95 Internet shortcut text (URL=<http://www.mathsavers.com/savers.htm>), ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):62
                                            Entropy (8bit):4.473963447309176
                                            Encrypted:false
                                            SSDEEP:3:HRAbABGQYm/0S41Tv3WETlIy:HRYFVm/r41K6Sy
                                            MD5:A73992D10FD0C1CB26697D7340ED03C1
                                            SHA1:DF7E2EAE60DC0EDC8D81089413FCE549D68FC931
                                            SHA-256:4F1EBB019D1537E8AC8592AF7739E02342FE0E88720C82F861EF502ACD4B5808
                                            SHA-512:28A94D2588BE10826D1796FD4BC0EA0939EACA2EE2801A0941AB3E6BC268E5B2BAB0C0D4578127D68E378F923A24B747C55BCF73531F5E82D5A6B170C8059F14
                                            Malicious:false
                                            Preview:[InternetShortcut]..URL=http://www.mathsavers.com/savers.htm..
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):45242
                                            Entropy (8bit):4.290525673094203
                                            Encrypted:false
                                            SSDEEP:384:k2DNJDoL/VWvWpJOHLdVrxuWHK2MfCN0RFu+czlAh9XGRUZiWmHKnymtMo5vnyHj:k2TD9epkVduWHK2M6N6lh9WRNVsvyHCs
                                            MD5:1675D3430C1AE04BBE8AFE13F6B48EBB
                                            SHA1:80BB23F6520B37F45635985713D0CA45C50432BA
                                            SHA-256:5734F413F9AF90737BF7E9ED4F91AB7A4A7820766AC7541F685681D7D11F311F
                                            SHA-512:29DD2596962B08637C363E2373EDF3A5FF5FE99743D4CB103EE30F23DE43066FA93F325DBEA1F198952F6EE5ABE589C88D8DB07036BA3CA538E875B142D3E55B
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):147456
                                            Entropy (8bit):4.961296096394837
                                            Encrypted:false
                                            SSDEEP:3072:E4iQl22TcIZdZExNHWaq++sNEFYe/hoHNzyzZ:v+NBeCW
                                            MD5:CB1996BBBE5906CAE8CB06261A6BE1F9
                                            SHA1:8AF9D4BF0FEE3ADD5DA7CCDA2750444B5D462298
                                            SHA-256:9425B2E31492DDFCFE9A9DB922625467072E0F37098DA8C93FECD396BCD02C2E
                                            SHA-512:B4E6D70177CBDF23FC722DFAEBE7C724B17613E38EE08536A426669A7803A279C7F4F42A5B03E060B48905E9662925092F8A53FEEC180A40C4FCDFAF4E7FC172
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 1%, Browse
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):1466368
                                            Entropy (8bit):5.802870922913927
                                            Encrypted:false
                                            SSDEEP:24576:+H3NpfTgLoi3rlbx64ScES+YAE+r0NJFmpbLJ:0ngjZScES+YACzQpR
                                            MD5:AC7C0A12A462079CAAB1605E4662E3ED
                                            SHA1:9702F0F85015AACCC315EC0D34AA0C909C97C6BF
                                            SHA-256:CFB9A5131B8FDF59341A90050DFCEE1EE62FBADA35FF792BCA167E3ADDB62291
                                            SHA-512:E661B34B0CBF341C3EBC2BC5240D7CCB024699F396DDC708D8369641217B304553AA654D7F0852AB7A922E092CB0A5E2BDCB6396CA503CD0C636BAE80E182585
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):24760
                                            Entropy (8bit):1.6854983550427152
                                            Encrypted:false
                                            SSDEEP:48:uLX2fyt80Xx4EmwpGdDPrNthCtfAokJPe+0jmG0AwTkFVNQiku+Da/dfttEtBc62:C60SEWd75thCt4vRe+0jL0fTeM0
                                            MD5:B62A116E3A58713E77EF1C1A0C4D8767
                                            SHA1:6A7F7E075AEA74361973F1D408E60F0754198F4A
                                            SHA-256:8B195DBC9C2D1B15B45BA03209ED397440BEC7324BFF2C695F86D34D749C0CBA
                                            SHA-512:18FB52FE6640D553C38F8C56F0A72C66B042B4DC78269D0B584CFDD5FF2D64E2873270FA1059E93F76A978EE19AA61BA77384F69793F583DD972D8DA076D1B3A
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):831488
                                            Entropy (8bit):5.719564466164652
                                            Encrypted:false
                                            SSDEEP:12288:8g7aCVgYumzMVXMyHEwRJDQmjQ7bjQhbSqobNaNfUauA5m5IUUyAPMm95FmeJU/k:8gOugzmg8mjQ7/mbrgY95
                                            MD5:033384AA9C4E0C0B2121FA88AA2A9A26
                                            SHA1:4F20594D937CA4ED63A6A0789E3CCCD55AF815B5
                                            SHA-256:7E5B6B66D69295236809CC9257A5FE37D7D15139030F92DF66791D33482D4CA9
                                            SHA-512:6034FB20487BFC3B28307373A18E51ACC3E59A5F837AAE768CEAC51AEFBCB12B5253ABD51F5569A938854F3BD08FB04B57B36F2B582C03C935B8D07BAC146281
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 2%, Browse
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):82438
                                            Entropy (8bit):4.213718397511192
                                            Encrypted:false
                                            SSDEEP:1536:O8cNLZL6h41AihROZVqk7FEQL16QzEEEEnEEry:OJNBj1ADIw6F
                                            MD5:D49C38054EEDD52AA95D8802B5D351D0
                                            SHA1:1117E70654D635950A8D2789977D784E50D74B87
                                            SHA-256:7DFE683A3E1BE9667B762421A6DE9F39380F3C6E1A59E32F4A40115F8131618A
                                            SHA-512:36288278F8241E8931CB17B1FB03F3813BF1FFA4EC4F1D5261FF914DA27D053EEC520872DDD46AFC890B461BA7F487AFD0AEC777A32ABD3091B8CDAA68291E54
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 3.1 help, Sun Apr 24 19:56:02 2005, 123726 bytes
                                            Category:dropped
                                            Size (bytes):123726
                                            Entropy (8bit):5.216857831249389
                                            Encrypted:false
                                            SSDEEP:1536:IHSZiase3NaHCXoJNtyZYLA4d+JgMHB6qKEQ43e:IHSZiasmaiayZYLAxJvB6qKEQ43
                                            MD5:7A9D01756F832168E76AAC1DBCE37DA1
                                            SHA1:8CD3DDE3B83AE3E4738A9647D504BABA38C0B925
                                            SHA-256:B640F957180A8054E84FE8C62CEA718AD69770D8E45E9A14E8365F60574D5E84
                                            SHA-512:91511657C2C8145CA5BF35C85166076E9DA899FAF49749CE8A38ED463FBE17E54AD2FAABC47A88EC5F8EFC34CBA962705329DF6863F4E9A923B162E0FD950659
                                            Malicious:false
                                            Preview:?_..........N............l.!.....kB......MBSS Light.............. 2003 Patrick D. Grengs II.....BrowseButtons()...Z...main......main.....MBSS Light.........................................x.x...X................................./...&....;)....z4......................................|CONTEXT.....|CTXOMAP.@...|FONT.*...|KWBTREE.....|KWDATA....|KWMAP.....|SYSTEM.....|TOPIC.....|TTLBTREE.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):991232
                                            Entropy (8bit):5.7383148053333
                                            Encrypted:false
                                            SSDEEP:12288:oqtVogJ3QOn7Sh+SrTjRrKHf34tvop/BEqFrkv+EVYMg3kEp80RDBjj17c7rFFOD:okigJ3QHrKHf3wvELFrk6CBAZmw9n3
                                            MD5:294BD6B2B14444025AD8D04E845C990F
                                            SHA1:5AAF9F1F764D496907DCC5344E2A793741D77513
                                            SHA-256:615F5FCB396AD7E4D0228850CE0C349F88A0C7E3926C286E018F762114C1C5D3
                                            SHA-512:F0AB705E274C3633E84C992B5A2DFF0C0FEF3D4DE26049392F26DD373D8242BC07D910BE459AC61814DAD361CB4F81851B6AE1703DF9CF6F8DC8C0E40EE7BFB9
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):57518
                                            Entropy (8bit):3.1813080766275093
                                            Encrypted:false
                                            SSDEEP:1536:XRtrQ+05BOlnQxXPXSiI+Zmdfu0ksMrrFGICf3n6:Btm
                                            MD5:4EA832530DD1332897B101E73053EDBC
                                            SHA1:EC90B1EEC4DC384C1E79D7F279CB59E3F260539E
                                            SHA-256:70F14D2A8BF64F88603318B841C5F52634A24BCE2CFD624606640D67E8D09D4D
                                            SHA-512:EF80A2E7B670ACD57E8BEB76BDD7700326E0A03CAC47FF212279184BB045BC5313B40A8A19D0C3CA50EA57776F914F3449B4E861D637DFAA3652A5F2A6E59601
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 3.1 help, Mon Jun 30 00:02:10 2003, 209090 bytes
                                            Category:dropped
                                            Size (bytes):209090
                                            Entropy (8bit):5.237242075062221
                                            Encrypted:false
                                            SSDEEP:6144:QBXr8o0FuNcd/7XKSZK4tRlXv2FGZGNVhra:QBXr8juN+Xv2FGZ3
                                            MD5:1B98348B9D4E31E7F73891D3CF62DA68
                                            SHA1:462D39924FAE95E11D068CAAE997FD098EA07967
                                            SHA-256:EC98CCD8B265D843B7C003452E22ADE5EC91E83397848B5EF26A0EFF83FF8FFC
                                            SHA-512:FB7D56189D9C00DB3140D700C8128C25DCA774FFF6045EA1C56460194D610422C2BC05A6E8F4AC808B4E8310AD4C5BACB3F9C049CE257C32B409ADFF84BD5612
                                            Malicious:false
                                            Preview:?_...........0...........l.!....a.>......Galaxies 5.1 Help.............. 2000 Patrick D. Grengs II.....BrowseButtons()...Z...main......main.....Galaxies 5.1 Help..................................x.x...X................................../...&....;)....z4......................................|CONTEXT..(..|CTXOMAP.....|FONT.....|KWBTREE.5...|KWDATA.....|KWMAP.....|SYSTEM.....|TOPIC.....|TTLBTREE.d...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):9123
                                            Entropy (8bit):4.638566838091547
                                            Encrypted:false
                                            SSDEEP:192:oPv95ZcDEZQFv1u5x6mgi/9mDiXrlMHMh:gWEbl/oDiXrll
                                            MD5:741BFB624BF550D7657E4ECF31AE0EF0
                                            SHA1:3C3CD9F8222E4285C190DABA100D9D9DEE243424
                                            SHA-256:D859CA6764FE55C5D3EBFD7C2EF074F5B2795A6C806B5C2C369CB0EBBA91ECD3
                                            SHA-512:58FAED78CA525F6AEDDE347E4A9A269477408F171D3DAC443C0E3838E79B1EF979459F5C88AA4D4F587BAED7ADF33B848104ACCA98E33E74E22525D71D07311C
                                            Malicious:false
                                            Preview:To: MBSS Light Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Light -- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Light.. Mathematically Beautiful Screen Savers (MBSS)..Version: 4.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Light effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window to register the product...
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):827392
                                            Entropy (8bit):5.730600542566671
                                            Encrypted:false
                                            SSDEEP:12288:E3ZSKSzLgXnH+5S8PEZFPfKYd/WK/Ggm2KiRFlqhJ6BQKEolf83il80xLG40UoZ:AIgXVfKYd/FOYwiliUo
                                            MD5:FCDCD17AD526103CCDB8892D196D1DE5
                                            SHA1:26159FE91DF957D5F76668CB425C53105115F796
                                            SHA-256:75C9D8A672FA3FA044B7F788D067755607606EE9336F87405B38996850A6E160
                                            SHA-512:250F16CC0F5C8158DA208C9867D6FE3E63E3FB4DA49687A01A95BED349C3DA3B8F74A1BD5C74BE7A7350D973CA651906DE1970FF8D0CC2BC9120B4DAE1974764
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):933888
                                            Entropy (8bit):5.7739554151256165
                                            Encrypted:false
                                            SSDEEP:12288:aYdU/gVzIDeCZb8wo4CcbITzWlwIjNzFUY6o1/90t7dtm97nIscBF0REXfNnWh3:aYd6gVO11CMITzBo1/+rwh
                                            MD5:40A755C77CA8211879FE6446370EEE8F
                                            SHA1:7E949B4BB0CCADA57B87998D6EF3879BF624E7B4
                                            SHA-256:BD62357E2ED0E4A72F05A86B8E9FC3237B894252C1C4654A761B076FC27517CF
                                            SHA-512:2E17C980C74EE63899A58DBE2E62505185B693FFBD636D6A3A5DCD833A62FE3F372571C07606B65836D53E8D2F0DCFFCE4CFBB10887F60A09242B51D84A8A702
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):11004
                                            Entropy (8bit):4.6432649199151586
                                            Encrypted:false
                                            SSDEEP:192:32lzXucTvRxvDu5ujOFTmgR7vDXSvbR20xXxMHMh:E1HjOFPD2b/Xxl
                                            MD5:F11042D12B82A7F777EFF0F11BE9CE7D
                                            SHA1:E0055CBBB7D459E03CE16C76BB358CC9C49D0D0C
                                            SHA-256:01DC1EDF9A749A17514B69D2547FE56AF58ACCB5B037F9A8DEBEC02E54E94EE1
                                            SHA-512:4DC995808DF010E6D14C95642602FD1BF732877B86BF58D6A7A5602A856A73D1A1AFEB0F96984127A8957B1F5284470A1F13B9CE58374B2C027476686369A490
                                            Malicious:false
                                            Preview:To: MBSS Gravity Wells Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Gravity Wells-- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Gravity Wells.. Mathematically Beautiful Screen Savers (MBSS)..Version: 3.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Gravity effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window t
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):67578
                                            Entropy (8bit):2.4386235944575896
                                            Encrypted:false
                                            SSDEEP:768:zkBcE+Psy/NwMQ6GOHQ4pnQk/4Y4Zcj+t3HuH+gMbKR0ZnBuB/mNU:Nl0ObpQG4Zcj+t3HuegMbKR0hBuB/mNU
                                            MD5:98A36CF7B2E65AE8E8736357AC9DEEA7
                                            SHA1:0C5594D2C9DEAF495C3811692B69BA76BD273531
                                            SHA-256:1509CD99352494616AE67591CE563B9F1AE6BBC8CF1705980E7B7C18B6029AD3
                                            SHA-512:4454D4685C0E1DBB2AAF54263B7F53CFA44A60D8C9D3C62F387FEFB0837CAB65E495EA411613C1AFF9B38A57097BE8B0C0D87FE019B330298DC10082CC6A3174
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):11385
                                            Entropy (8bit):4.710178377767261
                                            Encrypted:false
                                            SSDEEP:192:6SRvQf1cdEZQdv1u5YD5PJ9hhuOf/kduIfXEyMHMh:fNEAD5xh5/kvXEyl
                                            MD5:CA47F7D68DA57F85C6C780BB1D7BC757
                                            SHA1:4F0D8DF6CD3E6F40D11EBBBB4336656D84B013DB
                                            SHA-256:2ACDB878F243F93367E99FE45E6E6DE24B595ABD9968927DC8281F557ABD2CC6
                                            SHA-512:D1D75CC982B59E832C59871223F5AC243846552A94BA58EBE32D3F991C3C2EC22E7EFDA0376035B14C99CCF59851C264E3D750F451ACA45BB6343125356E31E2
                                            Malicious:false
                                            Preview:To: MBSS Galaxies Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Galaxies product -- and other good things..Date: Sunday, January 30, 2011....-----------------------------------------------------------------------..Program: Galaxies.. Mathematically Beautiful Screen Savers (MBSS)..Version: 6.0 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display 3D Galaxy Effects by setting numerous properties... Define the Galaxy Types as well as how the Galaxies should be.. dispersed throughout the Universe. Watch as the camera tours.. the Universe, visiting the Galaxies.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista & 7... See the Registration window to register the product...
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:MS Windows 3.1 help, Mon Apr 25 01:23:09 2005, 185175 bytes
                                            Category:dropped
                                            Size (bytes):185175
                                            Entropy (8bit):5.3405130259244045
                                            Encrypted:false
                                            SSDEEP:3072:bHXoZ4/FLTB3to7lYI0kXpbrmJ2mJFRaMV5l:boaLtto5YjkZbEj
                                            MD5:C54066E9B17D8EC0A27FCD6557D4144E
                                            SHA1:B6C8CE2E4E3FBABCFE13E7E32FD92635C2F239FA
                                            SHA-256:C5CDBD7EBF29E1FBA8266E282C8BD89561F790716C7CFE9F3D4E48A37F1C34CF
                                            SHA-512:3B4BBDC371F53196FC30ADAC3D7724BFE15B37F5E1B020878AD0E5E4F401B081A1823CFB0E5672355A7403301AFFE79B99E149ABB36F63A9B3064B80DA770629
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):32670
                                            Entropy (8bit):2.778285530693594
                                            Encrypted:false
                                            SSDEEP:192:raGFY0B7x8xWsYQ2rbJsZ9EVjGoFP43PMY9rxNxAzUhCDKBZa6jq:40VThDGoFPniypDAzq
                                            MD5:CF3CF044E4F703888217E5909C30C0EE
                                            SHA1:4D853095001069FAA9EAF66DA0520870C5B5AECB
                                            SHA-256:71C4D76CCA2CD693FA556DCF0438CB35A9D966D79F3F32F66AD4A560F2EBC908
                                            SHA-512:2F9B0DEF469B29087E87F7CF2E7B1AD503AFDB19671044718DD432014367CDEF430BBA4DC34CDFDA48DF7D4BFC2F9A4FD19C4226029DA3F6AA9719BC36AFCAFB
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:ISO-8859 text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):10635
                                            Entropy (8bit):4.6474006203537295
                                            Encrypted:false
                                            SSDEEP:192:bwfV29cPiUvDu5ujOFTmgD29VvDVUrl4XZMHMh:m9jOFw9xD2l4XZl
                                            MD5:B62EF9BC3C7AF6DE9CD3468D476E62E0
                                            SHA1:75E8E3FA523F80F70416276E8ED11E6F0438EFF6
                                            SHA-256:4A0FB6C5D93D013BF753B67BE9743E598A565C3CE8434DF6697ECD4773739335
                                            SHA-512:9D4B5A68AF5780BAD643BDC4819D6F8F0FAE3B5C9F4A30C51084F54B1D2AAA9AAC6B2E199C3BA44AFDF2374841B51F21ED520F147D0C3B509DCE194417959CCC
                                            Malicious:false
                                            Preview:To: MBSS Starfields Enthusiast..From: Patrick D. Grengs II, application author..Subject: How to Run MBSS Starfields-- and other good things..Date: Sunday, April 19, 2009....-----------------------------------------------------------------------..Program: MBSS Starfields.. Mathematically Beautiful Screen Savers (MBSS)..Version: 3.2.1000 (Multi-Monitor and Hibernation features added)..... 2011 Patrick D. Grengs II. All rights reserved.....Purpose: Display Starfield effects with real-time 3D particle animation... Properties can be saved as Templates for later use or can be.. exchanged with other users of the product. You can configure.. the product as your Screen Saver. Notes appear below.....Status: This is a Shareware product... You may distribute it without cost... All rights are reserved by the Author.... Product has been migrated to Microsoft Windows Vista... See the Registration window to regis
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):56320
                                            Entropy (8bit):3.1314676065715386
                                            Encrypted:false
                                            SSDEEP:768:svLP40MOsUx1326IUbf9bbnmy8oUdLzWR9NoAYj1YDFjXKPetWT1U:sv+OsUxtbm3SR9NoAYj1YDFjaPetWT1U
                                            MD5:1CF9769524678A269C3DDD273E4D14DA
                                            SHA1:37986CB51A1E7327EF67866A25D85288420FCDB0
                                            SHA-256:9121528982D98483160E9C1EFFEEC3DC724D2D2FCC592D5C1A5C122518A17668
                                            SHA-512:94DA04F12E9B5A9AE7C2BF97477FA9CDBDC559CD9591D43B8C6B12F353506E5C33D739E5E3D516CF534F49976B6A55A7A8177A22E48D07631B10FCD29236ED95
                                            Malicious:false
                                            Process:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, stereo 8000 Hz
                                            Category:dropped
                                            Size (bytes):58540
                                            Entropy (8bit):3.7039132612226187
                                            Encrypted:false
                                            SSDEEP:768:fngWAMVo36h+xnjr9gQg7cqOK8/atTRsq3/dR95VODSzshtdecFYPJia7giLxf:fO56h+x9gjcHKia7s2/zVOf15FYVNLxf
                                            MD5:B81F2EF2648DB1D00EBC1BB104569144
                                            SHA1:E650F0D27D772C517085ACCE7DFFCF3929D64217
                                            SHA-256:7F7D54A37CCA68A3D7998AE96DA2D8228894DEC22E354019345A4B1B2C91630E
                                            SHA-512:06FEEEDA02DA1E97893C080C03C6CFF017B015FD3B95E654DFA35C55D9A025E4C2A274381F8E6D3FA022DD908485690395DADFB3693BE7BF0DC4711DEADB8425
                                            Malicious:false
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.991944858663837
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 98.86%
                                            • Inno Setup installer (109748/4) 1.08%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            File name:SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
                                            File size:1'583'275 bytes
                                            MD5:034cb3e5f37e1ce4aa06fbf299f8aad2
                                            SHA1:1f37f230cfc5def3e322e7f45fea6c8c2c6332a6
                                            SHA256:705723eb97c62bb078d20146d9c62bf991ba285c420836d19e7fb186598bdf2e
                                            SHA512:6d0643780acaa1669301735fae9beaa23bf9ab6dd677a2880a1524400a0323abe545ff1bad4f1c0a324b572c83c7f0cf3f69bd2cea1d9a2dba8d0d7720b07ce0
                                            SSDEEP:24576:U2UHgbCIWFh9+OQkDpXbk66KAT+Xm4KzAfh6UkjXu0KJVFOQvvj6rzG7bZ3C:U2k2Ah9+OQsZbkvSXmofMUk60K5OaLZy
                                            TLSH:FD75336353A7A431F6CBC6B96C2E9404C9E7FE352A7070827ABCBFC95B5B589101D701
                                            Icon Hash:fcfb7efdfaf6fade
                                            Entrypoint:0x409a58
                                            Entrypoint Section:CODE
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:1
                                            OS Version Minor:0
                                            File Version Major:1
                                            File Version Minor:0
                                            Subsystem Version Major:1
                                            Subsystem Version Minor:0
                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            add esp, FFFFFFC4h
                                            push ebx
                                            push esi
                                            push edi
                                            xor eax, eax
                                            mov dword ptr [ebp-10h], eax
                                            mov dword ptr [ebp-24h], eax
                                            call 00007F27ECB96123h
                                            call 00007F27ECB9732Ah
                                            call 00007F27ECB99555h
                                            call 00007F27ECB9959Ch
                                            call 00007F27ECB9BDC3h
                                            call 00007F27ECB9BF2Ah
                                            xor eax, eax
                                            push ebp
                                            push 0040A10Bh
                                            push dword ptr fs:[eax]
                                            mov dword ptr fs:[eax], esp
                                            xor edx, edx
                                            push ebp
                                            push 0040A0D4h
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            mov eax, dword ptr [0040C014h]
                                            call 00007F27ECB9C950h
                                            call 00007F27ECB9C4B7h
                                            lea edx, dword ptr [ebp-10h]
                                            xor eax, eax
                                            call 00007F27ECB99B61h
                                            mov edx, dword ptr [ebp-10h]
                                            mov eax, 0040CDE4h
                                            call 00007F27ECB961D4h
                                            push 00000002h
                                            push 00000000h
                                            push 00000001h
                                            mov ecx, dword ptr [0040CDE4h]
                                            mov dl, 01h
                                            mov eax, 004072A4h
                                            call 00007F27ECB9A3CCh
                                            mov dword ptr [0040CDE8h], eax
                                            xor edx, edx
                                            push ebp
                                            push 0040A08Ch
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            call 00007F27ECB9C9C0h
                                            mov dword ptr [0040CDF0h], eax
                                            mov eax, dword ptr [0040CDF0h]
                                            cmp dword ptr [eax+0Ch], 01h
                                            jne 00007F27ECB9CAFAh
                                            mov eax, dword ptr [0040CDF0h]
                                            mov edx, 00000028h
                                            call 00007F27ECB9A7CDh
                                            mov edx, dword ptr [0040CDF0h]
                                            cmp eax, dword ptr [edx+00h]
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x39e8 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x0 | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            CODE | 0x1000 | 0x9174 | 0x9200 | ea92e1415bc80e2738e334267ebbb921 | False | 0.614699272260274 | data | 6.566253815683607 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            DATA | 0xb000 | 0x24c | 0x400 | f96da19d2571a42bdff1b9e8bd62ec99 | False | 0.3076171875 | data | 2.7350839451932765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                            .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x11000 | 0x39e8 | 0x3a00 | c3e29416764d722a8c61900f89f1a413 | False | 0.5123248922413793 | data | 5.585909086193479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x112f4 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | English | United States | 0.8333333333333334
                                            RT_ICON | 0x11f9c | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4608 | English | United States | 0.40479548660084624
                                            RT_STRING | 0x135c4 | 0x2f2 | data | | | 0.35543766578249336
                                            RT_STRING | 0x138b8 | 0x30c | data | | | 0.3871794871794872
                                            RT_STRING | 0x13bc4 | 0x2ce | data | | | 0.42618384401114207
                                            RT_STRING | 0x13e94 | 0x68 | data | | | 0.75
                                            RT_STRING | 0x13efc | 0xb4 | data | | | 0.6277777777777778
                                            RT_STRING | 0x13fb0 | 0xae | data | | | 0.5344827586206896
                                            RT_RCDATA | 0x14060 | 0x2c | data | | | 1.2045454545454546
                                            RT_GROUP_ICON | 0x1408c | 0x22 | data | English | United States | 1.0294117647058822
                                            RT_VERSION | 0x140b0 | 0x4b8 | COM executable for DOS | English | United States | 0.3269867549668874
                                            RT_MANIFEST | 0x14568 | 0x47e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4330434782608696
                                            DLL | Import
                                            kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                            user32.dll | MessageBoxA
                                            oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                            advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                            kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                            user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                            comctl32.dll | InitCommonControls
                                            advapi32.dll | AdjustTokenPrivileges
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            No network behavior found


                                            Target ID:0
                                            Start time:02:23:54
                                            Start date:29/04/2024
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe"
                                            Imagebase:0x400000
                                            File size:1'583'275 bytes
                                            MD5 hash:034CB3E5F37E1CE4AA06FBF299F8AAD2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:02:23:54
                                            Start date:29/04/2024
                                            Path:C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp" /SL5="$1046E,1226042,57344,C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe"
                                            Imagebase:0x400000
                                            File size:689'152 bytes
                                            MD5 hash:213E2B12F93AD5F9881E93B9A13D031C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 5%, ReversingLabs
                                            • Detection: 0%, Virustotal
                                            Reputation:low
                                            Has exited:true

                                            Target ID:7
                                            Start time:02:24:46
                                            Start date:29/04/2024
                                            Path:C:\Windows\SysWOW64\notepad.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\MBSS Light Readme.txt
                                            Imagebase:0xbd0000
                                            File size:165'888 bytes
                                            MD5 hash:E92D3A824A0578A50D2DD81B5060145F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:8
                                            Start time:02:24:46
                                            Start date:29/04/2024
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:"rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\system32\MBSS Light.scr
                                            Imagebase:0xe30000
                                            File size:61'440 bytes
                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:02:24:47
                                            Start date:29/04/2024
                                            Path:C:\Windows\SysWOW64\MBSS Light.scr
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\system32\MBSS Light.scr" /p 66834
                                            Imagebase:0x400000
                                            File size:933'888 bytes
                                            MD5 hash:40A755C77CA8211879FE6446370EEE8F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:22.6%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:2.4%
                                              Total number of Nodes:1523
                                              Total number of Limit Nodes:27
401d00 7 API calls 4968->4969 4969->4961 4971 40215c 9 API calls 4970->4971 4972 401b95 4971->4972 4972->4928 4974 401d92 4973->4974 4975 401d89 4973->4975 4974->4930 4975->4974 4976 401b74 9 API calls 4975->4976 4976->4974 4978 401d1e 4977->4978 4979 401d4e 4977->4979 4978->4928 4979->4978 4986 401c68 4979->4986 5041 401768 4981->5041 4983 401e99 4984 401ea6 4983->4984 5052 401dcc 4983->5052 4984->4930 4987 401c7a 4986->4987 4988 401c9d 4987->4988 4989 401caf 4987->4989 4999 40188c 4988->4999 4991 40188c 3 API calls 4989->4991 4992 401cad 4991->4992 4993 401cc5 4992->4993 5009 401b44 4992->5009 4993->4978 4995 401cd4 4996 401cee 4995->4996 5014 401b98 4995->5014 5019 4013a0 4996->5019 5000 4018b2 4999->5000 5001 40190b 4999->5001 5023 401658 5000->5023 5001->4992 5006 4018e6 5006->5001 5008 4013a0 LocalAlloc 5006->5008 5008->5001 5010 401b61 5009->5010 5011 401b52 5009->5011 5010->4995 5012 401d00 9 API calls 5011->5012 5013 401b5f 5012->5013 5013->4995 5015 401bab 5014->5015 5016 401b9d 5014->5016 5015->4996 5017 401b74 9 API calls 5016->5017 5018 401baa 5017->5018 5018->4996 5021 4013ab 5019->5021 5020 4013c6 5020->4993 5021->5020 5022 4012e4 LocalAlloc 5021->5022 5022->5020 5024 40168f 5023->5024 5025 4016cf 5024->5025 5026 4016a9 VirtualFree 5024->5026 5027 40132c 5025->5027 5026->5024 5028 401348 5027->5028 5035 4012e4 5028->5035 5031 40150c 5034 40153b 5031->5034 5032 401594 5032->5006 5033 401568 VirtualFree 5033->5034 5034->5032 5034->5033 5038 40128c 5035->5038 5039 401298 LocalAlloc 5038->5039 5040 4012aa 5038->5040 5039->5040 5040->5006 5040->5031 5043 401787 5041->5043 5042 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5042->5043 5043->5042 5044 40183b 5043->5044 5046 40132c LocalAlloc 5043->5046 5047 401821 5043->5047 5048 4017d6 5043->5048 5049 4017e7 5044->5049 5059 4015c4 5044->5059 5046->5043 5050 40150c VirtualFree 5047->5050 5051 40150c VirtualFree 5048->5051 5049->4983 5050->5049 5051->5049 5053 401d80 9 API calls 5052->5053 5054 
401de0 5053->5054 5055 40132c LocalAlloc 5054->5055 5056 401df0 5055->5056 5057 401b44 9 API calls 5056->5057 5058 401df8 5056->5058 5057->5058 5058->4984 5060 40160a 5059->5060 5061 401626 VirtualAlloc 5060->5061 5062 40163a 5060->5062 5061->5060 5061->5062 5062->5049 5065 401ef0 5063->5065 5064 401f1c 5066 401d00 9 API calls 5064->5066 5068 401f40 5064->5068 5065->5064 5065->5068 5069 401e58 5065->5069 5066->5068 5068->4946 5068->4947 5074 4016d8 5069->5074 5072 401e75 5072->5065 5073 401dcc 9 API calls 5073->5072 5077 4016f4 5074->5077 5076 4016fe 5078 4015c4 VirtualAlloc 5076->5078 5077->5076 5079 40175b 5077->5079 5080 40132c LocalAlloc 5077->5080 5081 40174f 5077->5081 5084 401430 5077->5084 5082 40170a 5078->5082 5079->5072 5079->5073 5080->5077 5083 40150c VirtualFree 5081->5083 5082->5079 5083->5079 5085 40143f VirtualAlloc 5084->5085 5087 40146c 5085->5087 5088 40148f 5085->5088 5089 4012e4 LocalAlloc 5087->5089 5088->5077 5090 401478 5089->5090 5090->5088 5091 40147c VirtualFree 5090->5091 5091->5088 6426 4028d2 6427 4028da 6426->6427 6428 403554 4 API calls 6427->6428 6429 4028ef 6427->6429 6428->6427 6430 4025ac 4 API calls 6429->6430 6431 4028f4 6430->6431 6796 4019d3 6797 4019ba 6796->6797 6798 4019c3 RtlLeaveCriticalSection 6797->6798 6799 4019cd 6797->6799 6798->6799 6800 4065d4 IsDBCSLeadByte 6801 4065ec 6800->6801 6432 40a0d9 6441 409448 6432->6441 6435 402f24 5 API calls 6436 40a0e3 6435->6436 6437 403198 4 API calls 6436->6437 6438 40a102 6437->6438 6439 403198 4 API calls 6438->6439 6440 40a10a 6439->6440 6450 4055fc 6441->6450 6443 409463 6444 409491 6443->6444 6456 407130 6443->6456 6447 403198 4 API calls 6444->6447 6446 409481 6449 409489 MessageBoxA 6446->6449 6448 4094a6 6447->6448 6448->6435 6449->6444 6451 403154 4 API calls 6450->6451 6452 405601 6451->6452 6453 405619 6452->6453 6454 403154 4 API calls 6452->6454 6453->6443 6455 40560f 6454->6455 6455->6443 6457 4055fc 4 API calls 6456->6457 6458 40713f 6457->6458 6459 407153 
6458->6459 6460 407145 6458->6460 6462 407163 6459->6462 6465 40716f 6459->6465 6461 40322c 4 API calls 6460->6461 6464 407151 6461->6464 6467 4070f4 6462->6467 6464->6446 6474 4032b8 6465->6474 6468 40322c 4 API calls 6467->6468 6469 407103 6468->6469 6470 407120 6469->6470 6471 406894 CharPrevA 6469->6471 6470->6464 6472 40710f 6471->6472 6472->6470 6473 4032fc 4 API calls 6472->6473 6473->6470 6475 403278 4 API calls 6474->6475 6476 4032c2 6475->6476 6476->6464 6805 407bdb 6808 407be1 6805->6808 6806 40322c 4 API calls 6807 407c79 6806->6807 6809 4032fc 4 API calls 6807->6809 6808->6806 6810 407c83 6809->6810 6811 4057e0 4 API calls 6810->6811 6812 407c92 6811->6812 6813 403198 4 API calls 6812->6813 6814 407cac 6813->6814 6217 4074dc SetFilePointer 6218 40750f 6217->6218 6219 4074ff GetLastError 6217->6219 6219->6218 6220 407508 6219->6220 6221 4073a4 21 API calls 6220->6221 6221->6218 5092 4075e0 WriteFile 5093 407600 5092->5093 5094 407607 5092->5094 5098 4073a4 GetLastError 5093->5098 5096 407618 5094->5096 5101 407304 5094->5101 5099 407304 20 API calls 5098->5099 5100 4073b5 5099->5100 5100->5094 5110 4071a8 FormatMessageA 5101->5110 5104 40734c 5117 4057e0 5104->5117 5107 40735b 5121 403198 5107->5121 5111 4071ce 5110->5111 5125 403278 5111->5125 5114 4050e4 5152 4050f8 5114->5152 5118 4057e7 5117->5118 5119 4031e8 4 API calls 5118->5119 5120 4057ff 5119->5120 5120->5107 5122 4031b7 5121->5122 5123 40319e 5121->5123 5122->5096 5123->5122 5124 4025ac 4 API calls 5123->5124 5124->5122 5130 403254 5125->5130 5127 403288 5128 403198 4 API calls 5127->5128 5129 4032a0 5128->5129 5129->5104 5129->5114 5131 403274 5130->5131 5132 403258 5130->5132 5131->5127 5135 402594 5132->5135 5134 403261 5134->5127 5136 402598 5135->5136 5137 4025a2 5135->5137 5136->5137 5139 403154 5136->5139 5137->5134 5137->5137 5140 403164 5139->5140 5141 40318c TlsGetValue 5139->5141 5140->5137 5142 403196 5141->5142 5143 40316f 5141->5143 5142->5137 5147 40310c 5143->5147 5145 403174 
TlsGetValue 5146 403184 5145->5146 5146->5137 5148 403120 LocalAlloc 5147->5148 5149 403116 5147->5149 5150 40313e TlsSetValue 5148->5150 5151 403132 5148->5151 5149->5148 5150->5151 5151->5145 5153 405115 5152->5153 5160 404da8 5153->5160 5156 405141 5157 403278 4 API calls 5156->5157 5159 4050f3 5157->5159 5159->5104 5163 404dc3 5160->5163 5161 404dd5 5161->5156 5165 404b34 5161->5165 5163->5161 5168 404eca 5163->5168 5175 404d9c 5163->5175 5285 405890 5165->5285 5167 404b45 5167->5156 5169 404edb 5168->5169 5172 404f29 5168->5172 5169->5172 5173 404faf 5169->5173 5171 404f47 5171->5163 5172->5171 5178 404d44 5172->5178 5173->5171 5182 404d88 5173->5182 5176 403198 4 API calls 5175->5176 5177 404da6 5176->5177 5177->5163 5179 404d52 5178->5179 5185 404b4c 5179->5185 5181 404d80 5181->5172 5215 4039a4 5182->5215 5188 405900 5185->5188 5187 404b65 5187->5181 5189 40590e 5188->5189 5198 404c2c LoadStringA 5189->5198 5192 4050e4 19 API calls 5193 405946 5192->5193 5201 4031e8 5193->5201 5199 403278 4 API calls 5198->5199 5200 404c59 5199->5200 5200->5192 5202 4031ec 5201->5202 5203 4031fc 5201->5203 5202->5203 5205 403254 4 API calls 5202->5205 5204 403228 5203->5204 5211 4025ac 5203->5211 5207 4031b8 5204->5207 5205->5203 5209 4031be 5207->5209 5208 4031e3 5208->5187 5209->5208 5210 4025ac 4 API calls 5209->5210 5210->5209 5212 4025b0 5211->5212 5213 4025ba 5211->5213 5212->5213 5214 403154 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5212->5214 5213->5204 5213->5213 5214->5213 5216 4039ab 5215->5216 5221 4038b4 5216->5221 5218 4039cb 5219 403198 4 API calls 5218->5219 5220 4039d2 5219->5220 5220->5171 5222 4038d5 5221->5222 5223 4038c8 5221->5223 5225 403934 5222->5225 5226 4038db 5222->5226 5249 403780 5223->5249 5227 403993 5225->5227 5228 40393b 5225->5228 5230 4038e1 5226->5230 5231 4038ee 5226->5231 5236 4037f4 3 API calls 5227->5236 5232 403941 5228->5232 5233 40394b 5228->5233 5229 4038d0 5229->5218 5256 403894 5230->5256 5235 403894 6 API calls 5231->5235 
5271 403864 5232->5271 5238 4037f4 3 API calls 5233->5238 5239 4038fc 5235->5239 5236->5229 5240 40395d 5238->5240 5261 4037f4 5239->5261 5242 403864 9 API calls 5240->5242 5244 403976 5242->5244 5243 403917 5267 40374c 5243->5267 5246 40374c VariantClear 5244->5246 5248 40398b 5246->5248 5247 40392c 5247->5218 5248->5218 5250 4037f0 5249->5250 5251 403744 5249->5251 5250->5229 5251->5249 5252 403793 VariantClear 5251->5252 5253 403198 4 API calls 5251->5253 5254 4037ab 5251->5254 5255 4037dc VariantCopyInd 5251->5255 5252->5251 5253->5251 5254->5229 5255->5250 5255->5251 5276 4036b8 5256->5276 5259 40374c VariantClear 5260 4038a9 5259->5260 5260->5229 5262 403845 VariantChangeTypeEx 5261->5262 5263 40380a VariantChangeTypeEx 5261->5263 5266 403832 5262->5266 5264 403826 5263->5264 5265 40374c VariantClear 5264->5265 5265->5266 5266->5243 5268 403766 5267->5268 5269 403759 5267->5269 5268->5247 5269->5268 5270 403779 VariantClear 5269->5270 5270->5247 5282 40369c SysStringLen 5271->5282 5274 40374c VariantClear 5275 403882 5274->5275 5275->5229 5277 4036cb 5276->5277 5278 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5277->5278 5279 4036db 5277->5279 5280 40372e 5278->5280 5281 4036ed MultiByteToWideChar SysAllocStringLen 5279->5281 5280->5259 5281->5280 5283 403610 7 API calls 5282->5283 5284 4036b3 5283->5284 5284->5274 5286 40589c 5285->5286 5287 404c2c 5 API calls 5286->5287 5288 4058c2 5287->5288 5289 4031e8 4 API calls 5288->5289 5290 4058cd 5289->5290 5291 403198 4 API calls 5290->5291 5292 4058e2 5291->5292 5292->5167 6481 409ee4 6482 409f14 6481->6482 6483 409f1e CreateWindowExA SetWindowLongA 6482->6483 6484 4050e4 19 API calls 6483->6484 6485 409fa1 6484->6485 6486 4032fc 4 API calls 6485->6486 6487 409faf 6486->6487 6488 4032fc 4 API calls 6487->6488 6489 409fbc 6488->6489 6490 406ab8 5 API calls 6489->6490 6491 409fc8 6490->6491 6492 4032fc 4 API calls 6491->6492 6493 409fd1 6492->6493 6494 4097bc 29 API calls 6493->6494 6495 409fe3 
6494->6495 6496 4095d0 5 API calls 6495->6496 6497 409ff6 6495->6497 6496->6497 6498 409330 9 API calls 6497->6498 6500 40a02f 6497->6500 6498->6500 6499 40a048 6501 40a051 73A25CF0 6499->6501 6502 40a05c 6499->6502 6500->6499 6503 40a042 RemoveDirectoryA 6500->6503 6501->6502 6504 40a084 6502->6504 6505 40357c 4 API calls 6502->6505 6503->6499 6506 40a07a 6505->6506 6507 4025ac 4 API calls 6506->6507 6507->6504 6819 402be9 RaiseException 6820 402c04 6819->6820 6522 402af2 6523 402afe 6522->6523 6526 402ed0 6523->6526 6527 403154 4 API calls 6526->6527 6529 402ee0 6527->6529 6528 402b03 6529->6528 6531 402b0c 6529->6531 6532 402b25 6531->6532 6533 402b15 RaiseException 6531->6533 6532->6528 6533->6532 6534 405af2 6536 405af4 6534->6536 6535 405b30 6539 405890 5 API calls 6535->6539 6536->6535 6537 405b47 6536->6537 6538 405b2a 6536->6538 6543 404c2c 5 API calls 6537->6543 6538->6535 6540 405b9c 6538->6540 6541 405b43 6539->6541 6542 405900 19 API calls 6540->6542 6545 403198 4 API calls 6541->6545 6542->6541 6544 405b70 6543->6544 6546 405900 19 API calls 6544->6546 6547 405bd6 6545->6547 6546->6541 6566 409ef6 6567 409f3a CreateWindowExA SetWindowLongA 6566->6567 6568 409efa 6566->6568 6569 409fa1 6567->6569 6570 4050e4 19 API calls 6567->6570 6568->6567 6571 4032fc 4 API calls 6569->6571 6570->6569 6572 409faf 6571->6572 6573 4032fc 4 API calls 6572->6573 6574 409fbc 6573->6574 6575 406ab8 5 API calls 6574->6575 6576 409fc8 6575->6576 6577 4032fc 4 API calls 6576->6577 6578 409fd1 6577->6578 6579 4097bc 29 API calls 6578->6579 6580 409fe3 6579->6580 6581 4095d0 5 API calls 6580->6581 6582 409ff6 6580->6582 6581->6582 6583 40a02f 6582->6583 6584 409330 9 API calls 6582->6584 6585 40a048 6583->6585 6588 40a042 RemoveDirectoryA 6583->6588 6584->6583 6586 40a051 73A25CF0 6585->6586 6587 40a05c 6585->6587 6586->6587 6589 40a084 6587->6589 6590 40357c 4 API calls 6587->6590 6588->6585 6591 40a07a 6590->6591 6592 4025ac 4 API calls 6591->6592 6592->6589 6825 402dfa 6826 
402e26 6825->6826 6827 402e0d 6825->6827 6829 402ba4 6827->6829 6830 402bc9 6829->6830 6831 402bad 6829->6831 6830->6826 6832 402bb5 RaiseException 6831->6832 6832->6830 6593 403a80 CloseHandle 6594 403a90 6593->6594 6595 403a91 GetLastError 6593->6595 6600 404283 6601 4042c3 6600->6601 6602 403154 4 API calls 6601->6602 6603 404323 6602->6603 6837 404185 6838 4041ff 6837->6838 6839 4041cc 6838->6839 6840 403154 4 API calls 6838->6840 6841 404323 6840->6841 6608 403e87 6609 403e4c 6608->6609 6610 403e62 6609->6610 6611 403e7b 6609->6611 6615 403e67 6609->6615 6612 403cc8 4 API calls 6610->6612 6613 402674 4 API calls 6611->6613 6612->6615 6614 403e78 6613->6614 6615->6614 6616 402674 4 API calls 6615->6616 6616->6614 6846 408d88 6849 408c58 6846->6849 6850 408c61 6849->6850 6851 403198 4 API calls 6850->6851 6852 408c6f 6850->6852 6851->6850 6617 40a091 6618 40a003 6617->6618 6619 40a02f 6618->6619 6620 409330 9 API calls 6618->6620 6621 40a048 6619->6621 6624 40a042 RemoveDirectoryA 6619->6624 6620->6619 6622 40a051 73A25CF0 6621->6622 6623 40a05c 6621->6623 6622->6623 6625 40a084 6623->6625 6626 40357c 4 API calls 6623->6626 6624->6621 6627 40a07a 6626->6627 6628 4025ac 4 API calls 6627->6628 6628->6625 6629 408a92 6630 408a9b 6629->6630 6631 403198 4 API calls 6630->6631 6639 408b35 6631->6639 6632 408b60 6633 4031b8 4 API calls 6632->6633 6634 408be5 6633->6634 6635 408b4c 6638 4032fc 4 API calls 6635->6638 6636 403278 4 API calls 6636->6639 6637 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6637->6639 6638->6632 6639->6632 6639->6635 6639->6636 6639->6637 6653 40a096 6654 40a09f 6653->6654 6656 40a0ca 6653->6656 6663 4092a0 6654->6663 6658 403198 4 API calls 6656->6658 6657 40a0a4 6657->6656 6660 40a0c2 MessageBoxA 6657->6660 6659 40a102 6658->6659 6661 403198 4 API calls 6659->6661 6660->6656 6662 40a10a 6661->6662 6664 409307 ExitWindowsEx 6663->6664 6665 4092ac GetCurrentProcess OpenProcessToken 6663->6665 6667 4092be 6664->6667 6666 4092c2 
LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6665->6666 6665->6667 6666->6664 6666->6667 6667->6657 6668 403a97 6669 403aac 6668->6669 6670 403bbc GetStdHandle 6669->6670 6671 403b0e CreateFileA 6669->6671 6681 403ab2 6669->6681 6672 403c17 GetLastError 6670->6672 6675 403bba 6670->6675 6671->6672 6673 403b2c 6671->6673 6672->6681 6674 403b3b GetFileSize 6673->6674 6673->6675 6674->6672 6677 403b4e SetFilePointer 6674->6677 6678 403be7 GetFileType 6675->6678 6675->6681 6677->6672 6682 403b6a ReadFile 6677->6682 6680 403c02 CloseHandle 6678->6680 6678->6681 6680->6681 6682->6672 6683 403b8c 6682->6683 6683->6675 6684 403b9f SetFilePointer 6683->6684 6684->6672 6685 403bb0 SetEndOfFile 6684->6685 6685->6672 6685->6675 6865 4011aa 6866 4011ac GetStdHandle 6865->6866 6693 4028ac 6694 402594 4 API calls 6693->6694 6695 4028b6 6694->6695 6700 4050b0 6701 4050c3 6700->6701 6702 404da8 19 API calls 6701->6702 6703 4050d7 6702->6703 6708 401ab9 6709 401a96 6708->6709 6710 401aa9 RtlDeleteCriticalSection 6709->6710 6711 401a9f RtlLeaveCriticalSection 6709->6711 6711->6710

                                              Control-flow Graph
                                              control_flow_graph 163 409948-40996c GetSystemInfo VirtualQuery 164 409972 163->164 165 4099fc-409a03 163->165 166 4099f1-4099f6 164->166 166->165 167 409974-40997b 166->167 168 4099dd-4099ef VirtualQuery 167->168 169 40997d-409981 167->169 168->165 168->166 169->168 170 409983-40998b 169->170 171 40999c-4099ad VirtualProtect 170->171 172 40998d-409990 170->172 174 4099b1-4099b3 171->174 175 4099af 171->175 172->171 173 409992-409995 172->173 173->171 176 409997-40999a 173->176 177 4099c2-4099c5 174->177 175->174 176->171 176->174 178 4099b5-4099be call 409940 177->178 179 4099c7-4099c9 177->179 178->177 179->168 181 4099cb-4099d8 VirtualProtect 179->181 181->168
                                              APIs
                                              • GetSystemInfo.KERNEL32(?), ref: 0040995A
                                              • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409965
                                              • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 004099A6
                                              • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 004099D8
                                              • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 004099E8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Virtual$ProtectQuery$InfoSystem
                                              • String ID:
                                              • API String ID: 2441996862-0
                                              • Opcode ID: 2c2c90e72dc40e46b51dc553d84ebc029875cc2798a18ec57c7a7b28b8fc0619
                                              • Instruction ID: c51dc94dc7e70e4f078c95023904a162ea503a2a47d9e89981edb447ffe3f24e
                                              • Opcode Fuzzy Hash: 2c2c90e72dc40e46b51dc553d84ebc029875cc2798a18ec57c7a7b28b8fc0619
                                              • Instruction Fuzzy Hash: 5F216DF12002046BDA309A598D85E6BB7D89B45360F08492FFA89E37C3D738ED40D669
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID:
                                              • API String ID: 2299586839-0
                                              • Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                              • Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
                                              • Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                              • Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F40
                                              • SetWindowLongA.USER32(0001046E,000000FC,00409730), ref: 00409F57
                                                • Part of subcall function 00406AB8: GetCommandLineA.KERNEL32(00000000,00406AFC,?,?,?,?,00000000,?,00409FC8,?), ref: 00406AD0
                                                • Part of subcall function 004097BC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8,00000000,0040988F), ref: 0040982C
                                                • Part of subcall function 004097BC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8,00000000), ref: 00409840
                                                • Part of subcall function 004097BC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409859
                                                • Part of subcall function 004097BC: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040986B
                                                • Part of subcall function 004097BC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8), ref: 00409874
                                              • RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
                                              • 73A25CF0.USER32(0001046E,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC$`@A
                                              • API String ID: 978128352-2136915388
                                              • Opcode ID: 236cca2b7f0ad913bc20f36f3a7df695144f04c2335042181becfcebe84b62ef
                                              • Instruction ID: 4f29ae81ace6c5531c846cbde0b22070d88524e95894dc47e3de1b2ea254153d
                                              • Opcode Fuzzy Hash: 236cca2b7f0ad913bc20f36f3a7df695144f04c2335042181becfcebe84b62ef
                                              • Instruction Fuzzy Hash: 19412A70600205DFD711EBA9EE85B9E7BA5EB88304F10427BF510B72E2DB789805DB5D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,02071E74), ref: 004093B8
                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F40
                                              • SetWindowLongA.USER32(0001046E,000000FC,00409730), ref: 00409F57
                                                • Part of subcall function 00406AB8: GetCommandLineA.KERNEL32(00000000,00406AFC,?,?,?,?,00000000,?,00409FC8,?), ref: 00406AD0
                                                • Part of subcall function 004097BC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8,00000000,0040988F), ref: 0040982C
                                                • Part of subcall function 004097BC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8,00000000), ref: 00409840
                                                • Part of subcall function 004097BC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409859
                                                • Part of subcall function 004097BC: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040986B
                                                • Part of subcall function 004097BC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8), ref: 00409874
                                              • RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
                                              • 73A25CF0.USER32(0001046E,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
                                              • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC$`@A
                                              • API String ID: 240127915-2136915388
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A87), ref: 00408F1C
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F22
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95,?,?,?,?,00000000,?,00409A87), ref: 00408F36
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408F3C
                                              Strings
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                              • API String ID: 1646373207-2130885113
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00409F40
                                              • SetWindowLongA.USER32(0001046E,000000FC,00409730), ref: 00409F57
                                              • RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
                                              • 73A25CF0.USER32(0001046E,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057
                                              Strings
                                              Similarity
                                              • API ID: Window$CreateDirectoryLongRemove
                                              • String ID: /SL5="$%x,%d,%d,$`@A
                                              • API String ID: 3138356250-1763504858
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8,00000000,0040988F), ref: 0040982C
                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8,00000000), ref: 00409840
                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409859
                                              • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 0040986B
                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004098B4,02071E74,004098A8), ref: 00409874
                                                • Part of subcall function 00409394: GetLastError.KERNEL32(00000000,00409437,?,0040B240,?,02071E74), ref: 004093B8
                                              Strings
                                              Similarity
                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                              • String ID: D
                                              • API String ID: 3356880605-2746444292
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 144 4019dc-4019e7 145 401abb-401abd 144->145 146 4019ed-401a02 144->146 147 401a04-401a09 RtlEnterCriticalSection 146->147 148 401a0e-401a2d LocalFree 146->148 147->148 149 401a41-401a47 148->149 150 401a49-401a6e call 4012dc * 3 149->150 151 401a2f-401a3f VirtualFree 149->151 158 401a70-401a85 LocalFree 150->158 159 401a87-401a9d 150->159 151->149 158->158 158->159 161 401aa9-401ab3 RtlDeleteCriticalSection 159->161 162 401a9f-401aa4 RtlLeaveCriticalSection 159->162 162->161
                                              APIs
                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                              • LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
                                              • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                              • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                              Similarity
                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                              • String ID:
                                              • API String ID: 3782394904-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 183 403d02-403d10 184 403d12-403d19 183->184 185 403d29-403d30 183->185 186 403ddf-403de5 ExitProcess 184->186 187 403d1f 184->187 188 403d32-403d3c 185->188 189 403d3e-403d45 185->189 187->185 192 403d21-403d23 187->192 188->185 190 403d47-403d51 189->190 191 403db8-403dcc call 403cc8 * 2 call 4019dc 189->191 193 403d56-403d62 190->193 208 403dd1-403dd8 191->208 192->185 195 403dea-403e19 call 4030b4 192->195 193->193 197 403d64-403d6e 193->197 200 403d73-403d84 197->200 200->200 203 403d86-403d8d 200->203 206 403da4-403db3 call 403fe4 call 403f67 203->206 207 403d8f-403da2 MessageBoxA 203->207 206->191 207->191 208->195 210 403dda call 4030b4 208->210 210->186
                                              APIs
                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                              • ExitProcess.KERNEL32 ref: 00403DE5
                                              Strings
                                              Similarity
                                              • API ID: ExitMessageProcess
                                              • String ID: Error$Runtime error at 00000000
                                              • API String ID: 1220098344-2970929446
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CBA
                                              Strings
                                              Similarity
                                              • API ID: Message
                                              • String ID: .tmp$`@A
                                              • API String ID: 2030045667-1248094772
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409CBA
                                              Strings
                                              Similarity
                                              • API ID: Message
                                              • String ID: .tmp$`@A
                                              • API String ID: 2030045667-1248094772
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091CE
                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,00409277,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091D7
                                              Strings
                                              Similarity
                                              • API ID: CreateDirectoryErrorLast
                                              • String ID: .tmp
                                              • API String ID: 1375471231-2986845003
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 339 409330-409341 340 409343-409344 339->340 341 40938a-40938f 339->341 342 409346-409349 340->342 343 409356-409359 342->343 344 40934b-409354 Sleep 342->344 345 409364-409369 call 408e14 343->345 346 40935b-40935f Sleep 343->346 344->345 348 40936e-409370 345->348 346->345 348->341 349 409372-40937a GetLastError 348->349 349->341 350 40937c-409384 GetLastError 349->350 350->341 351 409386-409388 350->351 351->341 351->342
                                              APIs
                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040934F
                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040935F
                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 00409372
                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040937C
                                              Similarity
                                              • API ID: ErrorLastSleep
                                              • String ID:
                                              • API String ID: 1458359878-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,00000000,00408E71,?,0000000D,00000000), ref: 00408E4B
                                              • GetLastError.KERNEL32(00000000,00000000,00408E71,?,0000000D,00000000), ref: 00408E53
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 2018770650-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RemoveDirectoryA.KERNEL32(00000000,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A043
                                              • 73A25CF0.USER32(0001046E,0040A096,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A057
                                                • Part of subcall function 00409330: Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040934F
                                                • Part of subcall function 00409330: GetLastError.KERNEL32(?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 00409372
                                                • Part of subcall function 00409330: GetLastError.KERNEL32(?,?,?,0000000D,?,0040A02F,000000FA,00000032,0040A096), ref: 0040937C
                                              Similarity
                                              • API ID: ErrorLast$DirectoryRemoveSleep
                                              • String ID:
                                              • API String ID: 936953547-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 421 406ec4-406f17 SetErrorMode call 403414 LoadLibraryA
                                              APIs
                                              • SetErrorMode.KERNEL32(00008000), ref: 00406ECE
                                              • LoadLibraryA.KERNEL32(00000000,00000000,00406F18,?,00000000,00406F36,?,00008000), ref: 00406EFD
                                              Similarity
                                              • API ID: ErrorLibraryLoadMode
                                              • String ID:
                                              • API String ID: 2987862817-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040755B
                                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0040756A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastRead
                                              • String ID:
                                              • API String ID: 1948546556-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075A3
                                              • GetLastError.KERNEL32(?,?,?,00000000), ref: 004075AB
                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020703AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast$FilePointer
                                              • String ID:
                                              • API String ID: 1156039329-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004074F3
                                              • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004074FF
                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020703AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast$FilePointer
                                              • String ID:
                                              • API String ID: 1156039329-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Virtual$AllocFree
                                              • String ID:
                                              • API String ID: 2087232378-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF
                                                • Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49
                                                • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                              • String ID:
                                              • API String ID: 1658689577-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CharPrev
                                              • String ID:
                                              • API String ID: 122130370-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004074D0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 004068B4: CharPrevA.USER32(00000000,00000000,?,?,?,00000000,0040693A,00000000,00406960,?,?,?,?,00000000,?,00406975), ref: 004068DC
                                              • GetFileAttributesA.KERNEL32(00000000,00000000,00406960,?,?,?,?,00000000,?,00406975,00406CA3,00000000,00406CE8,?,?,?), ref: 00406943
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AttributesCharFilePrev
                                              • String ID:
                                              • API String ID: 4082512850-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004075F7
                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020703AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastWrite
                                              • String ID:
                                              • API String ID: 442123175-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00408F7F,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00408F95), ref: 004071C7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FormatMessage
                                              • String ID:
                                              • API String ID: 1306739567-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetEndOfFile.KERNEL32(?,02088000,00409E9B,00000000), ref: 004075CB
                                                • Part of subcall function 004073A4: GetLastError.KERNEL32(004072A4,00407442,?,?,020703AC,?,00409AE1,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 004073A7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorFileLast
                                              • String ID:
                                              • API String ID: 734332943-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNEL32(?,00406F3D), ref: 00406F30
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,004018BF), ref: 004016B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              • API String ID: 1263568516-0
                                              • Opcode ID: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
                                              • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                              • Opcode Fuzzy Hash: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
                                              • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseHandle
                                              • String ID:
                                              • API String ID: 2962429428-0
                                              • Opcode ID: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
                                              • Instruction ID: 0a303eee8e17872e34e3f08f3f74197a254d67d3e0467507f6d8b9a4d6bdce8a
                                              • Opcode Fuzzy Hash: 57bb830fb3630d9a83ec57f7eac22a277ae175c199a92d969abe11a9c095749b
                                              • Instruction Fuzzy Hash: 9FD0A7C1B00A6017D315F6BF498865B96C85F88685F08843BF684E73D1D67CAC00C3CD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E3A), ref: 00407D73
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              • API String ID: 1263568516-0
                                              • Opcode ID: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
                                              • Instruction ID: 987a95dec6bedafdacc6f30d71d69a0298e18a8a9a30f6cccb61f0e346f0d057
                                              • Opcode Fuzzy Hash: f18d662fc38f0284a7c8bdb2170b2a8644905928442529ab0c2341243e9dd2c5
                                              • Instruction Fuzzy Hash: 6FD0E9B17557045BDB90EEB94CC1B1237D97F48600F5044B66904EB296E674E800D614
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028), ref: 004092AF
                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004092B5
                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004092CE
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092F5
                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004092FA
                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0040930B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 107509674-3733053543
                                              • Opcode ID: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
                                              • Instruction ID: 46e638963846eb8b1a8eef1e5041d40b59806408d3aca7422040dec9ba119927
                                              • Opcode Fuzzy Hash: 2a0162333a77e08806ee048c8adb2592b0adbd8e17023ac1d43b711a23017a7c
                                              • Instruction Fuzzy Hash: 3FF012B079430276E620AAB58D07F6B62885BC5B48F50493EBA51FA1D3D7BCD8044A6E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409A0E
                                              • SizeofResource.KERNEL32(00000000,00000000,?,00409AF9,00000000,0040A08C,?,00000001,00000000,00000002,00000000,0040A0D4,?,00000000,0040A10B), ref: 00409A21
                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409AF9,00000000,0040A08C,?,00000001,00000000,00000002,00000000,0040A0D4,?,00000000), ref: 00409A33
                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409AF9,00000000,0040A08C,?,00000001,00000000,00000002,00000000,0040A0D4), ref: 00409A44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Resource$FindLoadLockSizeof
                                              • String ID:
                                              • API String ID: 3473537107-0
                                              • Opcode ID: 13ffe1952f0d95e29d084444e35be522072a07585fb49b2685a126b429e6487b
                                              • Instruction ID: d67f3324bf52c58dde7a17cbdb2efc6a036c8c105ddb558a6a56d7c7a7ea3d45
                                              • Opcode Fuzzy Hash: 13ffe1952f0d95e29d084444e35be522072a07585fb49b2685a126b429e6487b
                                              • Instruction Fuzzy Hash: 30E07E913A434225FA6036F708C3B6A014C8BA670EF04503BBB00792C3DEBC8C04452E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID:
                                              • API String ID: 2299586839-0
                                              • Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                              • Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
                                              • Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                              • Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemTime.KERNEL32(?), ref: 004026CE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: SystemTime
                                              • String ID:
                                              • API String ID: 2656138-0
                                              • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                              • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                              • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                              • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409A78), ref: 00405C52
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Version
                                              • String ID:
                                              • API String ID: 1889659487-0
                                              • Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                              • Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
                                              • Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                              • Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                              • Instruction ID: bf64fe3dbf7489daa5b396f442bfdc43c732794851cc1dd68f6a4bedb61b4a1f
                                              • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                              • Instruction Fuzzy Hash: 7F32E875E00219DFCB14CF99CA80A9DB7B2BF88314F24816AD855B7395DB34AE42CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406F71
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406F77
                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0040704D), ref: 00406FC5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressCloseHandleModuleProc
                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                              • API String ID: 4190037839-2401316094
                                              • Opcode ID: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
                                              • Instruction ID: 82a514a35929d101a3f87db01d263b67a2005a07a92a8f1bbb0e3c876c3699bd
                                              • Opcode Fuzzy Hash: f607686cc0d7273f9df9d94dd6e76e9aefdf0fdd96e28e4fed3be5d0e4603d73
                                              • Instruction Fuzzy Hash: F3214130E44209AFDB10EAA1CC56B9F77B8AB44304F60857BA605F72C1D77CAA05C79E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                              • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                              • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                              • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                              • String ID:
                                              • API String ID: 1694776339-0
                                              • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                              • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                              • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                              • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E
                                                • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                • Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoLocale$DefaultSystem
                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                              • API String ID: 1044490935-665933166
                                              • Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                              • Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
                                              • Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                              • Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocString
                                              • String ID:
                                              • API String ID: 262959230-0
                                              • Opcode ID: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
                                              • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                              • Opcode Fuzzy Hash: daf431a3c2bb6397145c0312c95092c7dd6e0c4ca2be07fc82856b41fd6094de
                                              • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,02070400,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040192E
                                              • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,02070400,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 00401941
                                              • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,02070400,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 0040196B
                                              • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,02070400,?,00000000,?,?,00401B95,00401BAA,00401CEE), ref: 004019C8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                              • String ID:
                                              • API String ID: 730355536-0
                                              • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                              • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                              • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                              • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(00000000,00409A6E), ref: 004030E3
                                              • GetCommandLineA.KERNEL32(00000000,00409A6E), ref: 004030EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2231806346.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2231789589.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231820577.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2231836328.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CommandHandleLineModule
                                              • String ID: U1hd.@
                                              • API String ID: 2123368496-2904493091
                                              • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                              • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                              • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                              • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:14.6%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:6.4%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:83
49359 407873 49358->49359 49360 407558 19 API calls 49359->49360 49361 407887 GlobalAddAtomA GetCurrentThreadId 49360->49361 49361->49345 49363 40b56b 49362->49363 49364 40b58b 49363->49364 49399 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49363->49399 49366 423070 49364->49366 49367 42307a 49366->49367 49400 4101c8 49367->49400 49371 423097 49399->49364 49401 4101cf 49400->49401 49403 4101f2 49401->49403 49409 410360 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49401->49409 49404 4231e4 LoadCursorA 49403->49404 49405 423203 49404->49405 49406 423217 LoadCursorA 49405->49406 49408 423234 49405->49408 49408->49371 49409->49403 50980 42228c 50981 42229b 50980->50981 50986 42121c 50981->50986 50984 4222bb 50987 42128b 50986->50987 51000 42122b 50986->51000 50990 42129c 50987->50990 51011 412478 GetMenuItemCount GetMenuStringA GetMenuState 50987->51011 50989 4212ca 50996 42133d 50989->50996 51001 4212e5 50989->51001 50990->50989 50991 421362 50990->50991 50993 421376 SetMenu 50991->50993 51008 42133b 50991->51008 50992 42138e 51014 421164 10 API calls 50992->51014 50993->51008 50998 421351 50996->50998 50996->51008 50997 421395 50997->50984 51009 422190 10 API calls 50997->51009 51002 42135a SetMenu 50998->51002 51000->50987 51010 408ccc 19 API calls 51000->51010 51003 421308 GetMenu 51001->51003 51001->51008 51002->51008 51004 421312 51003->51004 51005 42132b 51003->51005 51007 421325 SetMenu 51004->51007 51012 412478 GetMenuItemCount GetMenuStringA GetMenuState 51005->51012 51007->51005 51008->50992 51013 421dd4 11 API calls 51008->51013 51009->50984 51010->51000 51011->50990 51012->51008 51013->50992 51014->50997 51015 40d014 51016 40d01c 51015->51016 51017 40d04a 51016->51017 51018 40d03f 51016->51018 51022 40d046 51016->51022 51020 40d060 51017->51020 51021 40d04e 51017->51021 51027 4062a0 GlobalHandle GlobalUnWire GlobalFree 51018->51027 51029 406284 GlobalHandle GlobalUnWire GlobalReAlloc GlobalFix 51020->51029 51028 406274 GlobalAlloc 
GlobalFix 51021->51028 51025 40d05c 51025->51022 51026 408c5c 5 API calls 51025->51026 51026->51022 51027->51022 51028->51025 51029->51025 51030 416594 73A25CF0 51031 479727 51032 4502b0 5 API calls 51031->51032 51033 47973b 51032->51033 51034 47889c 23 API calls 51033->51034 51035 47975f 51034->51035 51036 416ba0 51039 41369c 51036->51039 51038 416bac 51040 4136a7 GetWindowThreadProcessId 51039->51040 51041 4136cc 51039->51041 51040->51041 51042 4136b2 GetCurrentProcessId 51040->51042 51041->51038 51042->51041 51043 4136bc GetPropA 51042->51043 51043->51041 51044 466924 51045 46695a 51044->51045 51071 466b47 51044->51071 51047 46698e 51045->51047 51050 4669b6 51045->51050 51051 4669c7 51045->51051 51052 4669a5 51045->51052 51053 4669d8 51045->51053 51054 4669e9 51045->51054 51046 403400 4 API calls 51049 466bd3 51046->51049 51048 4641fc 19 API calls 51047->51048 51047->51071 51063 466a0b 51048->51063 51059 403400 4 API calls 51049->51059 51195 466378 36 API calls 51050->51195 51196 4664c0 52 API calls 51051->51196 51194 466210 41 API calls 51052->51194 51197 466694 58 API calls 51053->51197 51198 4668b4 40 API calls 51054->51198 51062 466bdb 51059->51062 51061 4669ab 51061->51047 51061->51071 51063->51071 51074 466a4d 51063->51074 51199 48cf80 18 API calls 51063->51199 51065 464138 19 API calls 51065->51074 51066 466b34 51080 47bf8c 51066->51080 51067 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51067->51074 51068 414a90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51068->51074 51069 42caa4 6 API calls 51069->51074 51071->51046 51074->51065 51074->51066 51074->51067 51074->51068 51074->51069 51074->51071 51075 465c24 23 API calls 51074->51075 51077 466bb5 51074->51077 51097 465b50 51074->51097 51104 465488 51074->51104 51124 47bb48 51074->51124 51200 465ff0 19 API calls 51074->51200 51075->51074 51078 465c24 23 API calls 51077->51078 51078->51071 51081 47bfc3 51080->51081 51082 47bfd6 51081->51082 51083 47bfcc 51081->51083 51087 47bff2 51082->51087 
51088 461e6c 20 API calls 51082->51088 51201 47bea4 51083->51201 51085 47bfd1 51210 47b14c 51085->51210 51087->51085 51089 455970 23 API calls 51087->51089 51091 47c034 51088->51091 51089->51085 51209 477d10 36 API calls 51091->51209 51094 47c0a2 51095 403400 4 API calls 51094->51095 51096 47c0b7 51095->51096 51096->51071 51098 465b61 51097->51098 51099 465b5c 51097->51099 51587 465008 42 API calls 51098->51587 51103 465b5f 51099->51103 51502 4655c8 51099->51502 51101 465b69 51101->51074 51103->51074 51105 4654af 51104->51105 51603 476d64 51105->51603 51107 4654c1 51108 461e6c 20 API calls 51107->51108 51123 46551f 51107->51123 51110 4654cf 51108->51110 51109 403400 4 API calls 51111 465550 51109->51111 51112 40357c 4 API calls 51110->51112 51111->51074 51113 4654dc 51112->51113 51114 40357c 4 API calls 51113->51114 51115 4654e9 51114->51115 51116 40357c 4 API calls 51115->51116 51117 4654f6 51116->51117 51118 40357c 4 API calls 51117->51118 51119 465504 51118->51119 51120 414ac0 4 API calls 51119->51120 51121 465512 51120->51121 51122 4621a4 11 API calls 51121->51122 51122->51123 51123->51109 51646 466fc4 51124->51646 51127 47bb94 51129 414a90 4 API calls 51127->51129 51130 47bba4 51129->51130 51131 403450 4 API calls 51130->51131 51132 47bbb1 51131->51132 51649 4672ac 51132->51649 51135 47bbc1 51136 414a90 4 API calls 51135->51136 51138 47bbd1 51136->51138 51139 403450 4 API calls 51138->51139 51140 47bbde 51139->51140 51141 464df0 SendMessageA 51140->51141 51142 47bbf7 51141->51142 51143 47bc35 51142->51143 51854 473510 23 API calls 51142->51854 51678 424184 IsIconic 51143->51678 51147 47bc65 51149 47b14c 18 API calls 51147->51149 51148 47bc50 SetActiveWindow 51148->51147 51150 47bc78 51149->51150 51686 46fbf4 51150->51686 51194->51061 51195->51047 51196->51047 51197->51047 51198->51047 51199->51074 51200->51074 51203 47bed4 51201->51203 51202 47bf67 51202->51085 51203->51202 51215 42ed78 51203->51215 51231 476edc 51203->51231 51235 47291c 51203->51235 51238 
47b3f0 51203->51238 51328 472948 19 API calls 51203->51328 51209->51087 51211 47b16f 51210->51211 51213 47b19d 51210->51213 51501 48cea0 18 API calls 51211->51501 51214 47a908 PostMessageA 51213->51214 51214->51094 51216 42ed84 51215->51216 51217 42eda7 GetActiveWindow GetFocus 51216->51217 51329 41ee4c GetCurrentThreadId 73A25940 51217->51329 51220 42eddb 51222 42ee6a SetFocus 51220->51222 51223 42ede9 CreateWindowExA 51220->51223 51221 42edcb RegisterClassA 51221->51220 51224 403400 4 API calls 51222->51224 51223->51222 51225 42ee1c 51223->51225 51226 42ee86 51224->51226 51331 424224 51225->51331 51226->51203 51228 42ee44 51229 42ee4c CreateWindowExA 51228->51229 51229->51222 51230 42ee62 ShowWindow 51229->51230 51230->51222 51232 476f83 51231->51232 51233 476ef0 51231->51233 51232->51203 51233->51232 51337 4550d0 15 API calls 51233->51337 51338 472878 51235->51338 51239 455970 23 API calls 51238->51239 51240 47b435 51239->51240 51241 47b440 51240->51241 51242 47b44c 51240->51242 51243 455970 23 API calls 51241->51243 51244 455970 23 API calls 51242->51244 51245 47b44a 51243->51245 51244->51245 51246 47b45c 51245->51246 51247 47b468 51245->51247 51248 455970 23 API calls 51246->51248 51249 455970 23 API calls 51247->51249 51250 47b466 51248->51250 51249->51250 51251 475650 39 API calls 51250->51251 51252 47b47c 51251->51252 51253 403494 4 API calls 51252->51253 51254 47b489 51253->51254 51255 40357c 4 API calls 51254->51255 51256 47b494 51255->51256 51257 455970 23 API calls 51256->51257 51258 47b49c 51257->51258 51259 475650 39 API calls 51258->51259 51260 47b4a7 51259->51260 51261 47b4cd 51260->51261 51262 403494 4 API calls 51260->51262 51264 47b605 51261->51264 51265 47b4f2 51261->51265 51263 47b4ba 51262->51263 51266 40357c 4 API calls 51263->51266 51268 47b61b 51264->51268 51271 42cc40 7 API calls 51264->51271 51346 47b37c 51265->51346 51269 47b4c5 51266->51269 51272 475650 39 API calls 51268->51272 51273 455970 23 API calls 51269->51273 51275 47b613 
51271->51275 51276 47b62a 51272->51276 51273->51261 51274 47b515 51279 475650 39 API calls 51274->51279 51275->51268 51280 47b6d9 51275->51280 51277 475650 39 API calls 51276->51277 51281 47b64a 51277->51281 51284 47b524 51279->51284 51282 455970 23 API calls 51280->51282 51376 4719f4 51281->51376 51327 47b5f1 51282->51327 51350 4718cc 51284->51350 51286 47b5f6 51289 455970 23 API calls 51286->51289 51288 47b657 51294 4506dc 4 API calls 51288->51294 51288->51327 51289->51327 51290 47b546 51292 47b5bd 51290->51292 51293 4506dc 4 API calls 51290->51293 51291 403420 4 API calls 51295 47b71d 51291->51295 51296 407894 19 API calls 51292->51296 51292->51327 51297 47b557 51293->51297 51298 47b66c 51294->51298 51299 403420 4 API calls 51295->51299 51300 47b5e9 51296->51300 51301 40357c 4 API calls 51297->51301 51302 40357c 4 API calls 51298->51302 51303 47b72a 51299->51303 51304 455970 23 API calls 51300->51304 51305 47b564 51301->51305 51306 47b679 51302->51306 51307 403420 4 API calls 51303->51307 51304->51327 51409 406d08 19 API calls 51305->51409 51411 406d08 19 API calls 51306->51411 51310 47b737 51307->51310 51310->51203 51311 47b57f 51313 42e660 5 API calls 51311->51313 51312 47b694 51314 42e660 5 API calls 51312->51314 51315 47b590 51313->51315 51316 47b6a5 51314->51316 51317 4506ac 4 API calls 51315->51317 51318 4506ac 4 API calls 51316->51318 51319 47b5a5 51317->51319 51320 47b6ba 51318->51320 51321 40357c 4 API calls 51319->51321 51322 40357c 4 API calls 51320->51322 51324 47b5ae 51321->51324 51323 47b6c3 51322->51323 51412 408bac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51323->51412 51410 408bac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51324->51410 51327->51291 51328->51203 51330 41eed1 51329->51330 51330->51220 51330->51221 51332 424256 51331->51332 51333 424236 GetWindowTextA 51331->51333 51335 403494 4 API calls 51332->51335 51334 4034e0 4 API calls 51333->51334 51336 424254 51334->51336 51335->51336 51336->51228 51337->51232 51339 472884 
51338->51339 51340 4728ac 51338->51340 51341 4728a5 51339->51341 51344 451ac0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51339->51344 51340->51203 51345 472738 19 API calls 51341->51345 51344->51341 51345->51340 51347 47b388 51346->51347 51348 47b3a3 51347->51348 51413 451ac0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51347->51413 51348->51274 51402 45151c 51348->51402 51351 4718f3 51350->51351 51352 4718fc 51350->51352 51351->51352 51353 471923 51351->51353 51414 453578 51352->51414 51454 4715e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51353->51454 51357 403400 4 API calls 51359 4719df 51357->51359 51358 47194c 51455 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51358->51455 51359->51290 51361 471956 51456 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51361->51456 51363 471960 51457 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51363->51457 51365 47196b 51458 4715e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51365->51458 51367 471978 51459 4715e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51367->51459 51369 471983 51460 407220 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 51369->51460 51371 47198b 51461 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51371->51461 51373 471996 51462 47174c 27 API calls 51373->51462 51375 4719aa 51375->51290 51377 471a24 51376->51377 51378 471a1b 51376->51378 51481 4537f8 51377->51481 51378->51377 51379 471a4b 51378->51379 51492 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51379->51492 51383 403400 4 API calls 51385 471b05 51383->51385 51384 471a72 51493 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51384->51493 51385->51288 51387 471a7c 51494 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51387->51494 51389 471a86 51495 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51389->51495 51391 471a91 51496 
4715e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51391->51496 51393 471a9e 51497 4715e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51393->51497 51395 471aa9 51498 407220 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 51395->51498 51397 471ab1 51499 4715fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51397->51499 51399 471abc 51500 47174c 27 API calls 51399->51500 51401 471ad0 51401->51288 51403 450ea0 2 API calls 51402->51403 51404 451532 51403->51404 51405 42cc08 GetFileAttributesA 51404->51405 51408 451536 51404->51408 51406 451551 GetLastError 51405->51406 51407 450edc Wow64RevertWow64FsRedirection 51406->51407 51407->51408 51408->51274 51408->51286 51409->51311 51410->51292 51411->51312 51412->51327 51413->51348 51415 45359e 51414->51415 51416 4535c9 51415->51416 51417 4535ba 51415->51417 51419 403634 4 API calls 51416->51419 51418 403494 4 API calls 51417->51418 51424 4535c4 51418->51424 51420 4535e1 51419->51420 51421 4535fb 51420->51421 51422 403634 4 API calls 51420->51422 51479 42c7f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 51421->51479 51422->51421 51463 450f64 51424->51463 51425 453605 51428 453620 51425->51428 51480 42c7f4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 51425->51480 51430 453671 51428->51430 51431 45363a 51428->51431 51438 45366f 51428->51438 51429 453714 51433 453720 GetLastError 51429->51433 51434 453729 CloseHandle 51429->51434 51432 42d77c GetWindowsDirectoryA 51430->51432 51435 42d7a8 GetSystemDirectoryA 51431->51435 51436 45367e 51432->51436 51437 453741 51433->51437 51470 4534e4 51434->51470 51440 453647 51435->51440 51441 42c3a4 5 API calls 51436->51441 51442 403420 4 API calls 51437->51442 51438->51424 51445 42c79c 5 API calls 51438->51445 51443 42c3a4 5 API calls 51440->51443 51444 453689 51441->51444 51446 45375b 51442->51446 51447 453652 51443->51447 51448 403634 4 API calls 51444->51448 51445->51424 51449 403400 4 API 
calls 51446->51449 51450 403634 4 API calls 51447->51450 51448->51438 51451 453763 51449->51451 51450->51438 51452 403400 4 API calls 51451->51452 51453 45376b 51452->51453 51453->51357 51454->51358 51455->51361 51456->51363 51457->51365 51458->51367 51459->51369 51460->51371 51461->51373 51462->51375 51464 450ea0 2 API calls 51463->51464 51465 450f7d 51464->51465 51466 450f81 51465->51466 51467 450f88 CreateProcessA GetLastError 51465->51467 51466->51429 51468 450edc Wow64RevertWow64FsRedirection 51467->51468 51469 450fdd 51468->51469 51469->51429 51471 45351c 51470->51471 51472 453508 WaitForInputIdle 51470->51472 51473 45353c GetExitCodeProcess 51471->51473 51477 453523 MsgWaitForMultipleObjects 51471->51477 51472->51471 51474 453550 CloseHandle 51473->51474 51475 45354a 51473->51475 51474->51437 51475->51474 51477->51471 51478 45353a 51477->51478 51478->51473 51479->51425 51480->51428 51482 453813 51481->51482 51483 42c79c 5 API calls 51482->51483 51484 453831 51482->51484 51483->51484 51485 453882 ShellExecuteEx 51484->51485 51486 4538a6 51485->51486 51487 45389d GetLastError 51485->51487 51488 4538bf 51486->51488 51489 4534e4 4 API calls 51486->51489 51487->51488 51490 403400 4 API calls 51488->51490 51489->51488 51491 4538d4 51490->51491 51491->51383 51492->51384 51493->51387 51494->51389 51495->51391 51496->51393 51497->51395 51498->51397 51499->51399 51500->51401 51501->51213 51504 46560f 51502->51504 51503 465a7b 51506 465a96 51503->51506 51507 465ac7 51503->51507 51504->51503 51505 4656ca 51504->51505 51509 403494 4 API calls 51504->51509 51508 4656e5 51505->51508 51512 465726 51505->51512 51510 403494 4 API calls 51506->51510 51511 403494 4 API calls 51507->51511 51513 403494 4 API calls 51508->51513 51514 46564e 51509->51514 51515 465aa4 51510->51515 51516 465ad5 51511->51516 51521 403400 4 API calls 51512->51521 51518 4656f3 51513->51518 51519 414a90 4 API calls 51514->51519 51599 4646e4 12 API calls 51515->51599 51600 4646e4 12 API calls 51516->51600 
51522 414a90 4 API calls 51518->51522 51523 46566f 51519->51523 51525 465724 51521->51525 51527 465714 51522->51527 51528 403634 4 API calls 51523->51528 51524 465ab2 51526 403400 4 API calls 51524->51526 51544 46580a 51525->51544 51588 464df0 51525->51588 51530 465af8 51526->51530 51532 403634 4 API calls 51527->51532 51533 46567f 51528->51533 51536 403400 4 API calls 51530->51536 51531 46588c 51534 403400 4 API calls 51531->51534 51532->51525 51537 414a90 4 API calls 51533->51537 51547 46588a 51534->51547 51535 465746 51538 465784 51535->51538 51539 46574c 51535->51539 51540 465b00 51536->51540 51541 465693 51537->51541 51545 403400 4 API calls 51538->51545 51542 403494 4 API calls 51539->51542 51543 403420 4 API calls 51540->51543 51541->51505 51546 414a90 4 API calls 51541->51546 51548 46575a 51542->51548 51549 465b0d 51543->51549 51544->51531 51550 46584b 51544->51550 51551 465782 51545->51551 51552 4656ba 51546->51552 51594 46522c 39 API calls 51547->51594 51554 475650 39 API calls 51548->51554 51549->51103 51555 403494 4 API calls 51550->51555 51562 4650e4 39 API calls 51551->51562 51556 403634 4 API calls 51552->51556 51558 465772 51554->51558 51559 465859 51555->51559 51556->51505 51557 4658b5 51564 465916 51557->51564 51565 4658c0 51557->51565 51560 403634 4 API calls 51558->51560 51561 414a90 4 API calls 51559->51561 51560->51551 51563 46587a 51561->51563 51567 4657ab 51562->51567 51566 403634 4 API calls 51563->51566 51568 403400 4 API calls 51564->51568 51569 403494 4 API calls 51565->51569 51566->51547 51570 4657b6 51567->51570 51571 46580c 51567->51571 51572 46591e 51568->51572 51577 4658ce 51569->51577 51574 403494 4 API calls 51570->51574 51573 403400 4 API calls 51571->51573 51575 465914 51572->51575 51586 4659c7 51572->51586 51573->51544 51579 4657c4 51574->51579 51575->51572 51595 48ce84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51575->51595 51577->51572 51577->51575 51580 403634 4 API calls 51577->51580 51578 465941 51578->51586 51596 
48d0ec 18 API calls 51578->51596 51579->51544 51582 403634 4 API calls 51579->51582 51580->51577 51582->51579 51584 465a68 51598 4290ec SendMessageA SendMessageA 51584->51598 51597 42909c SendMessageA 51586->51597 51587->51101 51601 429fe8 SendMessageA 51588->51601 51590 464dff 51591 464e1f 51590->51591 51602 429fe8 SendMessageA 51590->51602 51591->51535 51593 464e0f 51593->51535 51594->51557 51595->51578 51596->51586 51597->51584 51598->51503 51599->51524 51600->51524 51601->51590 51602->51593 51604 476d92 51603->51604 51609 476dc8 51603->51609 51620 454220 51604->51620 51605 403420 4 API calls 51606 476ec9 51605->51606 51606->51107 51608 476dbc 51608->51609 51610 476e92 51608->51610 51611 472dc8 19 API calls 51608->51611 51613 475650 39 API calls 51608->51613 51616 476e40 51608->51616 51627 476924 31 API calls 51608->51627 51609->51605 51610->51107 51611->51608 51612 475650 39 API calls 51612->51616 51613->51608 51615 42c824 5 API calls 51615->51616 51616->51608 51616->51612 51616->51615 51617 42c84c 5 API calls 51616->51617 51619 476e7f 51616->51619 51628 476a70 52 API calls 51616->51628 51617->51616 51619->51609 51621 454231 51620->51621 51622 454235 51621->51622 51623 45423e 51621->51623 51629 453f24 51622->51629 51637 454004 29 API calls 51623->51637 51626 45423b 51626->51608 51627->51608 51628->51616 51630 42dc44 RegOpenKeyExA 51629->51630 51631 453f41 51630->51631 51632 453f8f 51631->51632 51638 453e58 51631->51638 51632->51626 51635 453e58 6 API calls 51636 453f70 RegCloseKey 51635->51636 51636->51626 51637->51626 51643 42db80 51638->51643 51640 403420 4 API calls 51641 453f0a 51640->51641 51641->51635 51642 453e80 51642->51640 51644 42da40 6 API calls 51643->51644 51645 42db89 51644->51645 51645->51642 51857 467050 51646->51857 51650 4672d5 51649->51650 51651 467322 51650->51651 51652 414a90 4 API calls 51650->51652 51654 403420 4 API calls 51651->51654 51653 4672eb 51652->51653 51966 461f90 6 API calls 51653->51966 51656 4673cc 51654->51656 51656->51135 
51853 408b80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51656->51853 51657 4672f3 51658 414ac0 4 API calls 51657->51658 51659 467301 51658->51659 51660 46730e 51659->51660 51662 467327 51659->51662 51967 477d10 36 API calls 51660->51967 51663 46733f 51662->51663 51665 462074 CharNextA 51662->51665 51968 477d10 36 API calls 51663->51968 51666 46733b 51665->51666 51666->51663 51667 467355 51666->51667 51668 467371 51667->51668 51669 46735b 51667->51669 51671 42c894 CharNextA 51668->51671 51969 477d10 36 API calls 51669->51969 51672 46737e 51671->51672 51672->51651 51970 462100 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51672->51970 51674 467395 51675 4506dc 4 API calls 51674->51675 51676 4673a2 51675->51676 51971 477d10 36 API calls 51676->51971 51679 424195 SetActiveWindow 51678->51679 51684 4241cb 51678->51684 51680 4235f4 3 API calls 51679->51680 51681 4241ab 51680->51681 51972 423abc 51681->51972 51683 4241b2 51683->51684 51685 4241c5 SetFocus 51683->51685 51684->51147 51684->51148 51685->51684 51687 455970 23 API calls 51686->51687 51688 46fc40 51687->51688 51979 407248 51688->51979 51690 46fc4a 51982 468b10 51690->51982 51695 475650 39 API calls 51696 46fca6 51695->51696 51698 46fcb6 51696->51698 52461 451ac0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51696->52461 51699 46fccd 51698->51699 52462 451ac0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51698->52462 51701 472618 20 API calls 51699->51701 51702 46fcd8 51701->51702 51703 403450 4 API calls 51702->51703 51704 46fcf5 51703->51704 51705 403450 4 API calls 51704->51705 51706 46fd03 51705->51706 51992 4690f8 51706->51992 51710 46fd69 52030 46fb4c 51710->52030 51852 408b80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51854->51143 51858 414a90 4 API calls 51857->51858 51859 467082 51858->51859 51911 461f04 51859->51911 51862 414ac0 4 API calls 51863 467094 51862->51863 51864 4670a3 51863->51864 51866 4670bc 51863->51866 51940 477d10 36 API calls 51864->51940 51868 467103 
51866->51868 51870 4670ea 51866->51870 51867 403420 4 API calls 51869 466fe3 51867->51869 51871 467160 51868->51871 51884 467107 51868->51884 51869->51127 51869->51852 51941 477d10 36 API calls 51870->51941 51943 42ca34 CharNextA 51871->51943 51874 46716f 51875 467173 51874->51875 51879 46718c 51874->51879 51944 477d10 36 API calls 51875->51944 51877 467147 51942 477d10 36 API calls 51877->51942 51878 4671b0 51945 477d10 36 API calls 51878->51945 51879->51878 51920 462074 51879->51920 51884->51877 51884->51879 51887 4671c9 51888 403778 4 API calls 51887->51888 51889 4671df 51888->51889 51928 42c894 51889->51928 51892 4671f0 51946 462100 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51892->51946 51893 46721e 51895 42c7c4 5 API calls 51893->51895 51897 467229 51895->51897 51896 467203 51898 4506dc 4 API calls 51896->51898 51899 42c3a4 5 API calls 51897->51899 51900 467210 51898->51900 51901 467234 51899->51901 51947 477d10 36 API calls 51900->51947 51903 42caa4 6 API calls 51901->51903 51904 46723f 51903->51904 51932 466fe4 51904->51932 51906 467247 51907 42cc2c 7 API calls 51906->51907 51908 46724f 51907->51908 51909 4670b7 51908->51909 51948 477d10 36 API calls 51908->51948 51909->51867 51916 461f1e 51911->51916 51912 406b50 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51912->51916 51914 42caa4 6 API calls 51914->51916 51915 403450 4 API calls 51915->51916 51916->51912 51916->51914 51916->51915 51917 461f67 51916->51917 51949 42c9a4 51916->51949 51918 403420 4 API calls 51917->51918 51919 461f81 51918->51919 51919->51862 51921 46207e 51920->51921 51922 462095 CharNextA 51921->51922 51923 462091 51921->51923 51922->51921 51923->51878 51924 4620a4 51923->51924 51925 4620ae 51924->51925 51926 4620db 51925->51926 51927 4620df CharNextA 51925->51927 51926->51878 51926->51887 51927->51925 51929 42c8aa 51928->51929 51930 42c8ec 51928->51930 51929->51930 51931 42c8dd CharNextA 51929->51931 51930->51892 51930->51893 51931->51929 51933 466ff7 51932->51933 51934 467049 
51932->51934 51933->51934 51935 41ee4c 2 API calls 51933->51935 51934->51906 51936 467007 51935->51936 51937 467021 SHPathPrepareForWriteA 51936->51937 51960 41ef00 51937->51960 51940->51909 51941->51909 51942->51909 51943->51874 51944->51909 51945->51909 51946->51896 51947->51909 51948->51909 51950 403494 4 API calls 51949->51950 51951 42c9b4 51950->51951 51952 403744 4 API calls 51951->51952 51955 42c9ea 51951->51955 51958 42c3e8 IsDBCSLeadByte 51951->51958 51952->51951 51954 42ca2e 51954->51916 51955->51954 51957 4037b8 4 API calls 51955->51957 51959 42c3e8 IsDBCSLeadByte 51955->51959 51957->51955 51958->51951 51959->51955 51961 41ef34 51960->51961 51962 41ef08 IsWindow 51960->51962 51961->51906 51963 41ef22 51962->51963 51964 41ef17 EnableWindow 51962->51964 51963->51961 51963->51962 51965 402660 4 API calls 51963->51965 51964->51963 51965->51963 51966->51657 51967->51651 51968->51651 51969->51651 51970->51674 51971->51651 51973 423b0a 51972->51973 51975 423acb 51972->51975 51973->51683 51974 423b02 51978 40b370 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51974->51978 51975->51973 51975->51974 51977 423af6 SetWindowPos 51975->51977 51977->51974 51977->51975 51978->51973 51980 403738 51979->51980 51981 407252 SetCurrentDirectoryA 51980->51981 51981->51690 51983 468b37 51982->51983 51984 468bb4 51983->51984 51985 472dc8 19 API calls 51983->51985 52467 44f0d8 51984->52467 51985->51983 51988 457a98 51989 457a9e 51988->51989 51990 457d60 4 API calls 51989->51990 51991 457aba 51990->51991 51991->51695 51993 469136 51992->51993 51994 469126 51992->51994 51996 403400 4 API calls 51993->51996 51995 403494 4 API calls 51994->51995 51997 469134 51995->51997 51996->51997 51998 453a74 5 API calls 51997->51998 51999 46914a 51998->51999 52000 453ab0 5 API calls 51999->52000 52001 469158 52000->52001 52002 4690d0 5 API calls 52001->52002 52003 46916c 52002->52003 52004 457b54 4 API calls 52003->52004 52005 469184 52004->52005 52006 403420 4 API calls 52005->52006 52007 
46919e 52006->52007 52008 403400 4 API calls 52007->52008 52009 4691a6 52008->52009 52010 4692ec 52009->52010 52011 4034e0 4 API calls 52010->52011 52012 469326 52011->52012 52013 46933e 52012->52013 52014 46932f 52012->52014 52016 403400 4 API calls 52013->52016 52015 475650 39 API calls 52014->52015 52017 46933c 52015->52017 52016->52017 52018 475650 39 API calls 52017->52018 52019 469361 52018->52019 52020 46938e 52019->52020 52476 4691b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52019->52476 52022 475650 39 API calls 52020->52022 52023 4693c4 52022->52023 52024 457b54 4 API calls 52023->52024 52025 4693e2 52024->52025 52026 403400 4 API calls 52025->52026 52027 4693f7 52026->52027 52028 403420 4 API calls 52027->52028 52029 469404 52028->52029 52029->51710 52031 46fb8d 52030->52031 52032 46fb5c 52030->52032 52034 468c80 52031->52034 52032->52031 52033 472c88 19 API calls 52032->52033 52033->52032 52035 468c8e 52034->52035 52036 468c89 52034->52036 52477 424454 52035->52477 52481 408b80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 52036->52481 52461->51698 52462->51699 52470 44f0ec 52467->52470 52471 44f0fd 52470->52471 52472 44f11e MulDiv 52471->52472 52473 44f0e9 52471->52473 52474 418188 52472->52474 52473->51988 52475 44f149 SendMessageA 52474->52475 52475->52473 52476->52020 52478 424457 52477->52478 53491 4135e4 SetWindowLongA GetWindowLongA 53492 413641 SetPropA SetPropA 53491->53492 53493 413623 GetWindowLongA 53491->53493 53497 41f344 KiUserCallbackDispatcher 53492->53497 53493->53492 53494 413632 SetWindowLongA 53493->53494 53494->53492 53495 413691 53497->53495 53498 404d2a 53506 404d3a 53498->53506 53499 404e07 ExitProcess 53500 404de0 53514 404cf0 53500->53514 53501 404e12 53504 404cf0 4 API calls 53505 404df4 53504->53505 53518 401a90 53505->53518 53506->53499 53506->53500 53506->53501 53507 404db7 MessageBoxA 53506->53507 53508 404dcc 53506->53508 53507->53500 53530 40500c LocalAlloc TlsSetValue TlsGetValue 
                                              APIs
                                              • LocalFileTimeToFileTime.KERNEL32(-00000034,?,00000000,0046BC78,?,00000000,0046BCC1,?,00000000,0046BDFA,?,00000000,?,00000000,?,0046C7BA), ref: 0046AEF6
                                                • Part of subcall function 00453230: FindClose.KERNEL32(00000000,000000FF,0046AF0D,00000000,0046BC78,?,00000000,0046BCC1,?,00000000,0046BDFA,?,00000000,?,00000000), ref: 00453246
                                                • Part of subcall function 00468DA4: FileTimeToLocalFileTime.KERNEL32(?), ref: 00468DAC
                                                • Part of subcall function 00468DA4: FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00468DBB
                                                • Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720
                                                • Part of subcall function 00452B60: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452D37,?,00000000,00452DFB), ref: 00452C87
                                              Strings
                                              • , xrefs: 0046B170, 0046B338, 0046B3B6
                                              • Time stamp of our file: (failed to read), xrefs: 0046AF48
                                              • Time stamp of existing file: %s, xrefs: 0046AFCC
                                              • Time stamp of our file: %s, xrefs: 0046AF3C
                                              • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046B384
                                              • .tmp, xrefs: 0046B54F
                                              • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046B492
                                              • Couldn't read time stamp. Skipping., xrefs: 0046B2CD
                                              • Dest file exists., xrefs: 0046AF5C
                                              • Version of existing file: %u.%u.%u.%u, xrefs: 0046B11D
                                              • Version of existing file: (none), xrefs: 0046B292
                                              • Will register the file (a type library) later., xrefs: 0046BA82
                                              • Dest filename: %s, xrefs: 0046AE35
                                              • Existing file is a newer version. Skipping., xrefs: 0046B1A3
                                              • Existing file has a later time stamp. Skipping., xrefs: 0046B367
                                              • Version of our file: %u.%u.%u.%u, xrefs: 0046B091
                                              • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046B42E
                                              • Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046B25C
                                              • Non-default bitness: 32-bit, xrefs: 0046AE5C
                                              • Installing the file., xrefs: 0046B4A1
                                              • Incrementing shared file count (64-bit)., xrefs: 0046BAFB
                                              • -- File entry --, xrefs: 0046ACE3
                                              • Time stamp of existing file: (failed to read), xrefs: 0046AFD8
                                              • Same time stamp. Skipping., xrefs: 0046B2ED
                                              • Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046B268
                                              • Uninstaller requires administrator: %s, xrefs: 0046B70D
                                              • InUn, xrefs: 0046B6DD
                                              • Dest file is protected by Windows File Protection., xrefs: 0046AE8E
                                              • Skipping due to "onlyifdoesntexist" flag., xrefs: 0046AF6F
                                              • Incrementing shared file count (32-bit)., xrefs: 0046BB14
                                              • Will register the file (a DLL/OCX) later., xrefs: 0046BA8E
                                              • @, xrefs: 0046AD90
                                              • Version of our file: (none), xrefs: 0046B09D
                                              • Non-default bitness: 64-bit, xrefs: 0046AE50
                                              • User opted not to overwrite the existing file. Skipping., xrefs: 0046B3E5
                                              • Failed to strip read-only attribute., xrefs: 0046B46B
                                              • Same version. Skipping., xrefs: 0046B27D
                                              • Existing file's MD5 sum matches our file. Skipping., xrefs: 0046B24D
                                              • Stripped read-only attribute., xrefs: 0046B45F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Time$File$Local$CloseFindFullNamePathQuerySystemValue
                                              • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                              • API String ID: 2131814033-2943590984
                                              • Opcode ID: f1a007bcf6fb64027c7e4f2ae45ad7fe9a3a2d5b46875a34aaa58e0779901e16
                                              • Instruction ID: f65b5c2ab3d31a984aea8a7ca3a316d928a56dcdaf1079f5525a9e75dbf3fe7a
                                              • Opcode Fuzzy Hash: f1a007bcf6fb64027c7e4f2ae45ad7fe9a3a2d5b46875a34aaa58e0779901e16
                                              • Instruction Fuzzy Hash: F0926030A042489BDB11DFA5C495BDDBBB5EF05308F1440ABE844AB392E7789E85CF5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c619cfdb2417a1dd765c9684dc00ff7da98e4790b272c6bac34776b85a7bb18
                                              • Instruction ID: b3874c0ebfa8e5c98eb4c3a27b14194d81e346ea4a69c1a5551916dd99319231
                                              • Opcode Fuzzy Hash: 7c619cfdb2417a1dd765c9684dc00ff7da98e4790b272c6bac34776b85a7bb18
                                              • Instruction Fuzzy Hash: E4E1B134704125EFD710DF6AE585A5E77B0EB44304FA580A6E5069B362CB7CEE82DB18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 0042299C
                                              • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B66), ref: 004229AC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSendShowWindow
                                              • String ID:
                                              • API String ID: 1631623395-0
                                              • Opcode ID: 3185f68e2960f78681de3eb66a82df137bb422f01df1fa01dc8aff28185cee34
                                              • Instruction ID: 8c826587ba7af474f7b14690d684e7097f8878018e5f7bac2df75c57de2d2bfa
                                              • Opcode Fuzzy Hash: 3185f68e2960f78681de3eb66a82df137bb422f01df1fa01dc8aff28185cee34
                                              • Instruction Fuzzy Hash: 1791A471B00214FFD710EFA9DA86F9E77F4AB15304F5500B6F500AB2A2C7B8AE419B58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0048DA54: GetWindowRect.USER32(00000000), ref: 0048DA6A
                                              • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00462D63
                                                • Part of subcall function 0041D658: GetObjectA.GDI32(?,00000018,00462D7D), ref: 0041D683
                                                • Part of subcall function 004627F0: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046288D
                                                • Part of subcall function 004627F0: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004628B3
                                                • Part of subcall function 004627F0: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046290F
                                                • Part of subcall function 004627F0: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462935
                                                • Part of subcall function 004621AC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00462E18,00000000,00000000,00000000,0000000C,00000000), ref: 004621C4
                                                • Part of subcall function 0048DCB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0048DCBA
                                                • Part of subcall function 0048D9A4: 73A1A570.USER32(00000000,?,?,?), ref: 0048D9C6
                                                • Part of subcall function 0048D9A4: SelectObject.GDI32(?,00000000), ref: 0048D9EC
                                                • Part of subcall function 0048D9A4: 73A1A480.USER32(00000000,?,0048DA4A,0048DA43,?,00000000,?,?,?), ref: 0048DA3D
                                                • Part of subcall function 0048DCA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0048DCAA
                                              • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 004639DB
                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004639EC
                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00463A04
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadRectSelectSystemUserWindow
                                              • String ID: $(Default)$STOPIMAGE
                                              • API String ID: 798199749-770201673
                                              • Opcode ID: edd87f1fb70ff78689207597ef215f3f1d8daab5004934605c616b6dfe41ea42
                                              • Instruction ID: 0ce2a7c8654b4bda645b85becf187eb8cd9f620879433755a56cf3d7b5830d6a
                                              • Opcode Fuzzy Hash: edd87f1fb70ff78689207597ef215f3f1d8daab5004934605c616b6dfe41ea42
                                              • Instruction Fuzzy Hash: 97F2E4386005609FCB00EF59D9D9F9A73F1BF8A304F1542B6E5049B36AD774AC46CB8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F,?,?,00000000), ref: 00478BCC
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F,?), ref: 00478C15
                                              • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F), ref: 00478C22
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000,?,?,00479E8F,?), ref: 00478C6E
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00478D3B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000), ref: 00478D17
                                              • FindClose.KERNEL32(000000FF,00478D42,00478D3B,?,00000000,?,00000000,?,?,00000000,?,00000000,00478D68,?,00000000,00000000), ref: 00478D35
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstNext
                                              • String ID:
                                              • API String ID: 3541575487-0
                                              • Opcode ID: 6ed92f0fea0ac89c8cdbf20db8b1306b27f1a3291d9e11ea1e7371d37058444b
                                              • Instruction ID: 54e57abadac26bdf6b50859d29d6f630f81932fdc3dee25b4239eb6d38c32597
                                              • Opcode Fuzzy Hash: 6ed92f0fea0ac89c8cdbf20db8b1306b27f1a3291d9e11ea1e7371d37058444b
                                              • Instruction Fuzzy Hash: 9C512171900658AFCB21EF65CC49ADEB7B8EB48315F1084BAA408E7391DA389F45CF58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0046F2BE,?,?,00000001,0049307C), ref: 0046F1C5
                                              • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0046F2BE,?,?,00000001,0049307C), ref: 0046F28A
                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0046F2BE,?,?,00000001,0049307C), ref: 0046F298
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstNext
                                              • String ID: unins$unins???.*
                                              • API String ID: 3541575487-1009660736
                                              • Opcode ID: 4656920c8c39f0ce8d8b672e99f1185c7c030a5e2c2d26b5023d7781f6a8c35e
                                              • Instruction ID: 3c9c22acd9639b612fd9d01020641e4b72dcc3c09d6e577180f12476a66c67e0
                                              • Opcode Fuzzy Hash: 4656920c8c39f0ce8d8b672e99f1185c7c030a5e2c2d26b5023d7781f6a8c35e
                                              • Instruction Fuzzy Hash: 2831D474600108AFDB50EB69D891ADEB7BCEF05308F5044F6E848E72A2E7399F458F19
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0045123F,?,?,-00000001,00000000), ref: 00451219
                                              • GetLastError.KERNEL32(00000000,?,00000000,0045123F,?,?,-00000001,00000000), ref: 00451221
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorFileFindFirstLast
                                              • String ID:
                                              • API String ID: 873889042-0
                                              • Opcode ID: a602d2efdf960d6167be496792d274a39b8ae1fe5526e10b942367c2e78b3dad
                                              • Instruction ID: 48b66b5ea5a2bd036d7052275c493811c4e0670e4fb7de4650a4648509248124
                                              • Opcode Fuzzy Hash: a602d2efdf960d6167be496792d274a39b8ae1fe5526e10b942367c2e78b3dad
                                              • Instruction Fuzzy Hash: B0F0F971A04604AB8B10DB6AAC4249EB7ECDB45725B6046BBFC14F3292DA784E048559
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004924C0,00000001,?,004085D3,?,00000000,004086B2), ref: 00408526
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID:
                                              • API String ID: 2299586839-0
                                              • Opcode ID: e78cb18e13a677ec314dcfb13bf641d8481e9719d632e97f187bed88d7cfff22
                                              • Instruction ID: fb41a53da0808811ac7d324c7af8f56b416e217676924749333d5f26c846bbbb
                                              • Opcode Fuzzy Hash: e78cb18e13a677ec314dcfb13bf641d8481e9719d632e97f187bed88d7cfff22
                                              • Instruction Fuzzy Hash: 84E0927170022466D711A95A9C86AF6B35C9758314F00427FB948EB3C2EDB89E8046A9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240F9,?,00000000,00424104), ref: 00423B56
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: NtdllProc_Window
                                              • String ID:
                                              • API String ID: 4255912815-0
                                              • Opcode ID: e1688769fd7bd0d6dab607fe8fc3e2e26ffd360abf5a591b42ec6747995d87bd
                                              • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                              • Opcode Fuzzy Hash: e1688769fd7bd0d6dab607fe8fc3e2e26ffd360abf5a591b42ec6747995d87bd
                                              • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: NameUser
                                              • String ID:
                                              • API String ID: 2645101109-0
                                              • Opcode ID: 5296a1f906bcaa54e59ae334d9b19b6ea28d15cb2d3d13e924c6b19246622dfc
                                              • Instruction ID: 059ce6dee4a85458501d0894a56d11df68a23133cc4b2401fd590ab7d757c589
                                              • Opcode Fuzzy Hash: 5296a1f906bcaa54e59ae334d9b19b6ea28d15cb2d3d13e924c6b19246622dfc
                                              • Instruction Fuzzy Hash: 5AD0C2B120420053C701AE68DC8269B358C8B84316F10483E7CC6DA2C3E67DDF48A75A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                                • Part of subcall function 004695AC: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,0049307C,?,004697A3,?,00000000,00469BEA,?,_is1), ref: 004695CF
                                              • RegCloseKey.ADVAPI32(?,00469BF1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00469C39,?,?,00000001,0049307C), ref: 00469BE4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseValue
                                              • String ID: " /SILENT$5.2.3$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                              • API String ID: 3132538880-1148470211
                                              • Opcode ID: 3cf2181b2e06e0eb39b887e9430ed1fe4e21cb9949c2e86e22adb134ede67fe6
                                              • Instruction ID: b10ae86822701baf94b0909050c6c73479acdbc000c85b0031fe9b3e7e797c5a
                                              • Opcode Fuzzy Hash: 3cf2181b2e06e0eb39b887e9430ed1fe4e21cb9949c2e86e22adb134ede67fe6
                                              • Instruction Fuzzy Hash: BEE13475A00109ABCB04EF55D98199F73BDEB44304F60847BE4056B395EBB9BE01CB6E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047C3AD
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047C3BA
                                              • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047C3C8
                                              • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047C3D0
                                              • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047C3DC
                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047C3FD
                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047C410
                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047C416
                                              • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047C42D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                              • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                              • API String ID: 2230631259-2623177817
                                              • Opcode ID: 88536f7c12e65bd0d8273b1485407be1152ee2236569315de8ce4967890ede1f
                                              • Instruction ID: 06dcc6403529f5206617775aef830b133aa19bd788f334af9eebe881936bbdd9
                                              • Opcode Fuzzy Hash: 88536f7c12e65bd0d8273b1485407be1152ee2236569315de8ce4967890ede1f
                                              • Instruction Fuzzy Hash: 0511E255044341A8CB20B3B55DE6BFB26488B51B18F68C43F688C762D3D67CCC888AAF
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegCloseKey.ADVAPI32(?,0046452A,?,?,00000001,00000000,00000000,00464545,?,00000000,00000000,?), ref: 00464513
                                              Strings
                                              • Inno Setup: Deselected Tasks, xrefs: 004644A1
                                              • %s\%s_is1, xrefs: 0046438D
                                              • Inno Setup: Setup Type, xrefs: 00464422
                                              • Inno Setup: Selected Tasks, xrefs: 0046447F
                                              • Inno Setup: Selected Components, xrefs: 00464432
                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046436F
                                              • Inno Setup: No Icons, xrefs: 004643FB
                                              • Inno Setup: User Info: Organization, xrefs: 004644E2
                                              • Inno Setup: Deselected Components, xrefs: 00464454
                                              • Inno Setup: Icon Group, xrefs: 004643EE
                                              • Inno Setup: User Info: Serial, xrefs: 004644F5
                                              • Inno Setup: App Path, xrefs: 004643D2
                                              • Inno Setup: User Info: Name, xrefs: 004644CF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseOpen
                                              • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                              • API String ID: 47109696-1093091907
                                              • Opcode ID: da52ca3c07eec67e3a71c249a625a344edc3886d0bb8355508e894d35cb1a976
                                              • Instruction ID: fc5077364d37a5906c2ffbe53c2f2339136cb7e8b2833831ee8049aef900e6f6
                                              • Opcode Fuzzy Hash: da52ca3c07eec67e3a71c249a625a344edc3886d0bb8355508e894d35cb1a976
                                              • Instruction Fuzzy Hash: 1D51D070A00244ABDF11DB64C552BDEBBF4EF85304F6080ABE941A7391E738AF01CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,0046DFBB,?,?,?,?,00000000,0046E115,?,?,00000001), ref: 0046DBCC
                                              • RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,0046DFBB,?,?,?,?,00000000,0046E115,?,?), ref: 0046DBD5
                                                • Part of subcall function 0046D898: GetLastError.KERNEL32(00000000,00000000,00000000,0046D96C,?,?,00000001,0049307C), ref: 0046D925
                                              • RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046DFAA,?,?,00000000,0046DFBB,?,?,?,?,00000000,0046E115,?,?), ref: 0046DCF3
                                                • Part of subcall function 0042DC0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC38
                                              • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,0046DFAA,?,?,00000000,0046DFBB,?,?,?,?), ref: 0046DDC8
                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000001,?,00000000,0046DFAA,?,?,00000000,0046DFBB,?,?,?), ref: 0046DEBC
                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,00000000,0046DFAA,?,?,00000000,0046DFBB,?,?,?,?), ref: 0046DF1E
                                                • Part of subcall function 0046D898: GetLastError.KERNEL32(00000000,00000000,00000000,0046D96C,?,?,00000001,0049307C), ref: 0046D93B
                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000,00000000,0046DFAA,?,?,00000000,0046DFBB,?,?,?,?), ref: 0046DF6E
                                              • RegCloseKey.ADVAPI32(?,0046DFB1,?,00000000,0046DFBB,?,?,?,?,00000000,0046E115,?,?,00000001,0049307C), ref: 0046DFA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Value$CloseDeleteErrorLast$CreateQuery
                                              • String ID: Cannot access 64-bit registry keys on this version of Windows$break$olddata${olddata}$|0I
                                              • API String ID: 2797102135-3741232538
                                              • Opcode ID: 772e427d3ffb5c7b37da87091c2f9324c045ab26355c94640f7769ccde6b1363
                                              • Instruction ID: e94ff9ff62352b89d827cbe010cb1ec31ebc1fc567b363989c2fb2b4bcf8395d
                                              • Opcode Fuzzy Hash: 772e427d3ffb5c7b37da87091c2f9324c045ab26355c94640f7769ccde6b1363
                                              • Instruction Fuzzy Hash: 90222974F01248AFDB10DF99D981B9EBBF9AF08304F504066F904AB392D778AE05CB19
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 0046CE64)
                                              APIs
                                                • Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720
                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046CFF7
                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046D0EA
                                              • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046D100
                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046D125
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                              • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                              • API String ID: 971782779-3668018701
                                              • Opcode ID: f1617ab6b71b35178ead2c9d1e8d3e2785dbb240c4cc6a8745c954e4cd1abf1d
                                              • Instruction ID: 7241237f7b2753aa4bad096b30eb67052993fe11f1c9b15bd1d8ff4051f223ab
                                              • Opcode Fuzzy Hash: f1617ab6b71b35178ead2c9d1e8d3e2785dbb240c4cc6a8745c954e4cd1abf1d
                                              • Instruction Fuzzy Hash: E5D10174E002499FDB01EF99D885BDDBBF5AF08318F14406AF804B7392D678AE45CB69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 0042381C)
                                              APIs
                                                • Part of subcall function 0041F36C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED4C,?,00423837,00423BB4,0041ED4C), ref: 0041F38A
                                              • GetClassInfoA.USER32(00400000,00423624), ref: 00423847
                                              • RegisterClassA.USER32(00491630), ref: 0042385F
                                              • GetSystemMetrics.USER32(00000000), ref: 00423881
                                              • GetSystemMetrics.USER32(00000001), ref: 00423890
                                              • SetWindowLongA.USER32(004105F8,000000FC,00423634), ref: 004238EC
                                              • SendMessageA.USER32(004105F8,00000080,00000001,00000000), ref: 0042390D
                                              • GetSystemMenu.USER32(004105F8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4,0041ED4C), ref: 00423918
                                              • DeleteMenu.USER32(00000000,0000F030,00000000,004105F8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4,0041ED4C), ref: 00423927
                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105F8,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423934
                                              • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105F8,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042394A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                              • String ID: $6B
                                              • API String ID: 183575631-3519776487
                                              • Opcode ID: e61c2978343b05594169b0fa67f472075cc06905c91acae9ae6b14f03d1e295b
                                              • Instruction ID: 44122239756f869d7af1fdba3570d6082de878778f6117c7260872992629901f
                                              • Opcode Fuzzy Hash: e61c2978343b05594169b0fa67f472075cc06905c91acae9ae6b14f03d1e295b
                                              • Instruction Fuzzy Hash: 2B31A1B17402107AEB10BF659C82F663698AB14708F10007BFA41EF2E7DABDED04876C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 00452B60)
                                              APIs
                                                • Part of subcall function 0042DC0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC38
                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452D37,?,00000000,00452DFB), ref: 00452C87
                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452D37,?,00000000,00452DFB), ref: 00452DC3
                                                • Part of subcall function 0042E660: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004519EF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E67F
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452B9F
                                              • RegCreateKeyEx, xrefs: 00452BFB
                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452BCF
                                              • , xrefs: 00452BE9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCreateFormatMessageQueryValue
                                              • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                              • API String ID: 2481121983-1280779767
                                              • Opcode ID: 90f53306fae23df6d368745b68eb80768dd38445430ad86b4d03a6d8be63e8c8
                                              • Instruction ID: 541388b9b65ddcc629600b839954f269b6f8816a0d78520760673cf251dcd2db
                                              • Opcode Fuzzy Hash: 90f53306fae23df6d368745b68eb80768dd38445430ad86b4d03a6d8be63e8c8
                                              • Instruction Fuzzy Hash: A381ED75A00209ABDB01DFD5D941BEEB7B9EF49305F50442BF900F7282D778AA09CB69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 004760F0)
                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 004761F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc
                                              • String ID: Failed to get address of SHGetFolderPathA function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                              • API String ID: 190572456-1072092678
                                              • Opcode ID: a2d535c16ed515cbd8098ffcc1ef3c8eebb3befa93ef48f17ab6feb59f006cbe
                                              • Instruction ID: 226347d15c1c5d11692c613386f90c3546301fb27c77df9f9534ec7b1eb9fe62
                                              • Opcode Fuzzy Hash: a2d535c16ed515cbd8098ffcc1ef3c8eebb3befa93ef48f17ab6feb59f006cbe
                                              • Instruction Fuzzy Hash: 68312130A009499FCB50EF95D9819DEB7B6EB45304F91C4B7E808E7252D738AE09CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 0042ED78)
                                              APIs
                                              • GetActiveWindow.USER32 ref: 0042EDA7
                                              • GetFocus.USER32 ref: 0042EDAF
                                              • RegisterClassA.USER32(004917AC), ref: 0042EDD0
                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EEA4,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EE0E
                                              • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EE54
                                              • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EE65
                                              • SetFocus.USER32(00000000,00000000,0042EE87,?,?,?,00000001,00000000,?,004564AE,00000000,00492628), ref: 0042EE6C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                              • String ID: (&I$TWindowDisabler-Window
                                              • API String ID: 3167913817-491212620
                                              • Opcode ID: 510e926be6cddd0211adbfb4469153b5284f3bcdfc9007fb221ede7ccf605718
                                              • Instruction ID: 82027174cfd9f418450fe8ca69ab33f3320fea0b1784bdf35dac21ea3b2746f1
                                              • Opcode Fuzzy Hash: 510e926be6cddd0211adbfb4469153b5284f3bcdfc9007fb221ede7ccf605718
                                              • Instruction Fuzzy Hash: E0218171740710BAE710EB62ED02F1B76A8EB04B04F62453BF604AB6D1D7B86D50C6ED
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 00401A90)
                                              APIs
                                              • RtlEnterCriticalSection.KERNEL32(00492420,00000000,00401B68), ref: 00401ABD
                                              • LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
                                              • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
                                              • RtlLeaveCriticalSection.KERNEL32(00492420,00401B6F), ref: 00401B58
                                              • RtlDeleteCriticalSection.KERNEL32(00492420,00401B6F), ref: 00401B62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                              • String ID: @$I$P$I$|$I
                                              • API String ID: 3782394904-2452420409
                                              • Opcode ID: 13d60d6258edcbf522f01d7291c019f1f170a7a552ba6335bbe69aef08fb1927
                                              • Instruction ID: fb38efb60124e33bd0d6d544a4e8ce278d04d8a52801059130394851150c0a80
                                              • Opcode Fuzzy Hash: 13d60d6258edcbf522f01d7291c019f1f170a7a552ba6335bbe69aef08fb1927
                                              • Instruction Fuzzy Hash: C611BF30A017407AEB15AB659E82F263BE8A76170CF44007BF40067AF2D7FC9840C7AE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (function at 0047A510)
                                              APIs
                                              • FreeLibrary.KERNEL32(00000000), ref: 0047A6B8
                                              • FreeLibrary.KERNEL32(00000000), ref: 0047A6CC
                                              • SendNotifyMessageA.USER32(0001046E,00000496,00002710,00000000), ref: 0047A731
                                              Strings
                                              • Deinitializing Setup., xrefs: 0047A52E
                                              • DeinitializeSetup, xrefs: 0047A5C9
                                              • GetCustomSetupExitCode, xrefs: 0047A56D
                                              • Not restarting Windows because Setup is being run from the debugger., xrefs: 0047A6ED
                                              • Restarting Windows., xrefs: 0047A70C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeLibrary$MessageNotifySend
                                              • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                              • API String ID: 3817813901-1884538726
                                              • Opcode ID: 565544a3d2f7128e1fbc06875d4ca5fb4c7d3d47f03140b86412e545eabed437
                                              • Instruction ID: f287f9a6f42f295c8f4485c9d1258599c6f04b79e283e83c7e33560143f14427
                                              • Opcode Fuzzy Hash: 565544a3d2f7128e1fbc06875d4ca5fb4c7d3d47f03140b86412e545eabed437
                                              • Instruction Fuzzy Hash: 8C51D034600200AFD315DF65D885B9EBBA4FB9A315F61C4BBE808C73A1CB389D55CB5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 0045198C
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451992
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 004519A6
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004519AC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                              • API String ID: 1646373207-2130885113
                                              • Opcode ID: 3bf36bcfd98ce10bad23e2f9ae0128a2780410d433234e43a73a8982a17feb5d
                                              • Instruction ID: bc30ab95aa3e68d9a300d6e2b8d7baffeb65242bdbb5e2da560ca488e233ca82
                                              • Opcode Fuzzy Hash: 3bf36bcfd98ce10bad23e2f9ae0128a2780410d433234e43a73a8982a17feb5d
                                              • Instruction Fuzzy Hash: AF0184B0241744FEDB12EB729C56B5A3A98D711B19F60487BF840A51A3D7FC4D08CA6D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00475F37,?,?,00000000,00492628,00000000,00000000,?,00490529,00000000,004906D2,?,00000000), ref: 00475E57
                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00475F37,?,?,00000000,00492628,00000000,00000000,?,00490529,00000000,004906D2,?,00000000), ref: 00475E60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateDirectoryErrorLast
                                              • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                              • API String ID: 1375471231-1421604804
                                              • Opcode ID: d971e988ddd947d72368aaad927c191851754868bdd5cef345a65f7cfcfe1743
                                              • Instruction ID: 2992479d9a41277d4ba3c51ea03d54e21519c43d7d484cf0d062ff4dd53bb91c
                                              • Opcode Fuzzy Hash: d971e988ddd947d72368aaad927c191851754868bdd5cef345a65f7cfcfe1743
                                              • Instruction Fuzzy Hash: 0E415674A105099BDB00EF91D881ADEB7B9FF44305F50843BE815BB396DB78AE058B58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430160
                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043016F
                                              • GetCurrentThreadId.KERNEL32 ref: 00430189
                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 004301AA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                              • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                              • API String ID: 4130936913-2943970505
                                              • Opcode ID: 28029589c3db21dee67d6af112ea14edfd7444fd649c35e836976e13e9a64ada
                                              • Instruction ID: 59c811c4a41a2c0c62e5dc841fd9799240dd828c67306f5793c7ecde0d0b434c
                                              • Opcode Fuzzy Hash: 28029589c3db21dee67d6af112ea14edfd7444fd649c35e836976e13e9a64ada
                                              • Instruction Fuzzy Hash: F0F0A7705483409AD700EB35C902B1A7BE4AB58708F004A3FF458A63E1D77A9900CB1F
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 756FE550.OLE32(00491A3C,00000000,00000001,00491774,?,00000000,0045499A), ref: 004547E0
                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                              • 756FE550.OLE32(00491764,00000000,00000001,00491774,?,00000000,0045499A), ref: 00454804
                                              • SysFreeString.OLEAUT32(00000000), ref: 0045495F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: E550String$AllocByteCharFreeMultiWide
                                              • String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
                                              • API String ID: 2757340368-615220198
                                              • Opcode ID: 30c84a6b22ae8ec60ba87615f6782f2ed58e1117184a8e9cdc9aaee44ca2ff94
                                              • Instruction ID: 20b93dc07a47b2b5ead177be154b0c5a355cf91e616f5ebb89302d411650f3f2
                                              • Opcode Fuzzy Hash: 30c84a6b22ae8ec60ba87615f6782f2ed58e1117184a8e9cdc9aaee44ca2ff94
                                              • Instruction Fuzzy Hash: F15120B5A00105AFDB50EFA9C885F9F77F8AF49309F044066B904EB262D778DD88CB19
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastError.KERNEL32(?,D:"G,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453794,00453794,?,00453794,00000000), ref: 00453720
                                              • CloseHandle.KERNEL32(?,?,D:"G,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00453794,00453794,?,00453794), ref: 0045372D
                                                • Part of subcall function 004534E4: WaitForInputIdle.USER32(?,00000032), ref: 00453510
                                                • Part of subcall function 004534E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00453532
                                                • Part of subcall function 004534E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00453541
                                                • Part of subcall function 004534E4: CloseHandle.KERNEL32(?,0045356E,00453567,?,?,?,00000000,?,?,00453741,?,?,?,D:"G,00000000,00000000), ref: 00453561
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                              • String ID: .bat$.cmd$COMMAND.COM" /C $D:"G$cmd.exe" /C "
                                              • API String ID: 854858120-4270494884
                                              • Opcode ID: bccf3e7cba150ee1aae3b47e09a506dfff9cf5ab091d589901dc61c2f7b9f919
                                              • Instruction ID: e48de0c09470f56e814a1eaeb461330263aa011ed8558adaef5bf8b5374a4d6d
                                              • Opcode Fuzzy Hash: bccf3e7cba150ee1aae3b47e09a506dfff9cf5ab091d589901dc61c2f7b9f919
                                              • Instruction Fuzzy Hash: AD517874A0034DABCB11EF95C881B9DBBB9AF48746F50403BBC04B7382D7789B198B58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadIconA.USER32(00400000,MAINICON), ref: 004236C4
                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 004236F1
                                              • OemToCharA.USER32(?,?), ref: 00423704
                                              • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 00423744
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Char$FileIconLoadLowerModuleName
                                              • String ID: 2$MAINICON
                                              • API String ID: 3935243913-3181700818
                                              • Opcode ID: 224cf75db4ea10a89a7eebe0d84fc4cc31f478398fb3606dfc63747a48c8d72c
                                              • Instruction ID: 65266eba4a5d446380783eb4ad5427bb3c2b6e1eaca800c785880fb46d02af3b
                                              • Opcode Fuzzy Hash: 224cf75db4ea10a89a7eebe0d84fc4cc31f478398fb3606dfc63747a48c8d72c
                                              • Instruction Fuzzy Hash: E53193B0A042559ADB10EF29C8C57C67BE89F14308F4441BAE944DB393D7BED988CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcessId.KERNEL32(00000000), ref: 00418EE5
                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F06
                                              • GetCurrentThreadId.KERNEL32 ref: 00418F21
                                              • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F42
                                                • Part of subcall function 00423070: 73A1A570.USER32(00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230C6
                                                • Part of subcall function 00423070: EnumFontsA.GDI32(00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230D9
                                                • Part of subcall function 00423070: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230E1
                                                • Part of subcall function 00423070: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230EC
                                                • Part of subcall function 00423634: LoadIconA.USER32(00400000,MAINICON), ref: 004236C4
                                                • Part of subcall function 00423634: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 004236F1
                                                • Part of subcall function 00423634: OemToCharA.USER32(?,?), ref: 00423704
                                                • Part of subcall function 00423634: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F8E,00000000,?,?,?,00000001), ref: 00423744
                                                • Part of subcall function 0041F0C0: GetVersion.KERNEL32(?,00418F98,00000000,?,?,?,00000001), ref: 0041F0CE
                                                • Part of subcall function 0041F0C0: SetErrorMode.KERNEL32(00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0EA
                                                • Part of subcall function 0041F0C0: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0F6
                                                • Part of subcall function 0041F0C0: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F104
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F134
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F15D
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F172
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F187
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F19C
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1B1
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1C6
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1DB
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1F0
                                                • Part of subcall function 0041F0C0: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F205
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                              • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                              • API String ID: 3864787166-2767913252
                                              • Opcode ID: ef7e27ba16645ad8f4c699e646a7607366e766e332a0da38ca4bd420b63be1db
                                              • Instruction ID: b182b06b3bcb1b2e8c3ba80a322d5fe38ad1e868bfed4ce1d31fb71d0c0c557e
                                              • Opcode Fuzzy Hash: ef7e27ba16645ad8f4c699e646a7607366e766e332a0da38ca4bd420b63be1db
                                              • Instruction Fuzzy Hash: 051142B06142406AC740FF36998274A76E1EBA4308F40853FF448EB3E1DB7D9945CB6E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongA.USER32(?,000000FC,?), ref: 0041360C
                                              • GetWindowLongA.USER32(?,000000F0), ref: 00413617
                                              • GetWindowLongA.USER32(?,000000F4), ref: 00413629
                                              • SetWindowLongA.USER32(?,000000F4,?), ref: 0041363C
                                              • SetPropA.USER32(?,00000000,00000000), ref: 00413653
                                              • SetPropA.USER32(?,00000000,00000000), ref: 0041366A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LongWindow$Prop
                                              • String ID:
                                              • API String ID: 3887896539-0
                                              • Opcode ID: 0a6263d03eac2d2bce2c4b1186c1d291e8e55930424baaf96426919c90c6d239
                                              • Instruction ID: f31fb67a9e11a3f95cb2897c8c98fc4a52a333ae5d38a5fa38f8a355adb326ca
                                              • Opcode Fuzzy Hash: 0a6263d03eac2d2bce2c4b1186c1d291e8e55930424baaf96426919c90c6d239
                                              • Instruction Fuzzy Hash: C911CC75500245BFDB00EF99DC84E9A37E8AB19364F104266F918DB2A1D738D9908B64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453D83,?,00000000,00453DC3), ref: 00453CC9
                                              Strings
                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453C4C
                                              • PendingFileRenameOperations, xrefs: 00453C68
                                              • PendingFileRenameOperations2, xrefs: 00453C98
                                              • WININIT.INI, xrefs: 00453CF8
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseOpen
                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                              • API String ID: 47109696-2199428270
                                              • Opcode ID: 9cb5c1f0a044df6afda0d360ea4bc27dd08283e5185a3e1e925179899d14cb99
                                              • Instruction ID: aa5cd69e504587c061a58de22e540fe2c0eb6883408e267526cdea27caab368f
                                              • Opcode Fuzzy Hash: 9cb5c1f0a044df6afda0d360ea4bc27dd08283e5185a3e1e925179899d14cb99
                                              • Instruction Fuzzy Hash: AF51D730E002489BDB10EF61DC52ADEB7B9EF44745F50857BE804A7292DB3CAF09CA18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046288D
                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004628B3
                                                • Part of subcall function 00462730: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004627C8
                                                • Part of subcall function 00462730: DestroyCursor.USER32(00000000), ref: 004627DE
                                              • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046290F
                                              • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00462935
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Icon$ExtractFileInfo$CursorDestroyDraw
                                              • String ID: c:\directory
                                              • API String ID: 2926980410-3984940477
                                              • Opcode ID: 29e0c85cb7bbc84e991fe9b864147cbcc3941f6a1fa61eb28117cfda4f6013bc
                                              • Instruction ID: 427904fd0b382b2f05c77991b1ac4ddebc586400d5837c21677a4a344efa396e
                                              • Opcode Fuzzy Hash: 29e0c85cb7bbc84e991fe9b864147cbcc3941f6a1fa61eb28117cfda4f6013bc
                                              • Instruction Fuzzy Hash: CD418D70700644BFDB10DB55CD8AFDBBBE8AB49304F1040A6F90497291D6B8AE84CA59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 0042DC78
                                              • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DDFB,00000000,0042DE13,?,?,?,?,00000006,?,00000000,0048F8FB), ref: 0042DC93
                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DC99
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressDeleteHandleModuleProc
                                              • String ID: RegDeleteKeyExA$advapi32.dll
                                              • API String ID: 588496660-1846899949
                                              • Opcode ID: 7a80425bfa703e483b3faf6f338cf9008a09661c63399848f89508ca22aefea6
                                              • Instruction ID: f6d26141eb233d03b94b2ed72026fa1db25b9960d6d40d8c32de7d906beb62d4
                                              • Opcode Fuzzy Hash: 7a80425bfa703e483b3faf6f338cf9008a09661c63399848f89508ca22aefea6
                                              • Instruction Fuzzy Hash: AAE06DF0B41230BAD62067ABBE4AF9326289F64725F544537F145A62D182FC4C41DE5C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetActiveWindow.USER32(?,?,00000000,0047BE5D,?,?,00000001,?), ref: 0047BC59
                                              • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047BCCE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ActiveChangeNotifyWindow
                                              • String ID: $Need to restart Windows? %s
                                              • API String ID: 1160245247-4200181552
                                              • Opcode ID: ed1255ec7530e5d27df6289ed88c297b95d2c2b5d9591ca7c9600edd0e9b0b88
                                              • Instruction ID: f4c1e1fff3503470ea18fdaabc6d14c851de77ee15ab21044676623dc6a244ae
                                              • Opcode Fuzzy Hash: ed1255ec7530e5d27df6289ed88c297b95d2c2b5d9591ca7c9600edd0e9b0b88
                                              • Instruction Fuzzy Hash: 0F9170346042449FCB01EF69D886B9A77F5EF56308F1080BBE8049B366DB78AD45CB99
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720
                                                • Part of subcall function 0042CAA4: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBD2,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A), ref: 0042CACC
                                              • GetLastError.KERNEL32(00000000,0046A17D,?,?,00000001,0049307C), ref: 0046A05A
                                              • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046A0D4
                                              • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046A0F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ChangeNotify$CharErrorFullLastNamePathPrev
                                              • String ID: Creating directory: %s
                                              • API String ID: 2168629741-483064649
                                              • Opcode ID: f0ea55da9561c7475a5743fab90f50c64dd7051ef843fcce111b49f539560e2f
                                              • Instruction ID: 39b67aeb1d7855c22aabfe2f82cf891ef9e94af442bcdac43ae26702b455444b
                                              • Opcode Fuzzy Hash: f0ea55da9561c7475a5743fab90f50c64dd7051ef843fcce111b49f539560e2f
                                              • Instruction Fuzzy Hash: 8A512374E00248ABDB01DFA9C982BDEB7F5AF49304F50846AE851B7382D7785E04CF5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004533EA
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004534B0), ref: 00453454
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressByteCharMultiProcWide
                                              • String ID: SfcIsFileProtected$sfc.dll
                                              • API String ID: 2508298434-591603554
                                              • Opcode ID: 4b50ca8e1327cf77ffaefa782f18a20e389156e08d40e3b6f393e5ded95c096a
                                              • Instruction ID: 1adb4bde248a8b19f2f304064bd770535e454300abe4aaf5ea9dda1ac3de6c9a
                                              • Opcode Fuzzy Hash: 4b50ca8e1327cf77ffaefa782f18a20e389156e08d40e3b6f393e5ded95c096a
                                              • Instruction Fuzzy Hash: C741B470A00218ABEB21DF55DD85B9DB7B8AB0534AF5040BBF808A3292D7785F48DA5C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 74D41520.VERSION(00000000,?,?,?,0048F996), ref: 00450CAC
                                              • 74D41500.VERSION(00000000,?,00000000,?,00000000,00450D27,?,00000000,?,?,?,0048F996), ref: 00450CD9
                                              • 74D41540.VERSION(?,00450D50,?,?,00000000,?,00000000,?,00000000,00450D27,?,00000000,?,?,?,0048F996), ref: 00450CF3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: D41500D41520D41540
                                              • String ID: aE
                                              • API String ID: 2153611984-88912727
                                              • Opcode ID: 5f4df345e488c05fd5bd4e33c36db4a7a4bcf57642fa48d89191aa24049eff36
                                              • Instruction ID: fa6cca6fee997d329f140acf62b9c68117f89c9724db0c09afd566eb7417e920
                                              • Opcode Fuzzy Hash: 5f4df345e488c05fd5bd4e33c36db4a7a4bcf57642fa48d89191aa24049eff36
                                              • Instruction Fuzzy Hash: 66215379A00649AFDB01DAE98C41DBFB7FCEB49301F55407AFD04E3242D679AE088769
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                              • ExitProcess.KERNEL32 ref: 00404E0D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ExitMessageProcess
                                              • String ID: Error$Runtime error at 00000000
                                              • API String ID: 1220098344-2970929446
                                              • Opcode ID: cb3f50221c7fc4a280dd17ceecd31964af7b7a4f5716c995046d60236483f2a1
                                              • Instruction ID: 54305f10cd77fd258ec0cbb2b3b89b3afa079266c0d37f3845e7031a68d66c88
                                              • Opcode Fuzzy Hash: cb3f50221c7fc4a280dd17ceecd31964af7b7a4f5716c995046d60236483f2a1
                                              • Instruction Fuzzy Hash: 1E21C560A44281AAEB16A775EE817163B9197E5348F048177E700B73F3C6FC8C84C7AE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegCloseKey.ADVAPI32(?,00453F8F,?,00000001,00000000), ref: 00453F82
                                              Strings
                                              • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453F30
                                              • PendingFileRenameOperations2, xrefs: 00453F63
                                              • PendingFileRenameOperations, xrefs: 00453F54
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseOpen
                                              • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                              • API String ID: 47109696-2115312317
                                              • Opcode ID: 21250b3f59e8a1b3ab45e49100b6a533c2958c5d03e63bbb63f4184d55fa8918
                                              • Instruction ID: 2fe5d9dd412f96f0258c427e8e9e7532a7d77a38f3856869fbc3dabfb8f5c388
                                              • Opcode Fuzzy Hash: 21250b3f59e8a1b3ab45e49100b6a533c2958c5d03e63bbb63f4184d55fa8918
                                              • Instruction Fuzzy Hash: 1DF0C233B443087FDB09DA62AC07A1AB3ECD744B56FA0446BF80086582DA79AE04922C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0046C7F5,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E), ref: 0046C7D1
                                              • FindClose.KERNEL32(000000FF,0046C7FC,0046C7F5,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E,?), ref: 0046C7EF
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0046C917,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E), ref: 0046C8F3
                                              • FindClose.KERNEL32(000000FF,0046C91E,0046C917,?,00000000,?,00000001,00000000,0046C9C3,?,00000000,?,00000000,?,0046CB7E,?), ref: 0046C911
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileNext
                                              • String ID:
                                              • API String ID: 2066263336-0
                                              • Opcode ID: 0f960cb1112d21006a9c127ae61e0f4d16613c63928aaaa408fce4eab3408d2c
                                              • Instruction ID: 1dd2fae92c3a96226fdad02eb244197cfc035410fb76892232ec07de3388933a
                                              • Opcode Fuzzy Hash: 0f960cb1112d21006a9c127ae61e0f4d16613c63928aaaa408fce4eab3408d2c
                                              • Instruction Fuzzy Hash: 21B12D7490424D9FCF11DFA5C881ADEBBB9BF4C304F5081AAE848B3251E7389A45CF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetMenu.USER32(00000000), ref: 00421309
                                              • SetMenu.USER32(00000000,00000000), ref: 00421326
                                              • SetMenu.USER32(00000000,00000000), ref: 0042135B
                                              • SetMenu.USER32(00000000,00000000), ref: 00421377
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Menu
                                              • String ID:
                                              • API String ID: 3711407533-0
                                              • Opcode ID: 69c3d24cbd3908ab398b23ff4996bcca6d71d6d9efd1b021582025e8ce73b4a6
                                              • Instruction ID: 0f81d55959a1cf47e4f4fbe1fb89748b5e36cc62268cbc8ca2fac5ad34181ecf
                                              • Opcode Fuzzy Hash: 69c3d24cbd3908ab398b23ff4996bcca6d71d6d9efd1b021582025e8ce73b4a6
                                              • Instruction Fuzzy Hash: 1341C37070025557EB20BB3AA88579A76924F65308F4901BFBC44DF3A7CA7DCC4683AC
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(?,?,?,?), ref: 00416B2C
                                              • SetTextColor.GDI32(?,00000000), ref: 00416B46
                                              • SetBkColor.GDI32(?,00000000), ref: 00416B60
                                              • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B88
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Color$CallMessageProcSendTextWindow
                                              • String ID:
                                              • API String ID: 601730667-0
                                              • Opcode ID: 94d5e14a106f4ce483550bedbdeace2163082f32d69035d86e8ad094192f6645
                                              • Instruction ID: b033cece6509217f2327ce801b750aa6be190e92d4bc00e16b2453bc82832c42
                                              • Opcode Fuzzy Hash: 94d5e14a106f4ce483550bedbdeace2163082f32d69035d86e8ad094192f6645
                                              • Instruction Fuzzy Hash: DA112EB2204610AFC710EE6ECDC5E9777ECEF49314715882AB59ADB612D638F8418B29
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • EnumWindows.USER32(004239C4), ref: 00423A50
                                              • GetWindow.USER32(?,00000003), ref: 00423A65
                                              • GetWindowLongA.USER32(?,000000EC), ref: 00423A74
                                              • SetWindowPos.USER32(00000000,00424104,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424153,?,?,00423D1B), ref: 00423AAA
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$EnumLongWindows
                                              • String ID:
                                              • API String ID: 4191631535-0
                                              • Opcode ID: 2ac3058ad058fb58bc43d272a33111b98432a4fbb6a4c2e0798833925aa94dac
                                              • Instruction ID: 2aa942e0144c2f66fd74dad5558343876cb1daa91c8e5ea9adb7241dccc7aa7f
                                              • Opcode Fuzzy Hash: 2ac3058ad058fb58bc43d272a33111b98432a4fbb6a4c2e0798833925aa94dac
                                              • Instruction Fuzzy Hash: C9112E70704610ABDB10DF68DD85F5A77E4EB08725F11066AF994AB2E2C3789D41CB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230C6
                                              • EnumFontsA.GDI32(00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000,?,?,?,00000001), ref: 004230D9
                                              • 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230E1
                                              • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423010,004105F8,00000000,?,?,00000000,?,00418F7B,00000000), ref: 004230EC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A24620A480A570EnumFonts
                                              • String ID:
                                              • API String ID: 2630238358-0
                                              • Opcode ID: 541138733ee3697c01f8c81797123c03923b2bd4d964166bd9626717c6dd975c
                                              • Instruction ID: afad048246e6630919bdfa9f1eb422a1972ed3af21ea5203bed7575143a0f70f
                                              • Opcode Fuzzy Hash: 541138733ee3697c01f8c81797123c03923b2bd4d964166bd9626717c6dd975c
                                              • Instruction Fuzzy Hash: 9D01D2717043002AE700BF7A5C82B9B3A549F05319F44023BF804AF2C2D6BE9905876E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WaitForInputIdle.USER32(?,00000032), ref: 00453510
                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00453532
                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00453541
                                              • CloseHandle.KERNEL32(?,0045356E,00453567,?,?,?,00000000,?,?,00453741,?,?,?,D:"G,00000000,00000000), ref: 00453561
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                              • String ID:
                                              • API String ID: 4071923889-0
                                              • Opcode ID: cb2ec6e2e327cbe717a960b84219f2604a12aee98f16707f6853b19b6914ee48
                                              • Instruction ID: 976b375f78923eada3d8d1f25cef2af6e5c381faa9b0e8b7c45c7f6a29b52fc4
                                              • Opcode Fuzzy Hash: cb2ec6e2e327cbe717a960b84219f2604a12aee98f16707f6853b19b6914ee48
                                              • Instruction Fuzzy Hash: 48019670A4060C7AEB209BA98C06E6B7AACDB057A1F610167B904D72C2E5789E008A68
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CountSleepTick
                                              • String ID:
                                              • API String ID: 2227064392-0
                                              • Opcode ID: 5becf3b4ede20e9077232847a3f90d8bc995cd670e7de1c8d1af3c9e17ffb5f4
                                              • Instruction ID: ac2bc92c64288a8ae8ad87d3879801b84766de851918f2f303a3950bd66c2a85
                                              • Opcode Fuzzy Hash: 5becf3b4ede20e9077232847a3f90d8bc995cd670e7de1c8d1af3c9e17ffb5f4
                                              • Instruction Fuzzy Hash: E8E02B31309D8045CE2879BE18827FF458AEB85324B35493FF0CED6282CC1C4C05A92E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0044FC44: SetEndOfFile.KERNEL32(?,?,004599C5,00000000,00459B68,?,00000000,00000002,00000002), ref: 0044FC4B
                                              • FlushFileBuffers.KERNEL32(?), ref: 00459B34
                                              Strings
                                              • EndOffset range exceeded, xrefs: 00459A56
                                              • NumRecs range exceeded, xrefs: 00459A1F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: File$BuffersFlush
                                              • String ID: EndOffset range exceeded$NumRecs range exceeded
                                              • API String ID: 3593489403-659731555
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00490B12), ref: 0040334B
                                                • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00490B12), ref: 00403356
                                                • Part of subcall function 00409B20: 6F571CD0.COMCTL32(00490B21), ref: 00409B20
                                                • Part of subcall function 004108FC: GetCurrentThreadId.KERNEL32 ref: 0041094A
                                                • Part of subcall function 00418FE8: GetVersion.KERNEL32(00490B35), ref: 00418FE8
                                                • Part of subcall function 0044EE30: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00490B49), ref: 0044EE6B
                                                • Part of subcall function 0044EE30: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EE71
                                                • Part of subcall function 0045196C: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 0045198C
                                                • Part of subcall function 0045196C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451992
                                                • Part of subcall function 0045196C: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451A05,?,?,?,?,00000000,?,00490B53), ref: 004519A6
                                                • Part of subcall function 0045196C: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004519AC
                                                • Part of subcall function 0045FCBC: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00490B67), ref: 0045FCCB
                                                • Part of subcall function 0045FCBC: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045FCD1
                                                • Part of subcall function 004678D8: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004678ED
                                                • Part of subcall function 00472434: GetModuleHandleA.KERNEL32(kernel32.dll,?,00490B71), ref: 0047243A
                                                • Part of subcall function 00472434: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00472447
                                                • Part of subcall function 00472434: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00472457
                                                • Part of subcall function 0048DD14: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0048DD2D
                                              • SetErrorMode.KERNEL32(00000001,00000000,00490BB9), ref: 00490B8B
                                                • Part of subcall function 00490914: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00490B95,00000001,00000000,00490BB9), ref: 0049091E
                                                • Part of subcall function 00490914: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00490924
                                                • Part of subcall function 0042447C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0042449B
                                                • Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284
                                              • ShowWindow.USER32(?,00000005,00000000,00490BB9), ref: 00490BFC
                                                • Part of subcall function 0047B260: SetActiveWindow.USER32(?), ref: 0047B304
                                              Strings
                                              Similarity
                                              • API ID: AddressProc$HandleModule$Window$ActiveClipboardCommandCurrentErrorF571FormatLibraryLineLoadMessageModeRegisterSendShowTextThreadVersion
                                              • String ID: Setup
                                              • API String ID: 4284711697-3839654196
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,?,00000000,0042DB61), ref: 0042DA78
                                              • RegQueryValueExA.ADVAPI32(?,ProductType,00000000,?,00000000,00000000,?,ProductType,00000000,?,00000000,?,00000000,0042DB61), ref: 0042DAD0
                                              Strings
                                              Similarity
                                              • API ID: QueryValue
                                              • String ID: ProductType
                                              • API String ID: 3660427363-120863269
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045228F,?,?,00000000,00492628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004521E6
                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0045228F,?,?,00000000,00492628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004521EF
                                              Strings
                                              Similarity
                                              • API ID: CreateDirectoryErrorLast
                                              • String ID: .tmp
                                              • API String ID: 1375471231-2986845003
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 0045388C
                                              • GetLastError.KERNEL32(0000003C,00000000,004538D5,?,?,?), ref: 0045389D
                                                • Part of subcall function 004534E4: WaitForInputIdle.USER32(?,00000032), ref: 00453510
                                                • Part of subcall function 004534E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00453532
                                                • Part of subcall function 004534E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00453541
                                                • Part of subcall function 004534E4: CloseHandle.KERNEL32(?,0045356E,00453567,?,?,?,00000000,?,?,00453741,?,?,?,D:"G,00000000,00000000), ref: 00453561
                                              Strings
                                              Similarity
                                              • API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
                                              • String ID: <
                                              • API String ID: 35504260-4251816714
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00475B5A,00000000,00475B70,?,?,?,?,00000000), ref: 00475936
                                              Strings
                                              Similarity
                                              • API ID: Close
                                              • String ID: RegisteredOrganization$RegisteredOwner
                                              • API String ID: 3535843008-1113070880
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046F62F), ref: 0046F41D
                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0046F62F), ref: 0046F434
                                                • Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B
                                              Strings
                                              Similarity
                                              • API ID: CloseCreateErrorFileHandleLast
                                              • String ID: CreateFile
                                              • API String ID: 2528220319-823142352
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,|0I,00000004,00000001,?,00469B43,?,?,00000000,00469BEA,?,_is1,?), ref: 0046962F
                                              Strings
                                              Similarity
                                              • API ID: Value
                                              • String ID: NoModify$|0I
                                              • API String ID: 3702945584-1260956942
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042E1E0: SetErrorMode.KERNEL32(00008000), ref: 0042E1EA
                                                • Part of subcall function 0042E1E0: LoadLibraryA.KERNEL32(00000000,00000000,0042E234,?,00000000,0042E252,?,00008000), ref: 0042E219
                                              • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004678ED
                                              Strings
                                              Similarity
                                              • API ID: AddressErrorLibraryLoadModeProc
                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                              • API String ID: 2492108670-2683653824
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemMenu.USER32(00000000,00000000,00000000,0047AA50), ref: 0047A9E8
                                              • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047A9F9
                                              • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047AA11
                                              Similarity
                                              • API ID: Menu$Append$System
                                              • String ID:
                                              • API String ID: 1489644407-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000,?,00000000,00000000,0044AB69,?,0047B27B,?,?), ref: 0044AADD
                                              • SelectObject.GDI32(?,00000000), ref: 0044AB00
                                              • 73A1A480.USER32(00000000,?,0044AB40,00000000,0044AB39,?,00000000,?,00000000,00000000,0044AB69,?,0047B27B,?,?), ref: 0044AB33
                                              Similarity
                                              • API ID: A480A570ObjectSelect
                                              • String ID:
                                              • API String ID: 1230475511-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A828,?,0047B27B,?,?), ref: 0044A7FA
                                              • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A80D
                                              • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A841
                                              Similarity
                                              • API ID: DrawText$ByteCharMultiWide
                                              • String ID:
                                              • API String ID: 65125430-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004243BA
                                              • TranslateMessage.USER32(?), ref: 00424437
                                              • DispatchMessageA.USER32(?), ref: 00424441
                                              Similarity
                                              • API ID: Message$DispatchPeekTranslate
                                              • String ID:
                                              • API String ID: 4217535847-0
                                              • Opcode ID: 5ba890f0d626e851ae5eb072c17b98b7617e900c1ccbace483623866fa51125f
                                              • Instruction ID: 29ec6bb2c2fe33ce96073087ef8f049612c87f0656b6e82933878d2f51458537
                                              • Opcode Fuzzy Hash: 5ba890f0d626e851ae5eb072c17b98b7617e900c1ccbace483623866fa51125f
                                              • Instruction Fuzzy Hash: 1F11C43030435056DA20E6A4B94179B73D4CFC1708F85485EF9C957382D7BD9E4487AB
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetPropA.USER32(00000000,00000000), ref: 00416612
                                              • SetPropA.USER32(00000000,00000000), ref: 00416627
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041664E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Prop$Window
                                              • String ID:
                                              • API String ID: 3363284559-0
                                              • Opcode ID: b31ba192d97bc2a8128d85a50ffa45febb98a78fe245b4b5ec301087639eabad
                                              • Instruction ID: 675018db8e1bdf4ebffe2da0d9b09b3c9fe28390eae3e6cfa7bb9a74213a9f8e
                                              • Opcode Fuzzy Hash: b31ba192d97bc2a8128d85a50ffa45febb98a78fe245b4b5ec301087639eabad
                                              • Instruction Fuzzy Hash: 9DF0B271701210BFDB109B599C85FA632DCBB19B15F160176BE08EF286D6B8DD40C7A8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Virtual$AllocFree
                                              • String ID: @$I
                                              • API String ID: 2087232378-1899187264
                                              • Opcode ID: 08da3f0d1e78bfe9c634c9aa4f5f35e672582809eb99289594877bc0e4020af2
                                              • Instruction ID: 725a70dfb87e22c3967cff80d89a5dac4b2b1bb1b28326949d670fe9fc14322f
                                              • Opcode Fuzzy Hash: 08da3f0d1e78bfe9c634c9aa4f5f35e672582809eb99289594877bc0e4020af2
                                              • Instruction Fuzzy Hash: 82F0A772B0073067EB60596A4C81F5359C49FC5794F154076FD0DFF3E9D6B58C0142A9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 0041EE0C
                                              • IsWindowEnabled.USER32(?), ref: 0041EE16
                                              • EnableWindow.USER32(?,00000000), ref: 0041EE3C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$EnableEnabledVisible
                                              • String ID:
                                              • API String ID: 3234591441-0
                                              • Opcode ID: 26f15855b103a5989d821e845a8b5a76b466f6557515be23c42bc0ec7e566d17
                                              • Instruction ID: 96e98aa39eb8546384e417ef666d490cadeddd778781aa4cd60f09ebcc6840ac
                                              • Opcode Fuzzy Hash: 26f15855b103a5989d821e845a8b5a76b466f6557515be23c42bc0ec7e566d17
                                              • Instruction Fuzzy Hash: 65E0EDB42003016AEB11AB27DCC1B5B769CBB54354F468477AD169B2A3DA3DD8408A78
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GlobalHandle.KERNEL32 ref: 004062A1
                                              • GlobalUnWire.KERNEL32(00000000), ref: 004062A8
                                              • GlobalFree.KERNEL32(00000000), ref: 004062AD
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Global$FreeHandleWire
                                              • String ID:
                                              • API String ID: 318822183-0
                                              • Opcode ID: 811b5650058efd060b0480522622cea17f29fa46ba8acc2a698c355084a7e242
                                              • Instruction ID: 232b5a29dca1329e6ee8fbf729e049d74cb9239d0bdd557acda0a77be920d3a5
                                              • Opcode Fuzzy Hash: 811b5650058efd060b0480522622cea17f29fa46ba8acc2a698c355084a7e242
                                              • Instruction Fuzzy Hash: 73A001C4804A04A9D80072B2080BA2F244CD8413283D0496B7440B2183883C8C40593A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetActiveWindow.USER32(?), ref: 0047B304
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ActiveWindow
                                              • String ID: InitializeWizard
                                              • API String ID: 2558294473-2356795471
                                              • Opcode ID: 7dcdac06667e54ad75248da9345b0533922542ed88e577c38f7e195ec549533c
                                              • Instruction ID: 4e25cab65ed988d36d771276a92aef87a17e854c81311b79447974de30300cc1
                                              • Opcode Fuzzy Hash: 7dcdac06667e54ad75248da9345b0533922542ed88e577c38f7e195ec549533c
                                              • Instruction Fuzzy Hash: CA11A330204204AFD701EB69FD45B5A77E4E755324F2084BBF40A877A1D7796C41DB5D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              • Failed to remove temporary directory: , xrefs: 00476079
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CountTick
                                              • String ID: Failed to remove temporary directory:
                                              • API String ID: 536389180-3544197614
                                              • Opcode ID: 8eaa77d6da94d3eb7a991c9334ea7c1cfd0c78d7d0c6d11cc61aa5cf67c36756
                                              • Instruction ID: 6ffa0d28bc3bfc953a6b8bbcd879379d441b58bb6ad8f3d837193fbc1ee90d1a
                                              • Opcode Fuzzy Hash: 8eaa77d6da94d3eb7a991c9334ea7c1cfd0c78d7d0c6d11cc61aa5cf67c36756
                                              • Instruction Fuzzy Hash: B301F530610B44AADB11EB72CC46BDF77A9DB05709FA1843BF804A7192D6BDAE08890C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00475A36,00000000,00475B70), ref: 00475835
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00475805
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseOpen
                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                              • API String ID: 47109696-1019749484
                                              • Opcode ID: 32ef8136de0120a00000d409f2c8a2fabb2658739af061c3bbedf7e0271f1c3a
                                              • Instruction ID: 6f23ae70e013487785b82a96322c3c90f2bad5c8cb9ef8bfae3d8b83ecadceb2
                                              • Opcode Fuzzy Hash: 32ef8136de0120a00000d409f2c8a2fabb2658739af061c3bbedf7e0271f1c3a
                                              • Instruction Fuzzy Hash: A1F08231B0451467EA04B69A9C42B9EA79D9B84758F21407BF908DF342D9F99E0242AD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,0049307C,?,004697A3,?,00000000,00469BEA,?,_is1), ref: 004695CF
                                              Strings
                                              • Inno Setup: Setup Version, xrefs: 004695CD
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Value
                                              • String ID: Inno Setup: Setup Version
                                              • API String ID: 3702945584-4166306022
                                              • Opcode ID: f5add68329ef97518e4fcb466ca5aa8f04737b31d2f7e60d26670de3c31fcc1c
                                              • Instruction ID: bcb48f81889c44c2f620efda9402a5d0bb1fb61369e9a11a86b2db072df5fa83
                                              • Opcode Fuzzy Hash: f5add68329ef97518e4fcb466ca5aa8f04737b31d2f7e60d26670de3c31fcc1c
                                              • Instruction Fuzzy Hash: 5CE06D713012043FD710EA2A9C85F5BBBDCDF88365F10403AB908DB392D978DD0185A8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              Strings
                                              • System\CurrentControlSet\Control\Windows, xrefs: 0042DC5E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Open
                                              • String ID: System\CurrentControlSet\Control\Windows
                                              • API String ID: 71445658-1109719901
                                              • Opcode ID: 22e0c054078c54348808a8319995cc634a026ba4b678fe1ea34de8a5361bc097
                                              • Instruction ID: 29d81e93da8360ba13d0a113dd5009aeb6b598c84d67836305bbff2bc9e8969e
                                              • Opcode Fuzzy Hash: 22e0c054078c54348808a8319995cc634a026ba4b678fe1ea34de8a5361bc097
                                              • Instruction Fuzzy Hash: B7D09E72910128BB9B109A89DC41DF7775DDB19760F44401AF904A7141C1B4AC519BE4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0045298B,?,00000000,004529F5,?,?,-00000001,00000000,?,00476075,00000000,00475FC4,00000000), ref: 00452967
                                              • FindClose.KERNEL32(000000FF,00452992,0045298B,?,00000000,004529F5,?,?,-00000001,00000000,?,00476075,00000000,00475FC4,00000000,00000001), ref: 00452985
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileNext
                                              • String ID:
                                              • API String ID: 2066263336-0
                                              • Opcode ID: a99cf6ff43cb7055f88edba52b7dabbbe93e4ece8c98e32af49a4cb8b5e60e2d
                                              • Instruction ID: a46e81b432fa17c8035645edee6d72e6358aab5d3d8117a0f5ee062976db862c
                                              • Opcode Fuzzy Hash: a99cf6ff43cb7055f88edba52b7dabbbe93e4ece8c98e32af49a4cb8b5e60e2d
                                              • Instruction Fuzzy Hash: 48819074A0024D9FCF11DFA5C941BEFBBB4AF4A305F1480A7D85463392D3789A4ACB98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDE6,?,?,00000008,00000000,00000000,0042DE13), ref: 0042DD7C
                                              • RegCloseKey.ADVAPI32(?,0042DDED,?,00000000,00000000,00000000,00000000,00000000,0042DDE6,?,?,00000008,00000000,00000000,0042DE13), ref: 0042DDE0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseEnumOpen
                                              • String ID:
                                              • API String ID: 1332880857-0
                                              • Opcode ID: 6a6d37df4780ae56173176aed11abddf1dba0bd452523448435c3bf77f41b0f8
                                              • Instruction ID: aff0e8ce8d067f54f66efdcf097c0108d0334413938de9990ba2ca89854e671e
                                              • Opcode Fuzzy Hash: 6a6d37df4780ae56173176aed11abddf1dba0bd452523448435c3bf77f41b0f8
                                              • Instruction Fuzzy Hash: 50319374F046046EDB11DFA2DD52BBFBBB9EB48304FA0447BA400F7291D6789A01CA29
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNEL32(00000000,00000000,?,?,00455ECC,00000000,00455EB4,?,?,?,00000000,00450FDE,?,?,?,00000001), ref: 00450FB8
                                              • GetLastError.KERNEL32(00000000,00000000,?,?,00455ECC,00000000,00455EB4,?,?,?,00000000,00450FDE,?,?,?,00000001), ref: 00450FC0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateErrorLastProcess
                                              • String ID:
                                              • API String ID: 2919029540-0
                                              • Opcode ID: f3603e2291ac4d2bff5630acf20c922798bf03bd121a7c5ca53d5b2f3657e726
                                              • Instruction ID: 90ec035facff387a728fa34ee480b9bdab906da10ba2c5f97b54275381758835
                                              • Opcode Fuzzy Hash: f3603e2291ac4d2bff5630acf20c922798bf03bd121a7c5ca53d5b2f3657e726
                                              • Instruction Fuzzy Hash: 6E115E76604208AF8B50DEADDC41DDFB7ECEB4D310B51456AFD08E3241D674EE158B64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF8A
                                              • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0E7,00000000,0040B0FF,?,?,?,00000000), ref: 0040AF9B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Resource$FindFree
                                              • String ID:
                                              • API String ID: 4097029671-0
                                              • Opcode ID: 8c30dec602ece8ae2a8e71100469382659f92ae3bfb2da213009fea87c39b6d5
                                              • Instruction ID: 1221a5199f13f7129315330983e0874b2bf41397b47310acc6f6b643a0b38e17
                                              • Opcode Fuzzy Hash: 8c30dec602ece8ae2a8e71100469382659f92ae3bfb2da213009fea87c39b6d5
                                              • Instruction Fuzzy Hash: FB012FB1300300AFDB00EF69DC82E1A33A9EB493087108077F500BB2D0DA799C11962A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 0041EE9B
                                              • 73A25940.USER32(00000000,0041EDFC,00000000,00000000,0041EEB8,?,00000000,0041EEEF,?,0042E7E8,?,00000001), ref: 0041EEA1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A25940CurrentThread
                                              • String ID:
                                              • API String ID: 2655091166-0
                                              • Opcode ID: 10cd4d059b02f226dcedeab6d983f116a71722e0e95fe1aa277000ca600bc38b
                                              • Instruction ID: ca42cadf64aab9fc9bda363da699102df16a4657dc233dc8dc005950a55e731a
                                              • Opcode Fuzzy Hash: 10cd4d059b02f226dcedeab6d983f116a71722e0e95fe1aa277000ca600bc38b
                                              • Instruction Fuzzy Hash: 8A015B79A04705AFD705CF66DC11996BBF8E789720B2388B7E804D36A0F6345810DE18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 0045143E
                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00451464), ref: 00451446
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorFileLastMove
                                              • String ID:
                                              • API String ID: 55378915-0
                                              • Opcode ID: fc062a3957a1edb5bf0d59c77c23fa964479a41f7c559747da197f0b7ccab451
                                              • Instruction ID: 85188aecbac2644b80406732be01adbb240331f4a8ceeac9c47b7ffc740a9c29
                                              • Opcode Fuzzy Hash: fc062a3957a1edb5bf0d59c77c23fa964479a41f7c559747da197f0b7ccab451
                                              • Instruction Fuzzy Hash: 6D01D671B04604AB8B01DB799C425AEB7ECDB49725760457BFC08E3252EA3C4E048959
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID: @$I
                                              • API String ID: 1263568516-1899187264
                                              • Opcode ID: b62b8f1c307d4adcebf6fa1a253ea1af05d3ba4dba9aec1dff74914ddceb4cab
                                              • Instruction ID: 8116451f728c5aa32ea3c360de9e7882c02e29ec9bc76b399c7381bc7e3fefdc
                                              • Opcode Fuzzy Hash: b62b8f1c307d4adcebf6fa1a253ea1af05d3ba4dba9aec1dff74914ddceb4cab
                                              • Instruction Fuzzy Hash: F40170766057109FC3109F29DCC0E2677E8D780378F05413EDA84673A1D37A6C0187D8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00450F4B), ref: 00450F25
                                              • GetLastError.KERNEL32(00000000,00000000,00000000,00450F4B), ref: 00450F2D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateDirectoryErrorLast
                                              • String ID:
                                              • API String ID: 1375471231-0
                                              • Opcode ID: 082057bd9afaa096a0e4b8126ab3c4003cc3e6ea7bf304598bc7be587df6c026
                                              • Instruction ID: 364ad505462443d826447c2aa905436d5e11e331cb720e50727da1269184da6e
                                              • Opcode Fuzzy Hash: 082057bd9afaa096a0e4b8126ab3c4003cc3e6ea7bf304598bc7be587df6c026
                                              • Instruction Fuzzy Hash: 27F02876A04604AFCB10DF759C4299EB7E8DB09311B6049BBFC08E3242E6794E048598
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,00000000,004510E1,?,-00000001,?), ref: 004510BB
                                              • GetLastError.KERNEL32(00000000,00000000,004510E1,?,-00000001,?), ref: 004510C3
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 2018770650-0
                                              • Opcode ID: 1e6d19b18d0b7f1f4b814b2fe5639d31bbd572e79ae8d41c2ab74e80d74ea6ed
                                              • Instruction ID: 5ed2bb2a065b1eb56cf610b2c64d6d851a3618404264b5220afa4eae7dc9580f
                                              • Opcode Fuzzy Hash: 1e6d19b18d0b7f1f4b814b2fe5639d31bbd572e79ae8d41c2ab74e80d74ea6ed
                                              • Instruction Fuzzy Hash: F9F02871A04244AFCF00DFB59C4259EB7E8DB0871176089BBFC04E3692EB384E048558
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RemoveDirectoryA.KERNEL32(00000000,00000000,004515E9,?,-00000001,00000000), ref: 004515C3
                                              • GetLastError.KERNEL32(00000000,00000000,004515E9,?,-00000001,00000000), ref: 004515CB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DirectoryErrorLastRemove
                                              • String ID:
                                              • API String ID: 377330604-0
                                              • Opcode ID: 3de0d6eef76c1e463ac159392944c7fd45740d6beb844e58639b2c615591adf4
                                              • Instruction ID: 4a7b75eba7857019093cf0bd5fd6fc682383d33b89e08eccdc707f1e9448c37c
                                              • Opcode Fuzzy Hash: 3de0d6eef76c1e463ac159392944c7fd45740d6beb844e58639b2c615591adf4
                                              • Instruction Fuzzy Hash: F0F0F475A00608BB8B01DBB5AC4259EB3ECDB4831176049BBFC04E3242F6384E048598
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadCursorA.USER32(00000000,00007F00), ref: 004231F1
                                              • LoadCursorA.USER32(00000000,00000000), ref: 0042321B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CursorLoad
                                              • String ID:
                                              • API String ID: 3238433803-0
                                              • Opcode ID: 97721f6b4bea7dfcfee2643c439e1d77a1de27f79bc3f669c874631e657f12ca
                                              • Instruction ID: 43eb0a081647544f07c75950a444ff3626244229c91a8f980807230630bdce3f
                                              • Opcode Fuzzy Hash: 97721f6b4bea7dfcfee2643c439e1d77a1de27f79bc3f669c874631e657f12ca
                                              • Instruction Fuzzy Hash: 56F05C11740110A6D6105D7E6CC0E2A7268DBC1735B7103BBFB7BD32D2C62E5C01417D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNEL32(00008000), ref: 0042E1EA
                                              • LoadLibraryA.KERNEL32(00000000,00000000,0042E234,?,00000000,0042E252,?,00008000), ref: 0042E219
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLibraryLoadMode
                                              • String ID:
                                              • API String ID: 2987862817-0
                                              • Opcode ID: df3f20b22e32febbdad40190a0324c62e8b0ac07168a33a3d01648edd1efc6b6
                                              • Instruction ID: a5bf76ec7fc0037a961c30f1a8367ec2ab03dc69631e0c622de06244be8b127b
                                              • Opcode Fuzzy Hash: df3f20b22e32febbdad40190a0324c62e8b0ac07168a33a3d01648edd1efc6b6
                                              • Instruction Fuzzy Hash: 6CF08270B14744BEDB019F779C6282BBBECEB4DB1479248B6F800A2691E63C4C10CD39
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetClassInfoA.USER32(00400000,?,?), ref: 00416289
                                              • GetClassInfoA.USER32(00000000,?,?), ref: 00416299
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ClassInfo
                                              • String ID:
                                              • API String ID: 3534257612-0
                                              • Opcode ID: 5535f057ae2e6f2d9b2f6af2a72d2880928a0ff3398df03f414ca47145a051f1
                                              • Instruction ID: f9243e9802e4daeaede031adc3e0cdb0576ff82b3e31e385d8269c896501afd6
                                              • Opcode Fuzzy Hash: 5535f057ae2e6f2d9b2f6af2a72d2880928a0ff3398df03f414ca47145a051f1
                                              • Instruction Fuzzy Hash: 81E012B26015106ADB10DF999D81EE327DCDF08310B110163BE04DB146D7A4DD0047A4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,00000080,0046A731,?,00000000), ref: 0044FC26
                                              • GetLastError.KERNEL32(?,00000000,?,00000002,?,00000080,0046A731,?,00000000), ref: 0044FC2E
                                                • Part of subcall function 0044F9CC: GetLastError.KERNEL32(0044F7E8,0044FA8E,?,00000000,?,0048FEBC,00000001,00000000,00000002,00000000,0049001D,?,?,00000005,00000000,00490051), ref: 0044F9CF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast$FilePointer
                                              • String ID:
                                              • API String ID: 1156039329-0
                                              • Opcode ID: 7c96a5db1a3bbf5f7122b7c230bcc380228b32d8ca3eb191d321d7672d53e95a
                                              • Instruction ID: 0bfc23328500fe2646c690ed3ecabb54a6fbe8d678c9a11fa1a44a4ad9cb7e95
                                              • Opcode Fuzzy Hash: 7c96a5db1a3bbf5f7122b7c230bcc380228b32d8ca3eb191d321d7672d53e95a
                                              • Instruction Fuzzy Hash: 59E012B1304205ABFB10EA7599C1F3B22D8EB44354F00447AB944CF287E674CC0A8B25
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 0041EFB6
                                              • 73A25940.USER32(00000000,0041EF38,00000000,0042406E,?,00000000,00424104), ref: 0041EFBC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A25940CurrentThread
                                              • String ID:
                                              • API String ID: 2655091166-0
                                              • Opcode ID: a87d5c09129fb5e8e72c64e8d2232d69f3356c6d2f88ba67e28c815336eb5a51
                                              • Instruction ID: 49cc1c4b832f6c01255466c052ada857fa4bf5b082c39c1888a59bd33b0c0cac
                                              • Opcode Fuzzy Hash: a87d5c09129fb5e8e72c64e8d2232d69f3356c6d2f88ba67e28c815336eb5a51
                                              • Instruction Fuzzy Hash: BCE04C71610201BFDF11DF39DD4575637E1E7A0314F1348B7A806D61B1E3785840DA0D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Global$Alloc
                                              • String ID:
                                              • API String ID: 2558781224-0
                                              • Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                              • Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
                                              • Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                              • Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendNotifyMessageA.USER32(0001046E,00000496,00002711,00000000), ref: 00477350
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageNotifySend
                                              • String ID:
                                              • API String ID: 3556456075-0
                                              • Opcode ID: 252e5136d57f140269efebacecac5dd0592624cb6a566e5f719c9ce0fa9de95c
                                              • Instruction ID: 16409b2b564c283e2081e6b17d670531f43b9e979188f2c8fa02a8160c9bfcf5
                                              • Opcode Fuzzy Hash: 252e5136d57f140269efebacecac5dd0592624cb6a566e5f719c9ce0fa9de95c
                                              • Instruction Fuzzy Hash: 8B4186343040009BC710FF66EC8255A77A9AB55309790C5B7B8049F3ABCA78EE06DB9D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemDefaultLCID.KERNEL32(00000000,004086B2), ref: 0040859B
                                                • Part of subcall function 00406D8C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406DA9
                                                • Part of subcall function 00408508: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004924C0,00000001,?,004085D3,?,00000000,004086B2), ref: 00408526
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DefaultInfoLoadLocaleStringSystem
                                              • String ID:
                                              • API String ID: 1658689577-0
                                              • Opcode ID: 80ecc8c9aace017e09db60a449651f58f9edaaa4523f5ba9ad143ce156ad8401
                                              • Instruction ID: 8b9545330178279bc2ddac5e6fa168bd58cc03261140f3a6a95c7e376186b839
                                              • Opcode Fuzzy Hash: 80ecc8c9aace017e09db60a449651f58f9edaaa4523f5ba9ad143ce156ad8401
                                              • Instruction Fuzzy Hash: 86315035E00109ABCB00EF95CC819EEB779FF84314F518577E815BB285E738AE018B98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBE1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoScroll
                                              • String ID:
                                              • API String ID: 629608716-0
                                              • Opcode ID: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
                                              • Instruction ID: 2699cc02af870d89e6a5ad5e313ee30afbb4c435a81dca5bff53af4edc800ccf
                                              • Opcode Fuzzy Hash: de4704f2c710e71cab7264c2153380fdf922c8bbe904c6d895339fb26e0428f4
                                              • Instruction Fuzzy Hash: E22142B16087456FC340DF39D440696BBE4BB88314F04493EE498C3741D774E996CBD6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0041EE4C: GetCurrentThreadId.KERNEL32 ref: 0041EE9B
                                                • Part of subcall function 0041EE4C: 73A25940.USER32(00000000,0041EDFC,00000000,00000000,0041EEB8,?,00000000,0041EEEF,?,0042E7E8,?,00000001), ref: 0041EEA1
                                              • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00467042,?,00000000,?,?,00467247,?,00000000,00467286), ref: 00467026
                                                • Part of subcall function 0041EF00: IsWindow.USER32(?), ref: 0041EF0E
                                                • Part of subcall function 0041EF00: EnableWindow.USER32(?,00000001), ref: 0041EF1D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                              • String ID:
                                              • API String ID: 390483697-0
                                              • Opcode ID: 369f86e8a7e3fc3249e22cf5b4f477e6a4efde8ea112a63605dc209f0644bffd
                                              • Instruction ID: cfd77c3cf2038ba034cdb19c096b63f1e12f26539d14daa02010a8575a632133
                                              • Opcode Fuzzy Hash: 369f86e8a7e3fc3249e22cf5b4f477e6a4efde8ea112a63605dc209f0644bffd
                                              • Instruction Fuzzy Hash: 15F02E70288300FFE3049B62ED1AB2577E8E308718F60083BF40082181E6BD4C40D52D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041652D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: a90cc2cdc4384ce14c959999bf908b8a2b5a488b97049405d08f79aee015cd0a
                                              • Instruction ID: a820f4678b9f5f8a39c028f8276f7672b34f9079ce199e45b6728efe25cce622
                                              • Opcode Fuzzy Hash: a90cc2cdc4384ce14c959999bf908b8a2b5a488b97049405d08f79aee015cd0a
                                              • Instruction Fuzzy Hash: D5F019B2200510AFDB84CF9CD9C0F9373ECEB0C210B0481A6FA08CF24AD260EC108BB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414997
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                              • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                              • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                              • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042CAA4: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBD2,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A), ref: 0042CACC
                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A,00000000,004511A1,00000000,004511C2,?,00000000), ref: 0042CBDB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AttributesCharFilePrev
                                              • String ID:
                                              • API String ID: 4082512850-0
                                              • Opcode ID: 22241e4889f104e7f41f6a8233d5b92d6a893f3137f18e20c265477f4e7dcce1
                                              • Instruction ID: bcc2a10ba17e46f4a9e3aa80fd67cbe88bd74874a982435321d161081e45760d
                                              • Opcode Fuzzy Hash: 22241e4889f104e7f41f6a8233d5b92d6a893f3137f18e20c265477f4e7dcce1
                                              • Instruction Fuzzy Hash: 96E09B71304308BFD701EF62EC93E5EBBECDB85714BA14476F400E7641D5B9AE008418
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FB1C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: e365771525bbe6f599be3d6842bf1733d2c6ed5763df5b87705b12eab983d8cf
                                              • Instruction ID: b9ff2f1e843887c32db999b8e56f693fcf835da1e8ac5748e56ca63b18eefbc2
                                              • Opcode Fuzzy Hash: e365771525bbe6f599be3d6842bf1733d2c6ed5763df5b87705b12eab983d8cf
                                              • Instruction Fuzzy Hash: 64E092A53501083ED340EEACAC52FA337CC9319754F048033B988C7351D4619D11CBA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004519EF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E67F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FormatMessage
                                              • String ID:
                                              • API String ID: 1306739567-0
                                              • Opcode ID: 5cdf8f27468f89c1e221846afb926f353a68fd9131fa2110eec1806da2fbbfdd
                                              • Instruction ID: e1450acef62d714b472a60d6f425ebfa2555b1e5ba62ff61a1a92b84590c1f2f
                                              • Opcode Fuzzy Hash: 5cdf8f27468f89c1e221846afb926f353a68fd9131fa2110eec1806da2fbbfdd
                                              • Instruction Fuzzy Hash: 2EE020723843111AF23550676C47B7F170D4790704F9580263B10DE3D2D9AEDD0F02AD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExA.USER32(00000000,00423624,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 00406329
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                              • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                              • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                              • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC38
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 4b7bbc01810c708f4eaeb9f3bdda72a1e52bfbbcd703bba3a005b41c2dde64c7
                                              • Instruction ID: 95aeb9dab0603b99a781f8c682cffbd0ba2012b3d2683d11ab3130478c649cf3
                                              • Opcode Fuzzy Hash: 4b7bbc01810c708f4eaeb9f3bdda72a1e52bfbbcd703bba3a005b41c2dde64c7
                                              • Instruction Fuzzy Hash: C3E07EB2600129AF9B40DE8DDC81EEB37ADAB1D350F408016FA08D7200C2B4EC519BB4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindClose.KERNEL32(00000000,000000FF,0046AF0D,00000000,0046BC78,?,00000000,0046BCC1,?,00000000,0046BDFA,?,00000000,?,00000000), ref: 00453246
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseFind
                                              • String ID:
                                              • API String ID: 1863332320-0
                                              • Opcode ID: 0d9c890a3991cb5b694035647fd2267bc5d10e57212313f7c1704c27ed86d76d
                                              • Instruction ID: f302fe2a993c29ff2beb40c6401580d32031e9c3f18c83ad647966ccae7ffc8f
                                              • Opcode Fuzzy Hash: 0d9c890a3991cb5b694035647fd2267bc5d10e57212313f7c1704c27ed86d76d
                                              • Instruction Fuzzy Hash: 85E01B70508B008BCB14DF3E848135676D15F89321F04C9AABC58CB3D7DA3C85559A67
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(0048DB6E,?,0048DB90,?,?,00000000,0048DB6E,?,?), ref: 00414643
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                              • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                              • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                              • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CompareStringA.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000,00000000,?,0042C585,00000000,0042C5A2,?,?,00000000,?,00000000), ref: 00406B0D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CompareString
                                              • String ID:
                                              • API String ID: 1825529933-0
                                              • Opcode ID: f42634be0faa333b05a4ae354d565eb4a013819038b6e29f1d9658e93d9dcb4d
                                              • Instruction ID: f6665c11947ada4625099ec4a58cd3d7eb013588aad78fe549ce1534c5c33ddb
                                              • Opcode Fuzzy Hash: f42634be0faa333b05a4ae354d565eb4a013819038b6e29f1d9658e93d9dcb4d
                                              • Instruction Fuzzy Hash: DAD092D17416203BD250BA7E1C82F5B48CC8B1861FF00413AB208FB2D2C97C8F0512AE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406EC4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: 53bf0c971a6682272cbe113517155efe353acdf78c65c7717e273512bbedbf67
                                              • Instruction ID: 4d76dac8211929e62cce8888c47837621b30d3b0c7e20a3f427cea6db45cb60b
                                              • Opcode Fuzzy Hash: 53bf0c971a6682272cbe113517155efe353acdf78c65c7717e273512bbedbf67
                                              • Instruction Fuzzy Hash: 48D05B763082507AD620965BAC44DA76BDCCBC5770F11063EB558C71C1D6309C01C775
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 004235A0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 004235B5
                                              • ShowWindow.USER32(004105F8,00000009,?,00000000,0041ED4C,004238E2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 0042360F
                                                • Part of subcall function 004235D0: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235EC
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoParametersSystem$ShowWindow
                                              • String ID:
                                              • API String ID: 3202724764-0
                                              • Opcode ID: 7c25c5bb0a353a8e37e10cf4638f97e2f3f9aed69f5a03697bdf0d2729dbe22d
                                              • Instruction ID: 2a465d5d678e454343823bde05cb816eafc76b3616d44e2642b2febe52ce8396
                                              • Opcode Fuzzy Hash: 7c25c5bb0a353a8e37e10cf4638f97e2f3f9aed69f5a03697bdf0d2729dbe22d
                                              • Instruction Fuzzy Hash: F8D0A7123422343143203BB73845A8B46BC4DC62A7388043BB548CB303FD1E8F5130BC
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowTextA.USER32(?,00000000), ref: 00424284
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: TextWindow
                                              • String ID:
                                              • API String ID: 530164218-0
                                              • Opcode ID: 627cc26754df0e5d4ac2449ef7fa78a92304547f29cb65040aa964a78537c4ea
                                              • Instruction ID: 464bc4534e7500a79cd72818e7fe6fdc88b43f9c3cedd93f67ec80ba9b13fbd8
                                              • Opcode Fuzzy Hash: 627cc26754df0e5d4ac2449ef7fa78a92304547f29cb65040aa964a78537c4ea
                                              • Instruction Fuzzy Hash: A8D05BE270113017C741BAED54C4AC577CC4B4825671540B7F904EF257C638CD404398
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFileAttributesA.KERNEL32(00000000,?,004513D1,00000000,004513EA,?,-00000001,00000000), ref: 0042CC5B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 36a704d27392c584da48404d951af4ee67a016d0087b0b4451a7b59f91f2b214
                                              • Instruction ID: 2bac27eb1d407cf782e128ad06cad9207e8ea826622c3fbf81ad2ed97ccd6d21
                                              • Opcode Fuzzy Hash: 36a704d27392c584da48404d951af4ee67a016d0087b0b4451a7b59f91f2b214
                                              • Instruction Fuzzy Hash: 4BD012E030129015DA1459BE29C979F02888B96735FA41F7BB96CE22E2E23DCC562018
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00462E18,00000000,00000000,00000000,0000000C,00000000), ref: 004621C4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                              • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                              • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                              • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFileAttributesA.KERNEL32(00000000,00000000,0045084B,00000000), ref: 0042CC13
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 2ad41afce022a7edf35b9913b4ba60846e4e43961883ad7ce5a0ddd1fe693583
                                              • Instruction ID: 1275fb06175802a4eec18308edc692cabbb6af922db63e061f4609c964e4cce9
                                              • Opcode Fuzzy Hash: 2ad41afce022a7edf35b9913b4ba60846e4e43961883ad7ce5a0ddd1fe693583
                                              • Instruction Fuzzy Hash: 41C08CE13022001A9A1065FE2CC511F02C8891423A3A42F37F42EE33D2DA3D8C17201A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A86C,0040CE18,?,00000000,?), ref: 00406E7D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 00499271b5b01f05d9d83e2d2f7f211c07fae1a2865fa10bd36806d3138a4949
                                              • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                              • Opcode Fuzzy Hash: 00499271b5b01f05d9d83e2d2f7f211c07fae1a2865fa10bd36806d3138a4949
                                              • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F358
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
                                              • Instruction ID: 48f25c4fc7afed193c39a16cc91a0304f94a1296cd048c63733264e3b5f0309e
                                              • Opcode Fuzzy Hash: aa2ab5d04534ce78fd06398472ac87fc8e200d4b6eb1d54961e47d4e7a3c3f50
                                              • Instruction Fuzzy Hash: D2D0C932100108AFDB018E94AC018677B69EB48210B148815FD0485221D633E831AA91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 34c222f4aa39b239facbaef86046878073365967e51e1b05f0a2c0fa4b12be0b
                                              • Instruction ID: f501027f96a9746725af0604134d36a8ca8c314a7ca2a7be08ed73c27bcd633e
                                              • Opcode Fuzzy Hash: 34c222f4aa39b239facbaef86046878073365967e51e1b05f0a2c0fa4b12be0b
                                              • Instruction Fuzzy Hash: 97B012E13D220A2ACE0079FE4CC191700CC462C6163405A3A3406EB1C3D93CC4180414
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetCurrentDirectoryA.KERNEL32(00000000,?,0048FE4A,00000000,0049001D,?,?,00000005,00000000,00490051,?,?,00000000), ref: 00407253
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory
                                              • String ID:
                                              • API String ID: 1611563598-0
                                              • Opcode ID: 9535ee1be264027bcd2620f9ebef8565d8f2b6e57c19aceceeb3ce428e827e8a
                                              • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                              • Opcode Fuzzy Hash: 9535ee1be264027bcd2620f9ebef8565d8f2b6e57c19aceceeb3ce428e827e8a
                                              • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FreeLibrary.KERNEL32(00000000,0044F500,00000000,?,004639BE,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 0044F312
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: c7a475cd488f875e49ece2157d1206e67af3b2205c6f394a6688a0f7d43359a1
                                              • Instruction ID: 6ecd22b7d6a4bd64001c9983af65653951bcb0c24671cf7e7e2e4cdc083c116c
                                              • Opcode Fuzzy Hash: c7a475cd488f875e49ece2157d1206e67af3b2205c6f394a6688a0f7d43359a1
                                              • Instruction Fuzzy Hash: 17D0C9B44122059ADB109F65EA1431232A4F760346F08017BB400D2171CB799485CB0C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetEndOfFile.KERNEL32(?,?,004599C5,00000000,00459B68,?,00000000,00000002,00000002), ref: 0044FC4B
                                                • Part of subcall function 0044F9CC: GetLastError.KERNEL32(0044F7E8,0044FA8E,?,00000000,?,0048FEBC,00000001,00000000,00000002,00000000,0049001D,?,?,00000005,00000000,00490051), ref: 0044F9CF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorFileLast
                                              • String ID:
                                              • API String ID: 734332943-0
                                              • Opcode ID: 8565589d8368efb46956d1874a8e26a129873ee61e8d9e49f27d8550732299f7
                                              • Instruction ID: 11690378e1580f57f3c17dd11fe21b7b3ca8148d791c98b53b9e0a2d440cb67b
                                              • Opcode Fuzzy Hash: 8565589d8368efb46956d1874a8e26a129873ee61e8d9e49f27d8550732299f7
                                              • Instruction Fuzzy Hash: 4DC04CA130055197DF00A6AE85C1A0767D86E083083505076B909CF217E668D8044A18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNEL32(?,0042E259), ref: 0042E24C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: 0a051d32a78ad3617f7ea1dbaf78ac9652f3e2ca0c092313af1445ab26d6b84d
                                              • Instruction ID: 74ebc363d3dd9adc156b0186d58570fa2bbeeb99e87a8c897359723e7ad10afe
                                              • Opcode Fuzzy Hash: 0a051d32a78ad3617f7ea1dbaf78ac9652f3e2ca0c092313af1445ab26d6b84d
                                              • Instruction Fuzzy Hash: ABB09B7670C6009DB709D6D6755552D63D8D7C47203E145B7F015E2580D53C58004928
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FreeLibrary.KERNEL32(00000000,0047A6D6), ref: 0047635A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: 89572602d291b516dbb91569fe541cff3f70df9bb6bcb712ac8eb03508536d17
                                              • Instruction ID: 33d8f5f36b897b4a22f09290cd909843d3577c0e39989f8199a04e4b2ecda284
                                              • Opcode Fuzzy Hash: 89572602d291b516dbb91569fe541cff3f70df9bb6bcb712ac8eb03508536d17
                                              • Instruction Fuzzy Hash: A8C002715507409EC760EF75DD8474536E4B716716F55C5375804DA160EB348A84CF08
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 0047A910
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: fd921ee12ed53937ef9beeb787a8c4516caee7dc516e45fafbf488b4906553f2
                                              • Instruction ID: 99d67813a2b21335afc3d4281e01727494b67aba3c321737ecd4854f4d206f17
                                              • Opcode Fuzzy Hash: fd921ee12ed53937ef9beeb787a8c4516caee7dc516e45fafbf488b4906553f2
                                              • Instruction Fuzzy Hash: 5EA002343D530570F470A2514D03F5400001744F15EE1405573093D0C304D92428201E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: da20a264590b8da76bcc673a24629bda81143ece4f0058ab807c22f450b41b4b
                                              • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                              • Opcode Fuzzy Hash: da20a264590b8da76bcc673a24629bda81143ece4f0058ab807c22f450b41b4b
                                              • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045B1F0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 40e67bd12d84b901d644a32061550c5eab03b59ca4c5dcb87dd2f004890e4884
                                              • Instruction ID: 4e53742ce62a887a6b6d1ed8658a57c71b670a96a09bd10cc268158586706a5e
                                              • Opcode Fuzzy Hash: 40e67bd12d84b901d644a32061550c5eab03b59ca4c5dcb87dd2f004890e4884
                                              • Instruction Fuzzy Hash: D01175716006049BDB00EF15C88175B77A4EF8435AF04846AFD589B2C7DB38EC09CBEA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED4C,?,00423837,00423BB4,0041ED4C), ref: 0041F38A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 12d8c903e1d35d4ed3e61744099085c4d88952c6e60055fc50c96d732ccf1ffc
                                              • Instruction ID: 0cc0efa10282cde451e00f43d434c8f6590961a15256f6519a3dd582a972fe71
                                              • Opcode Fuzzy Hash: 12d8c903e1d35d4ed3e61744099085c4d88952c6e60055fc50c96d732ccf1ffc
                                              • Instruction Fuzzy Hash: 21115E746407059BC710DF19C880B86FBE5EF98750F10C53BE9A88B785D374E945CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastError.KERNEL32(00000000,004517A9), ref: 0045178B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID:
                                              • API String ID: 1452528299-0
                                              • Opcode ID: 0cb30aea8e3a05673a7cba1544d5d7a5fd50794015932abe3ecd9c104f2fad2b
                                              • Instruction ID: 09dacfa996f3112939fbf8ed8dcb85d913dce43742346e85e53a3a3cb706c9d1
                                              • Opcode Fuzzy Hash: 0cb30aea8e3a05673a7cba1544d5d7a5fd50794015932abe3ecd9c104f2fad2b
                                              • Instruction Fuzzy Hash: 5E01FC396042486F8B11DF699C019AEBBECDB4D32076082B7EC68D3351D7344D159664
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,0045B1E6), ref: 0045B11F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FreeVirtual
                                              • String ID:
                                              • API String ID: 1263568516-0
                                              • Opcode ID: 738f9e8baf208e14bafd32a0a90fff7df9624ba6fd4da3bc033a9b1b79592317
                                              • Instruction ID: 6d5ad091bc6b63f34aeb1917c6f1250fd7e3330d7d8b7736af9f6265ced051ec
                                              • Opcode Fuzzy Hash: 738f9e8baf208e14bafd32a0a90fff7df9624ba6fd4da3bc033a9b1b79592317
                                              • Instruction Fuzzy Hash: 5BD0E9B17557045BDF90EE794C81B1677D8BB48741F5044766904DB286E774E8048A58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0044ACE0: GetVersionExA.KERNEL32(00000094), ref: 0044ACFD
                                              • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EE61,00490B49), ref: 0044AD5B
                                              • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AD73
                                              • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AD85
                                              • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AD97
                                              • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044ADA9
                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADBB
                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADCD
                                              • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044ADDF
                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044ADF1
                                              • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AE03
                                              • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AE15
                                              • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AE27
                                              • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AE39
                                              • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AE4B
                                              • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AE5D
                                              • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AE6F
                                              • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AE81
                                              • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AE93
                                              • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044AEA5
                                              • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044AEB7
                                              • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044AEC9
                                              • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044AEDB
                                              • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044AEED
                                              • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044AEFF
                                              • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044AF11
                                              • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044AF23
                                              • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044AF35
                                              • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044AF47
                                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044AF59
                                              • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044AF6B
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044AF7D
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044AF8F
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044AFA1
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044AFB3
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044AFC5
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044AFD7
                                              • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044AFE9
                                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044AFFB
                                              • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B00D
                                              • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B01F
                                              • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B031
                                              • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B043
                                              • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B055
                                              • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B067
                                              • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B079
                                              • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B08B
                                              • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B09D
                                              • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B0AF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$LibraryLoadVersion
                                              • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                              • API String ID: 1968650500-2910565190
                                              • Opcode ID: 8e47860778318749720a18b19026728520ae29cba2d0c5025aa9374497ebba70
                                              • Instruction ID: 5169d35cc0c40435630ad3afe2d7a88fabdc5ea4a28e3ebae144798e7e1bad85
                                              • Opcode Fuzzy Hash: 8e47860778318749720a18b19026728520ae29cba2d0c5025aa9374497ebba70
                                              • Instruction Fuzzy Hash: 1891D6B0A40B50EBEF00EFF59DC6A2636A8EB15B14714457BB444EF295D7B8C804CF99
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0045671F
                                              • QueryPerformanceCounter.KERNEL32(00000000,00000000,004569B2,?,?,00000000,00000000,?,004570AE,?,00000000,00000000), ref: 00456728
                                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00456732
                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,004569B2,?,?,00000000,00000000,?,004570AE,?,00000000,00000000), ref: 0045673B
                                              • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004567B1
                                              • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 004567BF
                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00491A80,00000003,00000000,00000000,00000000,0045696E), ref: 00456807
                                              • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045695D,?,00000000,C0000000,00000000,00491A80,00000003,00000000,00000000,00000000,0045696E), ref: 00456840
                                                • Part of subcall function 0042D7A8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7BB
                                              • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004568E9
                                              • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045691F
                                              • CloseHandle.KERNEL32(000000FF,00456964,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456957
                                                • Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                              • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$h$helper %d 0x%x
                                              • API String ID: 770386003-3739555822
                                              • Opcode ID: 12990583c43677890b3172fac6db0111b3e08eff4e7b9a172314e4e4284cd7a6
                                              • Instruction ID: 11cc02d5b4c65d74a0167c6227b1ef0bb38041da715edce79722e55ed4dc78f9
                                              • Opcode Fuzzy Hash: 12990583c43677890b3172fac6db0111b3e08eff4e7b9a172314e4e4284cd7a6
                                              • Instruction Fuzzy Hash: FD713370A00744AEDB11DB69CC41B9EBBF8EB09305F5181BAF908FB282D7785944CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetVersion.KERNEL32 ref: 0045A102
                                              • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045A122
                                              • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoA), ref: 0045A12F
                                              • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoA), ref: 0045A13C
                                              • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045A14A
                                              • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A31E), ref: 0045A1E9
                                              • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045A31E), ref: 0045A1F2
                                              • LocalFree.KERNEL32(?,0045A2CC), ref: 0045A2BF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$AllocateErrorFreeHandleInitializeLastLocalModuleVersion
                                              • String ID: GetNamedSecurityInfoA$SetEntriesInAclW$SetNamedSecurityInfoA$W$advapi32.dll
                                              • API String ID: 4088882585-3389539026
                                              • Opcode ID: 23972e836f43ceaa603229ab9895b7a465ff4bffcad2d0873925f749a3d20612
                                              • Instruction ID: 53dbb0a0fcd2a75aff2a5c1782a6a4235bf2da2959e2968fa151a2620b62acf5
                                              • Opcode Fuzzy Hash: 23972e836f43ceaa603229ab9895b7a465ff4bffcad2d0873925f749a3d20612
                                              • Instruction Fuzzy Hash: 045182B1900608AFDB10DF99C845BAEB7F8EB08315F10816AF904F7382D2799E55CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ShellExecuteEx.SHELL32(0000003C), ref: 00471DC3
                                              • GetLastError.KERNEL32(-00000010,?), ref: 00471DCC
                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00471E19
                                              • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00471E3D
                                              • CloseHandle.KERNEL32(00000000,00471E6E,00000000,00000000,000000FF,000000FF,00000000,00471E67,?,-00000010,?), ref: 00471E61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
                                              • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                              • API String ID: 171997614-221126205
                                              • Opcode ID: 0340b1e33f74f9816b06a37a5cdb42b4546e337b2196abe928d3c5f099f1283d
                                              • Instruction ID: 5ecb40f87429d7d11547f51ae298583b800dd69eb7e736ddd6194e700b57543d
                                              • Opcode Fuzzy Hash: 0340b1e33f74f9816b06a37a5cdb42b4546e337b2196abe928d3c5f099f1283d
                                              • Instruction Fuzzy Hash: 73216574A40104AADB10EBAD8842BDE76A8DF05358F50843BF908E72A1DB7C99458B5D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsIconic.USER32(?), ref: 0041833B
                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00418358
                                              • GetWindowRect.USER32(?), ref: 00418374
                                              • GetWindowLongA.USER32(?,000000F0), ref: 00418382
                                              • GetWindowLongA.USER32(?,000000F8), ref: 00418397
                                              • ScreenToClient.USER32(00000000), ref: 004183A0
                                              • ScreenToClient.USER32(00000000,?), ref: 004183AB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$ClientLongScreen$IconicPlacementRect
                                              • String ID: ,
                                              • API String ID: 2266315723-3772416878
                                              • Opcode ID: e846b1d96ad6d403d5ac4900d6db5fa2b4fc685dffe037c5368f6a7b37d89c4b
                                              • Instruction ID: acb8bb2f18b9e5a8d0717189301f77369ef91ad6b472dfe09f3ff812f2607344
                                              • Opcode Fuzzy Hash: e846b1d96ad6d403d5ac4900d6db5fa2b4fc685dffe037c5368f6a7b37d89c4b
                                              • Instruction Fuzzy Hash: 70111971505201AFDB00DF69C885F9B77E8AF49314F18067EBD58DB286C739D900CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028), ref: 00453B07
                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453B0D
                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453B26
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453B4D
                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453B52
                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 00453B63
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 107509674-3733053543
                                              • Opcode ID: 982ff0191f50bbd9cd411f2d5bf63d981ee67892c17860e9fb891ba62e1030d4
                                              • Instruction ID: 7f7469d741d4a2fc9540d00a6168bb4e8b3a9b73c98c3c4e7b422180d550d177
                                              • Opcode Fuzzy Hash: 982ff0191f50bbd9cd411f2d5bf63d981ee67892c17860e9fb891ba62e1030d4
                                              • Instruction Fuzzy Hash: E6F06870684302B5E610AE768D07F6B6188974078AF50092ABD45EA1C3D6BDEA0C4A3E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,004901D2,?,?,00000000,00492628,?,0049035C,00000000,004903B0,?,?,00000000,00492628), ref: 004900EB
                                              • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049016E
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,004901AA,?,00000000,?,00000000,004901D2,?,?,00000000,00492628,?,0049035C,00000000), ref: 00490186
                                              • FindClose.KERNEL32(000000FF,004901B1,004901AA,?,00000000,?,00000000,004901D2,?,?,00000000,00492628,?,0049035C,00000000,004903B0), ref: 004901A4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirstNext
                                              • String ID: isRS-$isRS-???.tmp
                                              • API String ID: 134685335-3422211394
                                              • Opcode ID: 09ff16532715b99db4a6998c5bb492729a1ab865c720f1ffe18b57c269928369
                                              • Instruction ID: aeb5e1c6dec8106b2d0d5562d2962c543317903ced43ff168440b54f7dc1d23c
                                              • Opcode Fuzzy Hash: 09ff16532715b99db4a6998c5bb492729a1ab865c720f1ffe18b57c269928369
                                              • Instruction Fuzzy Hash: E1318671A006186FDF14EF65CC42ACEBBBDDB49314F5184B7A808B32A1D7389F458E58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,00476D36,?,00000000,?,00000000,?,00476E7A,00000000,00000000), ref: 00476AD1
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,00476BE1,?,00000000,?,?,00000000,?,00000000,00476D36,?,00000000,?,00000000), ref: 00476BBD
                                              • FindClose.KERNEL32(000000FF,00476BE8,00476BE1,?,00000000,?,?,00000000,?,00000000,00476D36,?,00000000,?,00000000), ref: 00476BDB
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00476D36,?,00000000,?,00000000,?,00476E7A,00000000), ref: 00476C34
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$File$First$CloseNext
                                              • String ID:
                                              • API String ID: 2001080981-0
                                              • Opcode ID: 40b87f1a6685737baa159b74f92e65737ad1715135c55a15da39ee125fd6b7f2
                                              • Instruction ID: 14931f8a0e3cac93bb735ea196381e3f6523e98b7e5ca17cfb4e14f2e37d7476
                                              • Opcode Fuzzy Hash: 40b87f1a6685737baa159b74f92e65737ad1715135c55a15da39ee125fd6b7f2
                                              • Instruction Fuzzy Hash: 8F716F7090061DAFCF21EFA5CC41ADFBBB9EB49304F5184AAE408A7291D7399A45CF58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455271
                                              • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455298
                                              • SetForegroundWindow.USER32(?), ref: 004552A9
                                              • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00455574,?,00000000,004555B0), ref: 0045555F
                                              Strings
                                              • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004553E9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessagePostWindow$ForegroundNtdllProc_
                                              • String ID: Cannot evaluate variable because [Code] isn't running yet
                                              • API String ID: 2236967946-3182603685
                                              • Opcode ID: 504720f44a5762c8e8facb0def36ab17b5cf8fc5b6b6c913f36fdb2ae81dc04e
                                              • Instruction ID: 392021ee4ceeb38a924916f9eb287e4a04e01d199228d5f5cdfc091a65a304ea
                                              • Opcode Fuzzy Hash: 504720f44a5762c8e8facb0def36ab17b5cf8fc5b6b6c913f36fdb2ae81dc04e
                                              • Instruction Fuzzy Hash: 2C91F134604604EFD701CF55C961F6ABBF5EB89701F2080BAF80497796D678AE04DF18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00454454), ref: 00454350
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00454356
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                              • API String ID: 1646373207-3712701948
                                              • Opcode ID: b0b659b2d070814a0368f486c3293326616746fdd3269bbd203ed0c9b07b7e5a
                                              • Instruction ID: 308890e583471f7d729b9dc2fcd7aa40e9e9c611359b8057d7b1245ba4b987a9
                                              • Opcode Fuzzy Hash: b0b659b2d070814a0368f486c3293326616746fdd3269bbd203ed0c9b07b7e5a
                                              • Instruction Fuzzy Hash: E6318871A44259AFCF01DFA5C882AEEB7B8EF49704F508566F800F7252D63C5D49CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsIconic.USER32(?), ref: 00417CB7
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CD5
                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D0B
                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D32
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$Placement$Iconic
                                              • String ID: ,
                                              • API String ID: 568898626-3772416878
                                              • Opcode ID: 1384c885decf350a388a6044328c4ef6f341b8841973c44ec72f33afddd09757
                                              • Instruction ID: 3ed2450f0a7179b47446a38646254312085a05cbd9a13da21c4f815be273b126
                                              • Opcode Fuzzy Hash: 1384c885decf350a388a6044328c4ef6f341b8841973c44ec72f33afddd09757
                                              • Instruction Fuzzy Hash: 26214CB16002089BDF10EF69D8C0ADA77A8AF48314F55856AFD18DF246D638E845CBA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNEL32(00000001,00000000,0045F561), ref: 0045F3D5
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0045F534,?,00000001,00000000,0045F561), ref: 0045F464
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0045F516,?,00000000,?,00000000,0045F534,?,00000001,00000000,0045F561), ref: 0045F4F6
                                              • FindClose.KERNEL32(000000FF,0045F51D,0045F516,?,00000000,?,00000000,0045F534,?,00000001,00000000,0045F561), ref: 0045F510
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseErrorFirstModeNext
                                              • String ID:
                                              • API String ID: 4011626565-0
                                              • Opcode ID: 305cc1977778de4b63e7068b89b104946028e780bebf85b37a9afee82aba0e33
                                              • Instruction ID: e743b63e75f8199e1de71fb1591aa20c9e7e702e030350ab1363ce7340e32dce
                                              • Opcode Fuzzy Hash: 305cc1977778de4b63e7068b89b104946028e780bebf85b37a9afee82aba0e33
                                              • Instruction Fuzzy Hash: 48416870A00618AFCB11EF65DC45ADEB7B8EB48315F4044BAF804A7392D63C9E4D8E59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNEL32(00000001,00000000,0045FA07), ref: 0045F895
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0045F9D2,?,00000001,00000000,0045FA07), ref: 0045F8DB
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0045F9B4,?,00000000,?,00000000,0045F9D2,?,00000001,00000000,0045FA07), ref: 0045F990
                                              • FindClose.KERNEL32(000000FF,0045F9BB,0045F9B4,?,00000000,?,00000000,0045F9D2,?,00000001,00000000,0045FA07), ref: 0045F9AE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseErrorFirstModeNext
                                              • String ID:
                                              • API String ID: 4011626565-0
                                              • Opcode ID: f1acbeb17d1b649c274c0889d0b636bd6c7d568d95ef17c93ff0e7940010bea6
                                              • Instruction ID: b06fad13edd5318fdfd495eee050f4f7a9e8aa821ad8a724925d5bb9b3bb6141
                                              • Opcode Fuzzy Hash: f1acbeb17d1b649c274c0889d0b636bd6c7d568d95ef17c93ff0e7940010bea6
                                              • Instruction Fuzzy Hash: E1414471A00A18ABCB11EF65CC859DEB7B9EF88315F5044B6FC04E7341D7389E488E59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E6EE
                                              • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E719
                                              • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E726
                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E72E
                                              • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004516BB,00000000,004516DC), ref: 0042E734
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                              • String ID:
                                              • API String ID: 1177325624-0
                                              • Opcode ID: 359dbea4c5ad76fc8a2e5f7aefc1d9e87d484020982a0d52558c32e2f28802f9
                                              • Instruction ID: 1e70605f52ae136b2496113c77cf63f65d5ab7d673e450a7d96165da6ee8aff6
                                              • Opcode Fuzzy Hash: 359dbea4c5ad76fc8a2e5f7aefc1d9e87d484020982a0d52558c32e2f28802f9
                                              • Instruction Fuzzy Hash: 85F0CD713917203AF620B17A6C82F7B428C8785B68F10823ABB04FF1C1D9A84C05056D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsIconic.USER32(?), ref: 0047C29A
                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 0047C2B8
                                              • ShowWindow.USER32(00000000,00000005,00000000,000000F0,00492F5C,0047BAE6,0047BB1A,00000000,0047BB3A,?,?,00000001,00492F5C), ref: 0047C2DA
                                              • ShowWindow.USER32(00000000,00000000,00000000,000000F0,00492F5C,0047BAE6,0047BB1A,00000000,0047BB3A,?,?,00000001,00492F5C), ref: 0047C2EE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$Show$IconicLong
                                              • String ID:
                                              • API String ID: 2754861897-0
                                              • Opcode ID: a4c9e9c356362a3b4698770b4c5553ec45d2d1930899dfa6bdfed1183fed6d3c
                                              • Instruction ID: fd372386a479fdc92fac3e2ef30eced7ce39e9e6ab59154070fbeb580aa605ee
                                              • Opcode Fuzzy Hash: a4c9e9c356362a3b4698770b4c5553ec45d2d1930899dfa6bdfed1183fed6d3c
                                              • Instruction Fuzzy Hash: E9017970E44245B6D710A7B5DD85FE633D56B15304F1840BFB8099B2A7CBBDCC42961C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,0045DEF4), ref: 0045DE78
                                              • FindNextFileA.KERNEL32(000000FF,?,00000000,0045DED4,?,00000000,?,00000000,0045DEF4), ref: 0045DEB4
                                              • FindClose.KERNEL32(000000FF,0045DEDB,0045DED4,?,00000000,?,00000000,0045DEF4), ref: 0045DECE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstNext
                                              • String ID:
                                              • API String ID: 3541575487-0
                                              • Opcode ID: ed12a9da56b9c1ab2415d3ac26c5391a6871791410ebf06465b8bc1c2126addc
                                              • Instruction ID: 32c984a38fc023b26ff7fc855e6f7d071233f0675ee5b85f89907f23cc5ee99f
                                              • Opcode Fuzzy Hash: ed12a9da56b9c1ab2415d3ac26c5391a6871791410ebf06465b8bc1c2126addc
                                              • Instruction Fuzzy Hash: D121DB31D046086EDB31EB65CC42ADEB7BCDF49705F5044B7EC08E6562D63C9D49CA18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsIconic.USER32(?), ref: 0042418C
                                              • SetActiveWindow.USER32(?,?,?,0046781F), ref: 00424199
                                                • Part of subcall function 004235F4: ShowWindow.USER32(004105F8,00000009,?,00000000,0041ED4C,004238E2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 0042360F
                                                • Part of subcall function 00423ABC: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021425AC,004241B2,?,?,?,0046781F), ref: 00423AF7
                                              • SetFocus.USER32(00000000,?,?,?,0046781F), ref: 004241C6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$ActiveFocusIconicShow
                                              • String ID:
                                              • API String ID: 649377781-0
                                              • Opcode ID: abf3d26623ce3f5f1df30a1bb2ccc38e960545179f371c4c6c880d0d7118eb6a
                                              • Instruction ID: 9d7b97b1588b57ef25092538823a17ee25a728ca1780dde3acf0986de5f54100
                                              • Opcode Fuzzy Hash: abf3d26623ce3f5f1df30a1bb2ccc38e960545179f371c4c6c880d0d7118eb6a
                                              • Instruction Fuzzy Hash: 36F03A717001209BCB00AFAAECC5B9632A8AF18304B55017BBC08DF34BCABCDD5187A8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsIconic.USER32(?), ref: 00417CB7
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417CD5
                                              • GetWindowPlacement.USER32(?,0000002C), ref: 00417D0B
                                              • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D32
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$Placement$Iconic
                                              • String ID:
                                              • API String ID: 568898626-0
                                              • Opcode ID: ccf45bac815ac9650c1eda7d7ee920735da51ae8acefeeb5a5ed1e1968a9009b
                                              • Instruction ID: 69af1cea5ab0db390c44c228a9afcc828c7f08346dc1f1cf855d2dc861a92e07
                                              • Opcode Fuzzy Hash: ccf45bac815ac9650c1eda7d7ee920735da51ae8acefeeb5a5ed1e1968a9009b
                                              • Instruction Fuzzy Hash: AF018471204104ABDB20EE69DCC1EEB77A8AF54324F158166FD0CCF246E639EC8187E8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CaptureIconic
                                              • String ID:
                                              • API String ID: 2277910766-0
                                              • Opcode ID: 91823dd687394a4ed8ee48a39c45190aee43210de23b0732d742fca1e8511f91
                                              • Instruction ID: f3ef26a9ec4c3639b3254842bc08cf6d9feb289c2be9135b2bbb431e5f50db89
                                              • Opcode Fuzzy Hash: 91823dd687394a4ed8ee48a39c45190aee43210de23b0732d742fca1e8511f91
                                              • Instruction Fuzzy Hash: B6F03171315601ABD720962AC885AAB72B69F84319B14483BE41ACBB55EB78DCC58258
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • IsIconic.USER32(?), ref: 00424143
                                                • Part of subcall function 00423A2C: EnumWindows.USER32(004239C4), ref: 00423A50
                                                • Part of subcall function 00423A2C: GetWindow.USER32(?,00000003), ref: 00423A65
                                                • Part of subcall function 00423A2C: GetWindowLongA.USER32(?,000000EC), ref: 00423A74
                                                • Part of subcall function 00423A2C: SetWindowPos.USER32(00000000,00424104,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,00424153,?,?,00423D1B), ref: 00423AAA
                                              • SetActiveWindow.USER32(?,?,?,00423D1B,00000000,00424104), ref: 00424157
                                                • Part of subcall function 004235F4: ShowWindow.USER32(004105F8,00000009,?,00000000,0041ED4C,004238E2,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423BB4), ref: 0042360F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$ActiveEnumIconicLongShowWindows
                                              • String ID:
                                              • API String ID: 2671590913-0
                                              • Opcode ID: 657f3c15db0d6cf34cada4c58ec239c69b7baa88831cd667e440955cb53f6524
                                              • Instruction ID: d512277381545323e1bd2a4b4845e65b82e595a2bd73893c0d57f68d30832658
                                              • Opcode Fuzzy Hash: 657f3c15db0d6cf34cada4c58ec239c69b7baa88831cd667e440955cb53f6524
                                              • Instruction Fuzzy Hash: B0E01AA1B0010097EB00EF69DCC9B9672A8BF58304F55017ABC0CCF24BD67CC8908724
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0041277D), ref: 0041276B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: NtdllProc_Window
                                              • String ID:
                                              • API String ID: 4255912815-0
                                              • Opcode ID: 84af43a7efb99244d046e7d510ceccf456a9c98264e621075b9ccc522f6ffcaf
                                              • Instruction ID: 0d09216766d9d5b385ece6e8cba1e36b912c6a1774b5342391935a21d5851d13
                                              • Opcode Fuzzy Hash: 84af43a7efb99244d046e7d510ceccf456a9c98264e621075b9ccc522f6ffcaf
                                              • Instruction Fuzzy Hash: 7551F431204205DFCB14DB6ADA81A9BF3E5FF98314B20817BE814C3791DBB8AC92C758
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00472422
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: NtdllProc_Window
                                              • String ID:
                                              • API String ID: 4255912815-0
                                              • Opcode ID: a5a8acde2ea139e8bd48252c6c24868853d47a4937822392afe82ac5ea5e748c
                                              • Instruction ID: c3992268c3801ed1beac7631f2e5f9cad90702d4ee9162ede732c10c083e2767
                                              • Opcode Fuzzy Hash: a5a8acde2ea139e8bd48252c6c24868853d47a4937822392afe82ac5ea5e748c
                                              • Instruction Fuzzy Hash: 5F413575604108DFCB10CFA9D7809AAB7F5FB48310B25C996E848DB301D3BCEE41AB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042ED54
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: NtdllProc_Window
                                              • String ID:
                                              • API String ID: 4255912815-0
                                              • Opcode ID: 1618573b336cfe43e6365c49c1add1a31867e84e149d2e83090908c597df2fde
                                              • Instruction ID: 530d004986d911579cf02e8422d66cb1dcb863e7172150f09f51376a0a0a5638
                                              • Opcode Fuzzy Hash: 1618573b336cfe43e6365c49c1add1a31867e84e149d2e83090908c597df2fde
                                              • Instruction Fuzzy Hash: 64D0A77121010DAFCB00DE9AE840D6F33ACEB88700BA0C806F518C7201C234EC108BB4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Sleep.KERNEL32(00000000,00000000,0048AEF1,?,?,?,?,00000000,00000000,00000000), ref: 0048AA3C
                                              • FindWindowA.USER32(00000000,00000000), ref: 0048AA6D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FindSleepWindow
                                              • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                              • API String ID: 3078808852-3310373309
                                              • Opcode ID: 6c535dff48149e348be4f17223c4b33e43e766748f1db67647feb292777d2e31
                                              • Instruction ID: 235d6cf6b0db6f7ade2b2b1cdaf506c84c5948104d9e726c8462171498c33706
                                              • Opcode Fuzzy Hash: 6c535dff48149e348be4f17223c4b33e43e766748f1db67647feb292777d2e31
                                              • Instruction Fuzzy Hash: 52C183A0B402116BE714BF3E8C4252E559A9F95705B12CD3FB406DB78ACEBCDC1A435E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateMutexA.KERNEL32(00491A74,00000001,00000000,00000000,004562D1,?,?,?,00000001,?,004564EB,00000000,00456501,?,00000000,00492628), ref: 00455FE9
                                              • CreateFileMappingA.KERNEL32(000000FF,00491A74,00000004,00000000,00002018,00000000), ref: 00456021
                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,004562A7,?,00491A74,00000001,00000000,00000000,004562D1,?,?,?), ref: 00456048
                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456155
                                              • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,004562A7,?,00491A74,00000001,00000000,00000000,004562D1), ref: 004560AD
                                                • Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B
                                              • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045616C
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004561A5
                                              • GetLastError.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004561B7
                                              • UnmapViewOfFile.KERNEL32(00000000,004562AE,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456289
                                              • CloseHandle.KERNEL32(00000000,004562AE,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456298
                                              • CloseHandle.KERNEL32(00000000,004562AE,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004562A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                              • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp$dE
                                              • API String ID: 4012871263-2761909193
                                              • Opcode ID: 3276e082d531b985bb67dd1e10781b6b55d60bef76dd2279fe4a73c9d58b2a34
                                              • Instruction ID: f83b799fad480325abbebf32ce7824c881fe6810fb4ea4fb229400168c5a50eb
                                              • Opcode Fuzzy Hash: 3276e082d531b985bb67dd1e10781b6b55d60bef76dd2279fe4a73c9d58b2a34
                                              • Instruction Fuzzy Hash: E0918070A402149FDF10EBA9C841B9EB7B4EB48305F91856BF814EB393DB789948CF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetVersion.KERNEL32(?,00418F98,00000000,?,?,?,00000001), ref: 0041F0CE
                                              • SetErrorMode.KERNEL32(00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0EA
                                              • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F0F6
                                              • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F98,00000000,?,?,?,00000001), ref: 0041F104
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F134
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F15D
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F172
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F187
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F19C
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F1B1
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F1C6
                                              • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1DB
                                              • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1F0
                                              • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F205
                                              • FreeLibrary.KERNEL32(00000001,?,00418F98,00000000,?,?,?,00000001), ref: 0041F217
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                              • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                              • API String ID: 2323315520-3614243559
                                              • Opcode ID: c44bbbd98e059cecc08069e17c7c9aa6716694089eaec3a8336a368094c932b5
                                              • Instruction ID: 9ff2825c27a268439dd1d1bb46a0bfc7fca62d380631be57860753cffe2250cf
                                              • Opcode Fuzzy Hash: c44bbbd98e059cecc08069e17c7c9aa6716694089eaec3a8336a368094c932b5
                                              • Instruction Fuzzy Hash: C4310DB5600701FBDB00EBF5AC86A763298B768764746093BB109DB1B2E77D484ACB1D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              • Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 0048F6FD
                                              • UninstallNeedRestart, xrefs: 0048F67E, 0048F6B7
                                              • Uninstall DAT: , xrefs: 0048F242
                                              • DeinitializeUninstall, xrefs: 0048F888
                                              • Setup version: Inno Setup version 5.2.3, xrefs: 0048F215
                                              • Will restart because UninstallNeedRestart returned True., xrefs: 0048F6CE
                                              • utCompiledCode[1] is invalid, xrefs: 0048F3BF
                                              • InitializeUninstall, xrefs: 0048F53E
                                              • Will not restart Windows automatically., xrefs: 0048F7F2
                                              • Uninstall, xrefs: 0048F1C8
                                              • InitializeUninstall returned False; aborting., xrefs: 0048F576
                                              • Original Uninstall EXE: , xrefs: 0048F21F
                                              • Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 0048F3F9
                                              • Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 0048F391
                                              • Removed all? %s, xrefs: 0048F648
                                              • Need to restart Windows? %s, xrefs: 0048F71F
                                              • Uninstall command line: , xrefs: 0048F265
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$Long$Show
                                              • String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 5.2.3$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.$utCompiledCode[1] is invalid
                                              • API String ID: 3609083571-2151202259
                                              • Opcode ID: 8b7b11fc5591f3793c7ac97f0232a7a3c7647ad771189aa819d1f765c70bde8f
                                              • Instruction ID: 2b269d8c764b7bac30a443b9f4bc23fd7acbfe7da633e0682c37f6fe37a00802
                                              • Opcode Fuzzy Hash: 8b7b11fc5591f3793c7ac97f0232a7a3c7647ad771189aa819d1f765c70bde8f
                                              • Instruction Fuzzy Hash: 2C12B234A00244AFD711FF65D842B5E7BA1AB5A709F50487BF800AB3A6CB7C9D49CB1D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000,?,0041A8EC,?), ref: 0041C9E8
                                              • 73A24C40.GDI32(?,00000000,?,0041A8EC,?), ref: 0041C9F4
                                              • 73A26180.GDI32(0041A8EC,?,00000001,00000001,00000000,00000000,0041CC0A,?,?,00000000,?,0041A8EC,?), ref: 0041CA18
                                              • 73A24C00.GDI32(?,0041A8EC,?,00000000,0041CC0A,?,?,00000000,?,0041A8EC,?), ref: 0041CA28
                                              • SelectObject.GDI32(0041CDE4,00000000), ref: 0041CA43
                                              • FillRect.USER32(0041CDE4,?,?), ref: 0041CA7E
                                              • SetTextColor.GDI32(0041CDE4,00000000), ref: 0041CA93
                                              • SetBkColor.GDI32(0041CDE4,00000000), ref: 0041CAAA
                                              • PatBlt.GDI32(0041CDE4,00000000,00000000,0041A8EC,?,00FF0062), ref: 0041CAC0
                                              • 73A24C40.GDI32(?,00000000,0041CBC3,?,0041CDE4,00000000,?,0041A8EC,?,00000000,0041CC0A,?,?,00000000,?,0041A8EC), ref: 0041CAD3
                                              • SelectObject.GDI32(00000000,00000000), ref: 0041CB04
                                              • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3,?,0041CDE4,00000000,?,0041A8EC), ref: 0041CB1C
                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3,?,0041CDE4,00000000,?), ref: 0041CB25
                                              • 73A18830.GDI32(0041CDE4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3), ref: 0041CB34
                                              • 73A122A0.GDI32(0041CDE4,0041CDE4,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CBB2,?,?,00000000,0041CBC3), ref: 0041CB3D
                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041CB56
                                              • SetBkColor.GDI32(00000000,00000000), ref: 0041CB6D
                                              • 73A24D40.GDI32(0041CDE4,00000000,00000000,0041A8EC,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CBB2,?,?,00000000), ref: 0041CB89
                                              • SelectObject.GDI32(00000000,?), ref: 0041CB96
                                              • DeleteDC.GDI32(00000000), ref: 0041CBAC
                                                • Part of subcall function 0041A000: GetSysColor.USER32(?), ref: 0041A00A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                              • String ID:
                                              • API String ID: 1381628555-0
                                              • Opcode ID: c8262b5c9687899cb3da658a9da79215068cbf101d5c2b8ed1964b5729b21c16
                                              • Instruction ID: ff179a34f285c3436bc621bb31859736a2280516ecfda4d40c06e70735cb6950
                                              • Opcode Fuzzy Hash: c8262b5c9687899cb3da658a9da79215068cbf101d5c2b8ed1964b5729b21c16
                                              • Instruction Fuzzy Hash: 8E61DE71A44608ABDF10EBE9DC86FDFB7B8EF48704F10446AF504E7281D67CA9408B69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(00491788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEE6
                                              • GetVersion.KERNEL32(00000000,0042E090,?,00491788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF03
                                              • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E090,?,00491788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF1C
                                              • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF22
                                              • FreeSid.ADVAPI32(00000000,0042E097,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E08A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                              • String ID: CheckTokenMembership$advapi32.dll
                                              • API String ID: 1717332306-1888249752
                                              • Opcode ID: 90bf7855e1e027ec7cb2be59d17b4e45930f5e0fb8f3cd7f2032e79c600b80b0
                                              • Instruction ID: c9ca30b7fa2e8a9abceabce4e586e827254369ae75abf0d5bc05731ff3bd77e9
                                              • Opcode Fuzzy Hash: 90bf7855e1e027ec7cb2be59d17b4e45930f5e0fb8f3cd7f2032e79c600b80b0
                                              • Instruction Fuzzy Hash: 2B51C571B44625AEDB10EAF69D42F7F7BACDB09704F94087BB600E7282C5BC9805866D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ShowWindow.USER32(?,00000005,00000000,00490758,?,?,00000000,?,00000000,00000000,?,00490A99,00000000,00490AA3,?,00000000), ref: 00490443
                                              • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00490758,?,?,00000000,?,00000000,00000000,?,00490A99,00000000), ref: 00490456
                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00490758,?,?,00000000,?,00000000,00000000), ref: 00490466
                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00490487
                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00490758,?,?,00000000,?,00000000), ref: 00490497
                                                • Part of subcall function 0042D330: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3BE,?,?,00000000,?,?,0048FE54,00000000,0049001D,?,?,00000005), ref: 0042D365
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                              • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                              • API String ID: 2000705611-3672972446
                                              • Opcode ID: 5805ed58a2f07dba9df3d8eb250c7aeec524b303c6f9492730f4e9bc89ddfacd
                                              • Instruction ID: 6666ff25eec7c53b5eb866eda449138b93a1580bdca8663c56f4b5746ffc9271
                                              • Opcode Fuzzy Hash: 5805ed58a2f07dba9df3d8eb250c7aeec524b303c6f9492730f4e9bc89ddfacd
                                              • Instruction Fuzzy Hash: 4E91C430A04244AFDF11EBA5C852BAF7BB4EB49314F5144B7F900AB692C77CAC15CB69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastError.KERNEL32(00000000,00458252,?,?,?,?,?,00000006,?,00000000,0048F8FB,?,00000000,0048F996), ref: 00458104
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                              • API String ID: 1452528299-1593206319
                                              • Opcode ID: e60eb18ae1536dca2e8af4fda36a2ff980dc9d18a77e2faf45e33f23c0ed069a
                                              • Instruction ID: f32569dbdd6adc11da929e147044c40dcc52494f0e71e5ec630e07cd073e3049
                                              • Opcode Fuzzy Hash: e60eb18ae1536dca2e8af4fda36a2ff980dc9d18a77e2faf45e33f23c0ed069a
                                              • Instruction Fuzzy Hash: 666192307046449BDB00EB6988517AE7BA4AB49715F5184AFFC01EB383CF7C9E49CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B36B
                                              • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B375
                                              • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B387
                                              • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39E
                                              • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3AA
                                              • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B403,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3D7
                                              • 73A1A480.USER32(00000000,00000000,0041B40A,00000000,0041B403,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3FD
                                              • SelectObject.GDI32(00000000,?), ref: 0041B418
                                              • SelectObject.GDI32(?,00000000), ref: 0041B427
                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B453
                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B461
                                              • SelectObject.GDI32(?,00000000), ref: 0041B46F
                                              • DeleteDC.GDI32(00000000), ref: 0041B478
                                              • DeleteDC.GDI32(?), ref: 0041B481
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Object$Select$Delete$A26180A480A570Stretch
                                              • String ID:
                                              • API String ID: 359944910-0
                                              • Opcode ID: e92431f9581d06db8cd21544c0e7e04c7f7b808437c697100934415fbb48ef82
                                              • Instruction ID: f97b2a76bc4940b7567ba323b4cd0a089c72401e81ca6e31c969396a69b82abf
                                              • Opcode Fuzzy Hash: e92431f9581d06db8cd21544c0e7e04c7f7b808437c697100934415fbb48ef82
                                              • Instruction Fuzzy Hash: 4941BF71E40609AFDF10DAE9D846FEFB7B8EB08704F104466B614FB281C77869418BA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegQueryValueExA.ADVAPI32(0045841A,00000000,00000000,?,00000000,?,00000000,00453145,?,0045841A,00000003,00000000,00000000,0045317C), ref: 00452FC5
                                                • Part of subcall function 0042E660: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004519EF,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E67F
                                              • RegQueryValueExA.ADVAPI32(0045841A,00000000,00000000,00000000,?,00000004,00000000,0045308F,?,0045841A,00000000,00000000,?,00000000,?,00000000), ref: 00453049
                                              • RegQueryValueExA.ADVAPI32(0045841A,00000000,00000000,00000000,?,00000004,00000000,0045308F,?,0045841A,00000000,00000000,?,00000000,?,00000000), ref: 00453078
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452EE3
                                              • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452F1C
                                              • , xrefs: 00452F36
                                              • RegOpenKeyEx, xrefs: 00452F48
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: QueryValue$FormatMessageOpen
                                              • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                              • API String ID: 2812809588-1577016196
                                              • Opcode ID: 0e8a8fe90ab65ee8afece0f5023d781a25c66e7800ad316f26bfe38058a3962f
                                              • Instruction ID: 928035bd272ea07f578a002d221a9efba8d97d5daeae889991e526f08aa7b5e3
                                              • Opcode Fuzzy Hash: 0e8a8fe90ab65ee8afece0f5023d781a25c66e7800ad316f26bfe38058a3962f
                                              • Instruction Fuzzy Hash: 70913671E00208ABDB10DFA5D941BDEB7F9EB49746F10446BF900F7282D6789E098B69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CloseHandle.KERNEL32(?), ref: 00456B6B
                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456B87
                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456B95
                                              • GetExitCodeProcess.KERNEL32(?), ref: 00456BA6
                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456BED
                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456C09
                                              Strings
                                              • Helper isn't responding; killing it., xrefs: 00456B77
                                              • Helper process exited., xrefs: 00456BB5
                                              • Helper process exited with failure code: 0x%x, xrefs: 00456BD3
                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 00456B5D
                                              • Helper process exited, but failed to get exit code., xrefs: 00456BDF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                              • API String ID: 3355656108-1243109208
                                              • Opcode ID: 5b56649a2d40bba37211ef4175ca1734cbb3bde7ff93420d1052a04aac8d11c1
                                              • Instruction ID: 9d7a733ba7e4b400d55abe2d76827c4ec82c7121443a5166b5708a03c4d9d847
                                              • Opcode Fuzzy Hash: 5b56649a2d40bba37211ef4175ca1734cbb3bde7ff93420d1052a04aac8d11c1
                                              • Instruction Fuzzy Hash: 37217C70604B009ADB20E779C446B5BB7D49F08315F81882FB8D9CB293D67CF8488B6A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00452038: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452127
                                                • Part of subcall function 00452038: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452137
                                              • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048EE31
                                              • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0048EF85), ref: 0048EE52
                                              • CreateWindowExA.USER32(00000000,STATIC,0048EF94,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0048EE79
                                              • SetWindowLongA.USER32(?,000000FC,0048E60C), ref: 0048EE8C
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048EF58,?,?,000000FC,0048E60C,00000000,STATIC,0048EF94), ref: 0048EEBC
                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 0048EF30
                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048EF58,?,?,000000FC,0048E60C,00000000), ref: 0048EF3C
                                                • Part of subcall function 00452388: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045246F
                                              • 73A25CF0.USER32(?,0048EF5F,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0048EF58,?,?,000000FC,0048E60C,00000000,STATIC), ref: 0048EF52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                              • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                              • API String ID: 170458502-2312673372
                                              • Opcode ID: d286ce31f0742afd55fe71401d241f91e74279016cdde02258f129c258f02059
                                              • Instruction ID: 899c3a807d8ebef90b2c1b053718f2bfa0ca9862065cd7989ddb6901344ff065
                                              • Opcode Fuzzy Hash: d286ce31f0742afd55fe71401d241f91e74279016cdde02258f129c258f02059
                                              • Instruction Fuzzy Hash: 3E415370A44248BFDB00FBA6DD42F9E77B8EB19704F50497AF604F72D1D6799A008B58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetActiveWindow.USER32 ref: 0045E0CC
                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0045E0E0
                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045E0ED
                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045E0FA
                                              • GetWindowRect.USER32(?,00000000), ref: 0045E146
                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045E184
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                              • API String ID: 2610873146-3407710046
                                              • Opcode ID: 170c59ca9b76ed583b93d1e9080623799a3cea187bf70a9d391bc38250018019
                                              • Instruction ID: ef411939a0946b870fd052df56d83547aac6ed7b4a766e15f820ec3551d64de0
                                              • Opcode Fuzzy Hash: 170c59ca9b76ed583b93d1e9080623799a3cea187bf70a9d391bc38250018019
                                              • Instruction Fuzzy Hash: CE21D475705B04AFD3149669CD81F3F3299DB88B11F08453AFD44DB382DA78DD068AA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetActiveWindow.USER32 ref: 0042EA6C
                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA80
                                              • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EA8D
                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EA9A
                                              • GetWindowRect.USER32(?,00000000), ref: 0042EAE6
                                              • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB24
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$AddressProc$ActiveHandleModuleRect
                                              • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                              • API String ID: 2610873146-3407710046
                                              • Opcode ID: c76122e987ccbbf4ad122bf975a6ea2cd69e31ff1eab506a42aecdfe1b08b63b
                                              • Instruction ID: de6f8a07dda85d31b5a5cc2262033447bbfd7554ac1e79db9a4c9fe52e5b2086
                                              • Opcode Fuzzy Hash: c76122e987ccbbf4ad122bf975a6ea2cd69e31ff1eab506a42aecdfe1b08b63b
                                              • Instruction Fuzzy Hash: 2A21C271701614AFD700EA79DCD1F3B3B98DB88710F48452AF945DB382DA78FC008AA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00456EEB,?,00000000,00456F4E,?,?,00000000,00000000), ref: 00456D69
                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00002034,00000014,00000000,?,00000000,00456E80,?,00000000,00000001,00000000,00000000,00000000,00456EEB), ref: 00456DC6
                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00002034,00000014,00000000,?,00000000,00456E80,?,00000000,00000001,00000000,00000000,00000000,00456EEB), ref: 00456DD3
                                              • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00456E1F
                                              • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00456E59,?,-00000020,0000000C,-00002034,00000014,00000000,?,00000000,00456E80,?,00000000), ref: 00456E45
                                              • GetLastError.KERNEL32(?,?,00000000,00000001,00456E59,?,-00000020,0000000C,-00002034,00000014,00000000,?,00000000,00456E80,?,00000000), ref: 00456E4C
                                                • Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                              • String ID: CreateEvent$TransactNamedPipe
                                              • API String ID: 2182916169-3012584893
                                              • Opcode ID: 48229fdc3ef61929d6ac761d7619ebca0006deda708ad69f0594bdf8de0f3da7
                                              • Instruction ID: 3505877414f257bb21a012f26b9d0d7704acec035ae139655f100219df004d2f
                                              • Opcode Fuzzy Hash: 48229fdc3ef61929d6ac761d7619ebca0006deda708ad69f0594bdf8de0f3da7
                                              • Instruction Fuzzy Hash: 6C41C275A00208AFDB05DF95CD82F9EB7F9FB08714F5140AAF904E7292C6789E44CB68
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454C91,?,?,00000031,?), ref: 00454B54
                                              • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00454B5A
                                              • LoadTypeLib.OLEAUT32(00000000,?), ref: 00454BA7
                                                • Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressErrorHandleLastLoadModuleProcType
                                              • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                              • API String ID: 1914119943-2711329623
                                              • Opcode ID: 12a9c4858e22de83489c89b1158ee9c10e057dde659f6e5fdc5b29827f952d42
                                              • Instruction ID: e4400bf96c166b5c8e97fc258379556c86f091726ab19f10260670aaeab998db
                                              • Opcode Fuzzy Hash: 12a9c4858e22de83489c89b1158ee9c10e057dde659f6e5fdc5b29827f952d42
                                              • Instruction Fuzzy Hash: 3831B475600604AFDB12EFAACC01E5BB7B9EBC870971144AAF814DB752DA38D984C628
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E369,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047A008), ref: 0042E28D
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E293
                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E369,?,?,00000001,00000000,?,?,00000001), ref: 0042E2E1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressCloseHandleModuleProc
                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                              • API String ID: 4190037839-2401316094
                                              • Opcode ID: d2b98547006c70c7f6ab2a7a46fd7a642073d1849025eece5ac941bf7e5903bf
                                              • Instruction ID: b5527917e10b0fb8c326f7aa8ff769b2caa43ea40ee794feba058f86ebb39bc0
                                              • Opcode Fuzzy Hash: d2b98547006c70c7f6ab2a7a46fd7a642073d1849025eece5ac941bf7e5903bf
                                              • Instruction Fuzzy Hash: 0C215334B00219EBDB00EBA7DC55A9F77A9EB44705FA0447BA900E7291DBBC9A05CB5C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RectVisible.GDI32(?,?), ref: 00416DBB
                                              • SaveDC.GDI32(?), ref: 00416DCF
                                              • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DF2
                                              • RestoreDC.GDI32(?,?), ref: 00416E0D
                                              • CreateSolidBrush.GDI32(00000000), ref: 00416E8D
                                              • FrameRect.USER32(?,?,?), ref: 00416EC0
                                              • DeleteObject.GDI32(?), ref: 00416ECA
                                              • CreateSolidBrush.GDI32(00000000), ref: 00416EDA
                                              • FrameRect.USER32(?,?,?), ref: 00416F0D
                                              • DeleteObject.GDI32(?), ref: 00416F17
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                              • String ID:
                                              • API String ID: 375863564-0
                                              • Opcode ID: 9eaa094af12716ba6a712ed9638624616ca55e3879d61aed165e71946b14b20b
                                              • Instruction ID: b1e82343d8b9ba510e891f63597e6edb4555071dc73553b60de04657c1de1759
                                              • Opcode Fuzzy Hash: 9eaa094af12716ba6a712ed9638624616ca55e3879d61aed165e71946b14b20b
                                              • Instruction Fuzzy Hash: 32513C712086445FDB50EF69C8C0B9B77E8AF48314F15466AFD48CB286C778EC81CB99
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                              • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                              • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                              • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                              • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                              • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                              • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                              • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                              • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                              • String ID:
                                              • API String ID: 1694776339-0
                                              • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                              • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                              • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                              • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemMenu.USER32(00000000,00000000), ref: 004221DB
                                              • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221F9
                                              • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422206
                                              • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422213
                                              • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422220
                                              • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042222D
                                              • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042223A
                                              • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422247
                                              • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00422265
                                              • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422281
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Menu$Delete$EnableItem$System
                                              • String ID:
                                              • API String ID: 3985193851-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042CAA4: CharPrevA.USER32(?,00000000,?,00000001,?,?,0042CBD2,00000000,0042CBF8,?,00000001,?,?,00000000,?,0042CC4A), ref: 0042CACC
                                              • SHGetMalloc.SHELL32(?), ref: 0045CE2B
                                              • GetActiveWindow.USER32 ref: 0045CE8F
                                              • CoInitialize.OLE32(00000000), ref: 0045CEA3
                                              • SHBrowseForFolder.SHELL32(?), ref: 0045CEBA
                                              • 756CD120.OLE32(0045CEFB,00000000,?,?,?,?,?,00000000,0045CF7F), ref: 0045CECF
                                              • SetActiveWindow.USER32(?,0045CEFB,00000000,?,?,?,?,?,00000000,0045CF7F), ref: 0045CEE5
                                              • SetActiveWindow.USER32(?,?,0045CEFB,00000000,?,?,?,?,?,00000000,0045CF7F), ref: 0045CEEE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ActiveWindow$BrowseCharD120FolderInitializeMallocPrev
                                              • String ID: A
                                              • API String ID: 2093991911-3554254475
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemMetrics.USER32(0000000E), ref: 00418C18
                                              • GetSystemMetrics.USER32(0000000D), ref: 00418C20
                                              • 6F552980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C26
                                                • Part of subcall function 00409958: 6F54C400.COMCTL32((&I,000000FF,00000000,00418C54,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0040995C
                                              • 6F5BCB00.COMCTL32((&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C76
                                              • 6F5BC740.COMCTL32(00000000,?,(&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C81
                                              • 6F5BCB00.COMCTL32((&I,00000001,?,?,00000000,?,(&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000), ref: 00418C94
                                              • 6F550860.COMCTL32((&I,00418CB7,?,00000000,?,(&I,00000000,00000000,00000000,00000000,00418CB0,?,00000000,0000000D,00000000,0000000E), ref: 00418CAA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MetricsSystem$C400C740F550860F552980
                                              • String ID: (&I
                                              • API String ID: 1828538299-96580698
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045A7B1
                                              • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045A7C1
                                              • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045A7D1
                                              • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045A7E1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc
                                              • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                              • API String ID: 190572456-3516654456
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetBkColor.GDI32(?,00000000), ref: 0041A961
                                              • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A99B
                                              • SetBkColor.GDI32(?,?), ref: 0041A9B0
                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9FA
                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA05
                                              • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA15
                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA54
                                              • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5E
                                              • SetBkColor.GDI32(00000000,?), ref: 0041AA6B
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Color$StretchText
                                              • String ID:
                                              • API String ID: 2984075790-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042D7A8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7BB
                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00455ECC,?, /s ",?,regsvr32.exe",?,00455ECC), ref: 00455E3E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseDirectoryHandleSystem
                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                              • API String ID: 2051275411-1862435767
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • OffsetRect.USER32(?,00000001,00000001), ref: 0044C895
                                              • GetSysColor.USER32(00000014), ref: 0044C89C
                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044C8B4
                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C8DD
                                              • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044C8E7
                                              • GetSysColor.USER32(00000010), ref: 0044C8EE
                                              • SetTextColor.GDI32(00000000,00000000), ref: 0044C906
                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C92F
                                              • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044C95A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Text$Color$Draw$OffsetRect
                                              • String ID:
                                              • API String ID: 1005981011-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00471674: GetWindowThreadProcessId.USER32(00000000), ref: 0047167C
                                                • Part of subcall function 00471674: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00471773,\/I,00000000), ref: 0047168F
                                                • Part of subcall function 00471674: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00471695
                                              • SendMessageA.USER32(00000000,0000004A,00000000,00471B06), ref: 00471781
                                              • GetTickCount.KERNEL32 ref: 004717C6
                                              • GetTickCount.KERNEL32 ref: 004717D0
                                              • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00471825
                                              Strings
                                              • CallSpawnServer: Unexpected status: %d, xrefs: 0047180E
                                              • \/I, xrefs: 00471753
                                              • CallSpawnServer: Unexpected response: $%x, xrefs: 004717B6
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                              • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d$\/I
                                              • API String ID: 613034392-4045567746
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0044FC44: SetEndOfFile.KERNEL32(?,?,004599C5,00000000,00459B68,?,00000000,00000002,00000002), ref: 0044FC4B
                                                • Part of subcall function 00406EF0: DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB
                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0048E6E9
                                              • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 0048E6FD
                                              • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0048E717
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048E723
                                              • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048E729
                                              • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 0048E73C
                                              Strings
                                              • Deleting Uninstall data files., xrefs: 0048E65F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                              • String ID: Deleting Uninstall data files.
                                              • API String ID: 1570157960-2568741658
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046A8E1,?,?,?,?,00000000), ref: 0046A84B
                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046A8E1), ref: 0046A862
                                              • AddFontResourceA.GDI32(00000000), ref: 0046A87F
                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046A893
                                              Strings
                                              • Failed to set value in Fonts registry key., xrefs: 0046A854
                                              • AddFontResource, xrefs: 0046A89D
                                              • Failed to open Fonts registry key., xrefs: 0046A869
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                              • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                              • API String ID: 955540645-649663873
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 004163B8: GetClassInfoA.USER32(00400000,?,?), ref: 00416427
                                                • Part of subcall function 004163B8: UnregisterClassA.USER32(?,00400000), ref: 00416453
                                                • Part of subcall function 004163B8: RegisterClassA.USER32(?), ref: 00416476
                                              • GetVersion.KERNEL32 ref: 0045E530
                                              • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045E56E
                                              • SHGetFileInfo.SHELL32(0045E60C,00000000,?,00000160,00004011), ref: 0045E58B
                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0045E5A9
                                              • SetCursor.USER32(00000000,00000000,00007F02,0045E60C,00000000,?,00000160,00004011), ref: 0045E5AF
                                              • SetCursor.USER32(?,0045E5EF,00007F02,0045E60C,00000000,?,00000160,00004011), ref: 0045E5E2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                              • String ID: Explorer
                                              • API String ID: 2594429197-512347832
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlInitializeCriticalSection.KERNEL32(00492420,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                              • RtlEnterCriticalSection.KERNEL32(00492420,00492420,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                              • LocalAlloc.KERNEL32(00000000,00000FF8,00492420,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                              • RtlLeaveCriticalSection.KERNEL32(00492420,00401A89,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                              • String ID: @$I$P$I$|$I
                                              • API String ID: 730355536-2452420409
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastError.KERNEL32(00000000,004578DE,?,00000000,?,00000000,?,00000006,?,00000000,0048F8FB,?,00000000,0048F996), ref: 00457822
                                                • Part of subcall function 00452A2C: FindClose.KERNEL32(000000FF,00452B22), ref: 00452B11
                                              Strings
                                              • Failed to delete directory (%d)., xrefs: 004578B8
                                              • Failed to delete directory (%d). Will retry later., xrefs: 0045783B
                                              • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004577FC
                                              • Deleting directory: %s, xrefs: 004577AB
                                              • Failed to strip read-only attribute., xrefs: 004577F0
                                              • Stripped read-only attribute., xrefs: 004577E4
                                              • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00457897
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseErrorFindLast
                                              • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                              • API String ID: 754982922-1448842058
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCapture.USER32 ref: 00422E4C
                                              • GetCapture.USER32 ref: 00422E5B
                                              • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E61
                                              • ReleaseCapture.USER32 ref: 00422E66
                                              • GetActiveWindow.USER32 ref: 00422E75
                                              • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EF4
                                              • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F58
                                              • GetActiveWindow.USER32 ref: 00422F67
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CaptureMessageSend$ActiveWindow$Release
                                              • String ID:
                                              • API String ID: 862346643-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000), ref: 00429432
                                              • GetTextMetricsA.GDI32(00000000), ref: 0042943B
                                                • Part of subcall function 0041A190: CreateFontIndirectA.GDI32(?), ref: 0041A24F
                                              • SelectObject.GDI32(00000000,00000000), ref: 0042944A
                                              • GetTextMetricsA.GDI32(00000000,?), ref: 00429457
                                              • SelectObject.GDI32(00000000,00000000), ref: 0042945E
                                              • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00429466
                                              • GetSystemMetrics.USER32(00000006), ref: 0042948B
                                              • GetSystemMetrics.USER32(00000006), ref: 004294A5
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                              • String ID:
                                              • API String ID: 361401722-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000,?,00419001,00490B35), ref: 0041DDCF
                                              • 73A24620.GDI32(00000000,0000005A,00000000,?,00419001,00490B35), ref: 0041DDD9
                                              • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419001,00490B35), ref: 0041DDE6
                                              • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDF5
                                              • GetStockObject.GDI32(00000007), ref: 0041DE03
                                              • GetStockObject.GDI32(00000005), ref: 0041DE0F
                                              • GetStockObject.GDI32(0000000D), ref: 0041DE1B
                                              • LoadIconA.USER32(00000000,00007F00), ref: 0041DE2C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ObjectStock$A24620A480A570IconLoad
                                              • String ID:
                                              • API String ID: 3573811560-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadCursorA.USER32(00000000,00007F02), ref: 0045EA14
                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0045EAA9), ref: 0045EA1A
                                              • SetCursor.USER32(?,0045EA91,00007F02,00000000,0045EAA9), ref: 0045EA84
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Cursor$Load
                                              • String ID: $ $Internal error: Item already expanding
                                              • API String ID: 1675784387-1948079669
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045246F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: PrivateProfileStringWrite
                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                              • API String ID: 390214022-3304407042
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemDefaultLCID.KERNEL32(00000000,00408908,?,?,?,?,00000000,00000000,00000000,?,0040990F,00000000,00409922), ref: 004086DA
                                                • Part of subcall function 00408508: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004924C0,00000001,?,004085D3,?,00000000,004086B2), ref: 00408526
                                                • Part of subcall function 00408554: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408756,?,?,?,00000000,00408908), ref: 00408567
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: InfoLocale$DefaultSystem
                                              • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                              • API String ID: 1044490935-665933166
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetVersion.KERNEL32(00000000,004118A1), ref: 00411734
                                              • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117F2
                                                • Part of subcall function 00411A54: CreatePopupMenu.USER32 ref: 00411A6E
                                              • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0041187E
                                                • Part of subcall function 00411A54: CreateMenu.USER32 ref: 00411A78
                                              • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411865
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Menu$Insert$Create$ItemPopupVersion
                                              • String ID: ,$?
                                              • API String ID: 2359071979-2308483597
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BED0
                                              • GetObjectA.GDI32(?,00000018,?), ref: 0041BEDF
                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF30
                                              • GetBitmapBits.GDI32(?,?,?), ref: 0041BF3E
                                              • DeleteObject.GDI32(?), ref: 0041BF47
                                              • DeleteObject.GDI32(?), ref: 0041BF50
                                              • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF6D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Object$BitmapBitsDelete$CreateIcon
                                              • String ID:
                                              • API String ID: 1030595962-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEA6
                                              • 73A24620.GDI32(00000000,00000026), ref: 0041CEC5
                                              • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF2B
                                              • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF3A
                                              • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFA4
                                              • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFE2
                                              • 73A18830.GDI32(?,?,00000001,0041D014,00000000,00000026), ref: 0041D007
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Stretch$A18830$A122A24620BitsMode
                                              • String ID:
                                              • API String ID: 430401518-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(00000000,?,?), ref: 00454F8E
                                                • Part of subcall function 00424224: GetWindowTextA.USER32(?,?,00000100), ref: 00424244
                                                • Part of subcall function 0041EE4C: GetCurrentThreadId.KERNEL32 ref: 0041EE9B
                                                • Part of subcall function 0041EE4C: 73A25940.USER32(00000000,0041EDFC,00000000,00000000,0041EEB8,?,00000000,0041EEEF,?,0042E7E8,?,00000001), ref: 0041EEA1
                                                • Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00454FF5
                                              • TranslateMessage.USER32(?), ref: 00455013
                                              • DispatchMessageA.USER32(?), ref: 0045501C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                              • String ID: [Paused]
                                              • API String ID: 3047529653-4230553315
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCursor.USER32(00000000,0046634F), ref: 004662CC
                                              • LoadCursorA.USER32(00000000,00007F02), ref: 004662DA
                                              • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046634F), ref: 004662E0
                                              • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046634F), ref: 004662EA
                                              • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046634F), ref: 004662F0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Cursor$LoadSleep
                                              • String ID: CheckPassword
                                              • API String ID: 4023313301-1302249611
                                              • Opcode ID: ef49ceb1e6b76059b89289d51870adcf94d3e00f2c6c0016733c7528b345117c
                                              • Instruction ID: e12dea2b5957d6b50ca2ed371003984113864468440f1a681d17ee3b0f813ced
                                              • Opcode Fuzzy Hash: ef49ceb1e6b76059b89289d51870adcf94d3e00f2c6c0016733c7528b345117c
                                              • Instruction Fuzzy Hash: 2931A774644204AFD701EF69C88AF9E7BE1AF45304F5680B6F904AB3E2D7789E40CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0041BFF0: GetObjectA.GDI32(?,00000018), ref: 0041BFFD
                                              • GetFocus.USER32 ref: 0041C110
                                              • 73A1A570.USER32(?), ref: 0041C11C
                                              • 73A18830.GDI32(?,?,00000000,00000000,0041C19B,?,?), ref: 0041C13D
                                              • 73A122A0.GDI32(?,?,?,00000000,00000000,0041C19B,?,?), ref: 0041C149
                                              • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C160
                                              • 73A18830.GDI32(?,00000000,00000000,0041C1A2,?,?), ref: 0041C188
                                              • 73A1A480.USER32(?,?,0041C1A2,?,?), ref: 0041C195
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A18830$A122A480A570BitsFocusObject
                                              • String ID:
                                              • API String ID: 2231653193-0
                                              • Opcode ID: 4b5817af3930a7da88de8c776c2c87f1b057dc8e6189491f9691f509f6f43723
                                              • Instruction ID: e1839615c60f4afd83c90c330261c8dd65eba5fe4d32295df669e4ba5c229ee2
                                              • Opcode Fuzzy Hash: 4b5817af3930a7da88de8c776c2c87f1b057dc8e6189491f9691f509f6f43723
                                              • Instruction Fuzzy Hash: 24116D71A44608BBDB10DBE9CC85FAFB7FCEF48700F54446AB518E7281D63898008B28
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047C644), ref: 0047C629
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseOpen
                                              • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                              • API String ID: 47109696-2530820420
                                              • Opcode ID: 216c442831188f385001bfb6125c95756f0f6973d9343121dce614720b27fbcb
                                              • Instruction ID: ba25b35c1adc0b75f4f324f6cb59f82a98d74cc289aeabc78b4d1a44d03816b4
                                              • Opcode Fuzzy Hash: 216c442831188f385001bfb6125c95756f0f6973d9343121dce614720b27fbcb
                                              • Instruction Fuzzy Hash: 84118E30B04204AADB10DB659AC2B9A7BA89B56308F61D0BFA408A7285DB789A018758
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SelectObject.GDI32(00000000,?), ref: 0041B418
                                              • SelectObject.GDI32(?,00000000), ref: 0041B427
                                              • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B453
                                              • SelectObject.GDI32(00000000,00000000), ref: 0041B461
                                              • SelectObject.GDI32(?,00000000), ref: 0041B46F
                                              • DeleteDC.GDI32(00000000), ref: 0041B478
                                              • DeleteDC.GDI32(?), ref: 0041B481
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ObjectSelect$Delete$Stretch
                                              • String ID:
                                              • API String ID: 1458357782-0
                                              • Opcode ID: d8fcd08cd1e6b3b068bfae977a68b3e89a280d1eb5928260e7975f8e8b8626d0
                                              • Instruction ID: 04c6450d5990685007640eea88a29337d1268334102612a79928454e9dde4d04
                                              • Opcode Fuzzy Hash: d8fcd08cd1e6b3b068bfae977a68b3e89a280d1eb5928260e7975f8e8b8626d0
                                              • Instruction Fuzzy Hash: 3F114CB2E00555ABDF10DAD9D885FEFB3BCEF08704F048556B614FB241C678A9418B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000,?,?,00000000), ref: 0048D6A1
                                                • Part of subcall function 0041A190: CreateFontIndirectA.GDI32(?), ref: 0041A24F
                                              • SelectObject.GDI32(00000000,00000000), ref: 0048D6C3
                                              • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0048DC19), ref: 0048D6D7
                                              • GetTextMetricsA.GDI32(00000000,?), ref: 0048D6F9
                                              • 73A1A480.USER32(00000000,00000000,0048D723,0048D71C,?,00000000,?,?,00000000), ref: 0048D716
                                              Strings
                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048D6CE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                              • API String ID: 1435929781-222967699
                                              • Opcode ID: 2b902195bd78e3a85a14461ba25cf2a461328febbf25ed1a984847a0c9924e98
                                              • Instruction ID: 56f2b7a4074af1b55b95a42d0c90d732b29dffae751eaa68173dd8b8b984e531
                                              • Opcode Fuzzy Hash: 2b902195bd78e3a85a14461ba25cf2a461328febbf25ed1a984847a0c9924e98
                                              • Instruction Fuzzy Hash: E5012575A05608AFDB01EEA5CC41F5FB7ECDB49704F51447AB504E72C1D678AD008B68
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCursorPos.USER32 ref: 00423357
                                              • WindowFromPoint.USER32(?,?), ref: 00423364
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00423372
                                              • GetCurrentThreadId.KERNEL32 ref: 00423379
                                              • SendMessageA.USER32(00000000,00000084,?,?), ref: 00423392
                                              • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004233A9
                                              • SetCursor.USER32(00000000), ref: 004233BB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                              • String ID:
                                              • API String ID: 1770779139-0
                                              • Opcode ID: 7a1fa5eb43588ed905b36272748367152b50e279982f14557b7e119d831a34ac
                                              • Instruction ID: 0b857e85cec8b006a236e34f0c55496e129225b07c91d7ef35ca05f8a9fb34e8
                                              • Opcode Fuzzy Hash: 7a1fa5eb43588ed905b36272748367152b50e279982f14557b7e119d831a34ac
                                              • Instruction Fuzzy Hash: 5801D42230431026D620BB795C86F2F62A9DFC5B25F50453FBA09AB283DE3D8D1063AD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(user32.dll), ref: 0048D4C4
                                              • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048D4D1
                                              • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048D4DE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule
                                              • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                              • API String ID: 667068680-2254406584
                                              • Opcode ID: 6786598ab4ed6b29e551e4434715b5d92cf041e967db77cd6a5fdf9f42b76a8d
                                              • Instruction ID: 67b51c375aa01bca0c5088982691f1e3d037f3b871651ee40e205a1bc027e1e2
                                              • Opcode Fuzzy Hash: 6786598ab4ed6b29e551e4434715b5d92cf041e967db77cd6a5fdf9f42b76a8d
                                              • Instruction Fuzzy Hash: 19F0C292E42B1476DA1035BA0C82E7F628CCB8A768F140837BD45A72C2E9688D0543AD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045A685
                                              • GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045A695
                                              • GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045A6A5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc
                                              • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                              • API String ID: 190572456-508647305
                                              • Opcode ID: b50286813e04f81c7a6efa6a560a2cc7dac75f01e1440ccd7e3cdc890a972b89
                                              • Instruction ID: 4e0395d972810c9416c3368882ebdde2c5e01ffaaeaf982be760f48a4fca4704
                                              • Opcode Fuzzy Hash: b50286813e04f81c7a6efa6a560a2cc7dac75f01e1440ccd7e3cdc890a972b89
                                              • Instruction Fuzzy Hash: 3DF062B1532700FBDB08DF729EC422736B5B364396F18C13BA804551AAD7BC0458EA0D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045AB85
                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045AB95
                                              • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045ABA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc
                                              • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                              • API String ID: 190572456-212574377
                                              • Opcode ID: 06ad267ddbe9a67695a24deefdef499722044127c2f74fee0a459ad65b6435b0
                                              • Instruction ID: 78c3aec0c34357df070bc40c46de1e5cd03a4b776be7e77430bdb5cc110f23ad
                                              • Opcode Fuzzy Hash: 06ad267ddbe9a67695a24deefdef499722044127c2f74fee0a459ad65b6435b0
                                              • Instruction Fuzzy Hash: 66F06DB0500742EADB14DF32AE44B3237A6A368306F04913BA909552AAD7FC145EEE5E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E775), ref: 0044BEC7
                                              • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044BED8
                                              • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044BEE8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$LibraryLoad
                                              • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                              • API String ID: 2238633743-1050967733
                                              • Opcode ID: abacc1ed5ed1df711e1e8ee03ae90b21d03a72e98de670892c8574e2f0669abe
                                              • Instruction ID: 119d9ded96c8020385292050e9bd4a1b60054d62b4ab52501d4127c2865211ec
                                              • Opcode Fuzzy Hash: abacc1ed5ed1df711e1e8ee03ae90b21d03a72e98de670892c8574e2f0669abe
                                              • Instruction Fuzzy Hash: 62F0FE70545745AAEB10ABE49E86B223294E320709F10157BA005B52E1C7FDC48CCE5D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048DD4A,QueryCancelAutoPlay,00490B7B), ref: 0042E75A
                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E760
                                              • InterlockedExchange.KERNEL32(00492660,00000001), ref: 0042E771
                                              • ChangeWindowMessageFilter.USER32(0000C1C3,00000001), ref: 0042E782
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                              • API String ID: 1365377179-2498399450
                                              • Opcode ID: eab0b65c3067cf7eebd20b0fa5e3b11d0b4fe551875263116f1b4c2d8dfe968a
                                              • Instruction ID: 232ca1bda8f30e1dbeb1e37a17564225c323fdce3e6d3ccf23913f9b659c3ecd
                                              • Opcode Fuzzy Hash: eab0b65c3067cf7eebd20b0fa5e3b11d0b4fe551875263116f1b4c2d8dfe968a
                                              • Instruction Fuzzy Hash: 50E0ECB1742310BAEA247BB26E8AF5A2594A774715F900037F000655E6C6FD0D44D91D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,?,00490B71), ref: 0047243A
                                              • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00472447
                                              • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00472457
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleModule
                                              • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                              • API String ID: 667068680-222143506
                                              • Opcode ID: 0f9ecaba7a057c0ff261be8817688d558130c40e5a9a1257119e418d6d35d74a
                                              • Instruction ID: 2634119a36086f07b4582bff0c6698110bc0db6046ba951e872dfe9231fcc97c
                                              • Opcode Fuzzy Hash: 0f9ecaba7a057c0ff261be8817688d558130c40e5a9a1257119e418d6d35d74a
                                              • Instruction Fuzzy Hash: 7AC0C9E0641700AEAA08B7B11E8397A2168D520B29B10813B704869187D6FC08045A2C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFocus.USER32 ref: 0041B6ED
                                              • 73A1A570.USER32(?), ref: 0041B6F9
                                              • 73A18830.GDI32(00000000,?,00000000,00000000,0041B7C4,?,?), ref: 0041B72E
                                              • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B7C4,?,?), ref: 0041B73A
                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B7A2,?,00000000,0041B7C4,?,?), ref: 0041B768
                                              • 73A18830.GDI32(00000000,00000000,00000000,0041B7A9,?,?,00000000,00000000,0041B7A2,?,00000000,0041B7C4,?,?), ref: 0041B79C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A18830$A122A26310A570Focus
                                              • String ID:
                                              • API String ID: 3906783838-0
                                              • Opcode ID: 2189f248925abbd8b3ed1d854bd6b727da44b470d0452cebfb9837d533ec30a6
                                              • Instruction ID: 8a3990a2e5d6fcee7426173f9b26f44009bdffde0bb17d68edab7397fe7bbe52
                                              • Opcode Fuzzy Hash: 2189f248925abbd8b3ed1d854bd6b727da44b470d0452cebfb9837d533ec30a6
                                              • Instruction Fuzzy Hash: 8C513D70A00608AFCF11DFA9C895AEEBBF4EF49704F10446AF510A7390D7789D81CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFocus.USER32 ref: 0041B9BF
                                              • 73A1A570.USER32(?), ref: 0041B9CB
                                              • 73A18830.GDI32(00000000,?,00000000,00000000,0041BA91,?,?), ref: 0041BA05
                                              • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA91,?,?), ref: 0041BA11
                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA6F,?,00000000,0041BA91,?,?), ref: 0041BA35
                                              • 73A18830.GDI32(00000000,00000000,00000000,0041BA76,?,?,00000000,00000000,0041BA6F,?,00000000,0041BA91,?,?), ref: 0041BA69
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A18830$A122A26310A570Focus
                                              • String ID:
                                              • API String ID: 3906783838-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFocus.USER32 ref: 0041B526
                                              • 73A1A570.USER32(?,00000000,0041B600,?,?,?,?), ref: 0041B532
                                              • 73A24620.GDI32(?,00000068,00000000,0041B5D4,?,?,00000000,0041B600,?,?,?,?), ref: 0041B54E
                                              • 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B5D4,?,?,00000000,0041B600,?,?,?,?), ref: 0041B56B
                                              • 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B5D4,?,?,00000000,0041B600), ref: 0041B582
                                              • 73A1A480.USER32(?,?,0041B5DB,?,?), ref: 0041B5CE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: E680$A24620A480A570Focus
                                              • String ID:
                                              • API String ID: 3709697839-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000030,00000FFF,00000000,00457320,?,?,00000000,00000000), ref: 0045725B
                                                • Part of subcall function 00456B34: CloseHandle.KERNEL32(?), ref: 00456B6B
                                                • Part of subcall function 00456B34: WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456B95
                                                • Part of subcall function 00456B34: GetExitCodeProcess.KERNEL32(?), ref: 00456BA6
                                                • Part of subcall function 00456B34: CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456BED
                                                • Part of subcall function 00456B34: Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456C09
                                                • Part of subcall function 00456B34: TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456B87
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseHandleProcess$ByteCharCodeExitFullMultiNameObjectPathSingleSleepTerminateWaitWide
                                              • String ID: HelperRegisterTypeLibrary: StatusCode invalid$ITypeLib::GetLibAttr$LoadTypeLib$RegisterTypeLib$UnRegisterTypeLib
                                              • API String ID: 3965036325-83444288
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetLastError.KERNEL32(00000057,00000000,0045A60C,?,?,?,?,00000000), ref: 0045A5AB
                                              • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045A678,?,00000000,0045A60C,?,?,?,?,00000000), ref: 0045A5EA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                              • API String ID: 1452528299-1580325520
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BD7D
                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BD87
                                              • 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD91
                                              • 73A24620.GDI32(00000000,0000000E,00000000,0041BE04,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDB8
                                              • 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE04,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDC5
                                              • 73A1A480.USER32(00000000,00000000,0041BE0B,0000000E,00000000,0041BE04,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDFE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A24620MetricsSystem$A480A570
                                              • String ID:
                                              • API String ID: 4042297458-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetWindowLongA.USER32(?,000000EC), ref: 004774A2
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00467815), ref: 004774C8
                                              • GetWindowLongA.USER32(?,000000EC), ref: 004774D8
                                              • SetWindowLongA.USER32(?,000000EC,00000000), ref: 004774F9
                                              • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047750D
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00477529
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$Long$Show
                                              • String ID:
                                              • API String ID: 3609083571-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0041A688: CreateBrushIndirect.GDI32 ref: 0041A6F3
                                              • UnrealizeObject.GDI32(00000000), ref: 0041B224
                                              • SelectObject.GDI32(?,00000000), ref: 0041B236
                                              • SetBkColor.GDI32(?,00000000), ref: 0041B259
                                              • SetBkMode.GDI32(?,00000002), ref: 0041B264
                                              • SetBkColor.GDI32(?,00000000), ref: 0041B27F
                                              • SetBkMode.GDI32(?,00000001), ref: 0041B28A
                                                • Part of subcall function 0041A000: GetSysColor.USER32(?), ref: 0041A00A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                              • String ID:
                                              • API String ID: 3527656728-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,jPG,?,00000000,00000000,00000001,00000000,00473BAD,?,00000000), ref: 00473B71
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Close
                                              • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$jPG$yNG
                                              • API String ID: 3535843008-3932832818
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 004708D2
                                              • 73A259E0.USER32(00000000,000000FC,00470830,00000000,00470A62,?,00000000,00470A87), ref: 004708F9
                                              • GetACP.KERNEL32(00000000,00470A62,?,00000000,00470A87), ref: 00470936
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0047097C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A259ClassInfoMessageSend
                                              • String ID: COMBOBOX
                                              • API String ID: 3217714596-1136563877
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284
                                              • ShowWindow.USER32(?,00000005,00000000,00490051,?,?,00000000), ref: 0048FE22
                                                • Part of subcall function 0042D7A8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7BB
                                                • Part of subcall function 00407248: SetCurrentDirectoryA.KERNEL32(00000000,?,0048FE4A,00000000,0049001D,?,?,00000005,00000000,00490051,?,?,00000000), ref: 00407253
                                                • Part of subcall function 0042D330: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3BE,?,?,00000000,?,?,0048FE54,00000000,0049001D,?,?,00000005), ref: 0042D365
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                              • String ID: .dat$.msg$IMsg$Uninstall
                                              • API String ID: 3312786188-1660910688
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455C7C
                                              • GetExitCodeProcess.KERNEL32(?,00490736), ref: 00455C9D
                                              • CloseHandle.KERNEL32(?,00455CD0,?,?,dE,00000000,00000000), ref: 00455CC3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                              • API String ID: 2573145106-3235461205
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0047167C
                                              • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00471773,\/I,00000000), ref: 0047168F
                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00471695
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProcProcessThreadWindow
                                              • String ID: AllowSetForegroundWindow$user32.dll
                                              • API String ID: 1782028327-3855017861
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • BeginPaint.USER32(00000000,?), ref: 00416BFA
                                              • SaveDC.GDI32(?), ref: 00416C2B
                                              • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CED), ref: 00416C8C
                                              • RestoreDC.GDI32(?,?), ref: 00416CB3
                                              • EndPaint.USER32(00000000,?,00416CF4,00000000,00416CED), ref: 00416CE7
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Paint$BeginClipExcludeRectRestoreSave
                                              • String ID:
                                              • API String ID: 3808407030-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297B0
                                              • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297DF
                                              • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297FB
                                              • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429826
                                              • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429844
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemMetrics.USER32(0000000B), ref: 0041BB72
                                              • GetSystemMetrics.USER32(0000000C), ref: 0041BB7C
                                              • 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBBA
                                              • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD25,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC01
                                              • DeleteObject.GDI32(00000000), ref: 0041BC42
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MetricsSystem$A26310A570DeleteObject
                                              • String ID:
                                              • API String ID: 4277397052-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0045A540: SetLastError.KERNEL32(00000057,00000000,0045A60C,?,?,?,?,00000000), ref: 0045A5AB
                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0046D96C,?,?,00000001,0049307C), ref: 0046D925
                                              • GetLastError.KERNEL32(00000000,00000000,00000000,0046D96C,?,?,00000001,0049307C), ref: 0046D93B
                                              Strings
                                              • Could not set permissions on the registry key because it currently does not exist., xrefs: 0046D92F
                                              • Setting permissions on registry key: %s\%s, xrefs: 0046D8EA
                                              • Failed to set permissions on registry key (%d)., xrefs: 0046D94C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                              • API String ID: 1452528299-4018462623
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                              • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                              • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocString
                                              • String ID:
                                              • API String ID: 262959230-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A18830.GDI32(00000000,00000000,00000000), ref: 004143C1
                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 004143C9
                                              • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143DD
                                              • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143E3
                                              • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143EE
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A122A18830$A480
                                              • String ID:
                                              • API String ID: 3325508737-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,P$I,?,?,?,004018B4), ref: 00401566
                                              • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,P$I,?,?,?,004018B4), ref: 0040158B
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,P$I,?,?,?,004018B4), ref: 004015B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Virtual$Alloc$Free
                                              • String ID: @$I$P$I
                                              • API String ID: 3668210933-2914900308
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406FA3
                                              • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040701D
                                              • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407075
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Enum$NameOpenResourceUniversal
                                              • String ID: Z
                                              • API String ID: 3604996873-1505515367
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetRectEmpty.USER32(?), ref: 0044C72A
                                              • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C755
                                              • DrawTextA.USER32(00000000,00000000), ref: 0044C7EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DrawText$EmptyRect
                                              • String ID:
                                              • API String ID: 182455014-2867612384
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • 73A1A570.USER32(00000000,00000000,0042E9FF,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8D6
                                                • Part of subcall function 0041A190: CreateFontIndirectA.GDI32(?), ref: 0041A24F
                                              • SelectObject.GDI32(?,00000000), ref: 0042E8F9
                                              • 73A1A480.USER32(00000000,?,0042E9E4,00000000,0042E9DD,?,00000000,00000000,0042E9FF,?,?,?,?,00000000,00000000,00000000), ref: 0042E9D7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: A480A570CreateFontIndirectObjectSelect
                                              • String ID: ...\
                                              • API String ID: 2998766281-983595016
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452127
                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,0048EF85,_iu,?,00000000,00452172), ref: 00452137
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCreateFileHandle
                                              • String ID: .tmp$_iu
                                              • API String ID: 3498533004-10593223
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegCloseKey.ADVAPI32(?,0048B2FE,?,?,00000001,00000000,00000000,0048B319), ref: 0048B2E7
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048B25A
                                              • Inno Setup CodeFile: , xrefs: 0048B2AA
                                              • %s\%s_is1, xrefs: 0048B278
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseOpen
                                              • String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
                                              • API String ID: 47109696-1837835967
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetClassInfoA.USER32(00400000,?,?), ref: 00416427
                                              • UnregisterClassA.USER32(?,00400000), ref: 00416453
                                              • RegisterClassA.USER32(?), ref: 00416476
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Class$InfoRegisterUnregister
                                              • String ID: @
                                              • API String ID: 3749476976-2766056989
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 0044F694
                                              • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F6D6
                                              • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F707
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$ExecuteShell
                                              • String ID: open
                                              • API String ID: 2179883421-2758837156
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetFileAttributesA.KERNEL32(00000000,00490ACD,00000000,004902F6,?,?,00000000,00492628), ref: 00490270
                                              • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00490ACD,00000000,004902F6,?,?,00000000,00492628), ref: 00490299
                                              • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004902B2
                                              Strings
                                              Similarity
                                              • API ID: File$Attributes$Move
                                              • String ID: isRS-%.3u.tmp
                                              • API String ID: 3839737484-3657609586
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042C6FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C720
                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00454A5C
                                              • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454A89
                                              Strings
                                              Similarity
                                              • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                              • String ID: LoadTypeLib$RegisterTypeLib
                                              • API String ID: 1312246647-2435364021
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042426C: SetWindowTextA.USER32(?,00000000), ref: 00424284
                                              • GetFocus.USER32 ref: 00471F6B
                                              • GetKeyState.USER32(0000007A), ref: 00471F7D
                                              • WaitMessage.USER32(?,00000000,00471FA4,?,00000000,00471FCB,?,?,00000001,00000000,?,?,?,?,004791FF,00000000), ref: 00471F87
                                              Strings
                                              Similarity
                                              • API ID: FocusMessageStateTextWaitWindow
                                              • String ID: Wnd=$%x
                                              • API String ID: 1381870634-2927251529
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetActiveWindow.USER32 ref: 0042EB9F
                                              • MessageBoxA.USER32(?,00000000,00000000,00000001), ref: 0042EBCB
                                              • SetActiveWindow.USER32(?,0042EBF9,00000000,0042EC47,?,?,00000000,?), ref: 0042EBEC
                                              Strings
                                              Similarity
                                              • API ID: ActiveWindow$Message
                                              • String ID: t}G
                                              • API String ID: 2113736151-3734030870
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FileTimeToLocalFileTime.KERNEL32(?), ref: 00468DAC
                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00468DBB
                                              Strings
                                              Similarity
                                              • API ID: Time$File$LocalSystem
                                              • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                              • API String ID: 1748579591-1013271723
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004525DB
                                                • Part of subcall function 00406EF0: DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB
                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 00452600
                                                • Part of subcall function 00451C18: GetLastError.KERNEL32(00000000,00452689,00000005,00000000,004526BE,?,?,00000000,00492628,00000004,00000000,00000000,00000000,?,00490395,00000000), ref: 00451C1B
                                              Strings
                                              Similarity
                                              • API ID: File$AttributesDeleteErrorLastMove
                                              • String ID: DeleteFile$MoveFile
                                              • API String ID: 3024442154-139070271
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047C525
                                              • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047C548
                                              Strings
                                              • CSDVersion, xrefs: 0047C51C
                                              • System\CurrentControlSet\Control\Windows, xrefs: 0047C4F2
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                              • API String ID: 3677997916-1910633163
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004522D6,00000000,00452379,?,?,00000000,00000000,00000000,00000000,00000000,?,00452645,00000000), ref: 0042D7EE
                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7F4
                                              Strings
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                              • API String ID: 1646373207-4063490227
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00490B49), ref: 0044EE6B
                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EE71
                                              Strings
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: NotifyWinEvent$user32.dll
                                              • API String ID: 1646373207-597752486
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00490B95,00000001,00000000,00490BB9), ref: 0049091E
                                              • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00490924
                                              Strings
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: DisableProcessWindowsGhosting$user32.dll
                                              • API String ID: 1646373207-834958232
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0044AD34: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EE61,00490B49), ref: 0044AD5B
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AD73
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AD85
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AD97
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044ADA9
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADBB
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044ADCD
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044ADDF
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044ADF1
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AE03
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AE15
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AE27
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AE39
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AE4B
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AE5D
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AE6F
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AE81
                                                • Part of subcall function 0044AD34: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044AE93
                                              • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00490B67), ref: 0045FCCB
                                              • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 0045FCD1
                                              Strings
                                              Similarity
                                              • API ID: AddressProc$LibraryLoad
                                              • String ID: SHPathPrepareForWriteA$shell32.dll
                                              • API String ID: 2238633743-2683653824
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00413CEE
                                              • GetDesktopWindow.USER32 ref: 00413DA6
                                                • Part of subcall function 00418E68: 6F5BC6F0.COMCTL32(?,00000000,00413F6B,00000000,0041407B,?,?,00492628), ref: 00418E84
                                                • Part of subcall function 00418E68: ShowCursor.USER32(00000001,?,00000000,00413F6B,00000000,0041407B,?,?,00492628), ref: 00418EA1
                                              • SetCursor.USER32(00000000,?,?,?,?,00413A9B,00000000,00413AAE), ref: 00413DE4
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CursorDesktopWindow$Show
                                              • String ID:
                                              • API String ID: 2074268717-0
                                              • Opcode ID: c0a5a9a3f23ddf0fdb38005436cf92fc6adf24d58530c29053f60a471aec8e15
                                              • Instruction ID: c44ea819ba4037f48297b9dda5801cfcbd8121a3a152854b6b02c08412c937c2
                                              • Opcode Fuzzy Hash: c0a5a9a3f23ddf0fdb38005436cf92fc6adf24d58530c29053f60a471aec8e15
                                              • Instruction Fuzzy Hash: 90414C75600110BFCB10EF29FAD9B9637E5AB64325F16807BE404CB365DAB8EC81DB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A15
                                              • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A84
                                              • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B1F
                                              • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B5E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LoadString$FileMessageModuleName
                                              • String ID:
                                              • API String ID: 704749118-0
                                              • Opcode ID: e08be93b19a1cddc4bd5487b5509b10aac953965d6ff4287a83413ce4527f0a1
                                              • Instruction ID: 4e3ae3d55980ca36df37c0f6f31f55762440d7de19fd646938f5a693a080efc6
                                              • Opcode Fuzzy Hash: e08be93b19a1cddc4bd5487b5509b10aac953965d6ff4287a83413ce4527f0a1
                                              • Instruction Fuzzy Hash: 0F3143706083849AD330EB65C945F9B77E89B86704F40483FB6C8E72D1DB795908876B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044DFF9
                                                • Part of subcall function 0044C62C: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C65E
                                              • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E07D
                                                • Part of subcall function 0042BB5C: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB70
                                              • IsRectEmpty.USER32(?), ref: 0044E03F
                                              • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E062
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                              • String ID:
                                              • API String ID: 855768636-0
                                              • Opcode ID: a016e4b893d0b61d6fc16ea788ceac071314e27b0018c062adb4e940fa0ff4d7
                                              • Instruction ID: 7aee670bcfb8eb3b6de293677f7b28f2d941b2dfee79f0c9038e744660d2ac79
                                              • Opcode Fuzzy Hash: a016e4b893d0b61d6fc16ea788ceac071314e27b0018c062adb4e940fa0ff4d7
                                              • Instruction Fuzzy Hash: BD11907174031027E610BA3E9C86B5F76899B88748F05493FB545EB383DDBDDC094399
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • OffsetRect.USER32(?,?,00000000), ref: 0048DB10
                                              • OffsetRect.USER32(?,00000000,?), ref: 0048DB2B
                                              • OffsetRect.USER32(?,?,00000000), ref: 0048DB45
                                              • OffsetRect.USER32(?,00000000,?), ref: 0048DB60
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: OffsetRect
                                              • String ID:
                                              • API String ID: 177026234-0
                                              • Opcode ID: fc16b123eb7b5af0d1f41d7d74d95bc65ca2d2300f8b1348e127f489464c5e53
                                              • Instruction ID: 20aeee4d2b07ae62cc9dc5e78f47db44159e8b2d0969b42eb6e8c3539826bbe7
                                              • Opcode Fuzzy Hash: fc16b123eb7b5af0d1f41d7d74d95bc65ca2d2300f8b1348e127f489464c5e53
                                              • Instruction Fuzzy Hash: DA218EB6B04201ABD700DE69CD85E5BB7EEEBD4304F14CA2AF544C7389D634F84487A6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCursorPos.USER32 ref: 00417208
                                              • SetCursor.USER32(00000000), ref: 0041724B
                                              • GetLastActivePopup.USER32(?), ref: 00417275
                                              • GetForegroundWindow.USER32(?), ref: 0041727C
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Cursor$ActiveForegroundLastPopupWindow
                                              • String ID:
                                              • API String ID: 1959210111-0
                                              • Opcode ID: 31a9e7ed65d1c6a10f15c6d0b6e52d74fbafc79933164b7f4b16210c0427c26c
                                              • Instruction ID: c6d496dfd2e179b176722755b72bbf9acc304802cb498c635dadf3855441ee16
                                              • Opcode Fuzzy Hash: 31a9e7ed65d1c6a10f15c6d0b6e52d74fbafc79933164b7f4b16210c0427c26c
                                              • Instruction Fuzzy Hash: AF21B0302042108ACB10EB6AD9446D733B1AB58724B5649BFF8449B392D77CCCC2CB89
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048D779
                                              • MulDiv.KERNEL32(50142444,00000008,?), ref: 0048D78D
                                              • MulDiv.KERNEL32(F77DE7E8,00000008,?), ref: 0048D7A1
                                              • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048D7BF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c7c6c338261a481ad8b7901dc756b9c3c7a5dc3a5f053bd0898b94715f12a61
                                              • Instruction ID: 600d8a0932f196341a5d2119bb187cb8608b3b3d374fe33bc178acc1610e68b6
                                              • Opcode Fuzzy Hash: 1c7c6c338261a481ad8b7901dc756b9c3c7a5dc3a5f053bd0898b94715f12a61
                                              • Instruction Fuzzy Hash: 7D113376A04204AFCB40EFA9D8C4D9B77ECEF4D370B14456AF918DB286D634ED408BA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetClassInfoA.USER32(00400000,0041F418,?), ref: 0041F449
                                              • UnregisterClassA.USER32(0041F418,00400000), ref: 0041F472
                                              • RegisterClassA.USER32(00491598), ref: 0041F47C
                                              • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F4B7
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                              • String ID:
                                              • API String ID: 4025006896-0
                                              • Opcode ID: 11962ad163dd351f2607c64d53b9a7b5b397274376691247f719d1917af597d1
                                              • Instruction ID: 0e76fd6e7c714867a95bae8c9fe2d4343c59fb837708c2c10e589f0ce1237785
                                              • Opcode Fuzzy Hash: 11962ad163dd351f2607c64d53b9a7b5b397274376691247f719d1917af597d1
                                              • Instruction Fuzzy Hash: 380192712401057BCB10EBA8DD81E9B3798A759324B11423BBA16E72E2C6359D198BAC
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D1BF
                                              • LoadResource.KERNEL32(00400000,72756F73,0040A960,00400000,00000001,00000000,?,0040D11C,00000000,?,00000000,?,?,00475D88,0000000A,REGDLL_EXE), ref: 0040D1D9
                                              • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A960,00400000,00000001,00000000,?,0040D11C,00000000,?,00000000,?,?,00475D88), ref: 0040D1F3
                                              • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A960,00400000,00000001,00000000,?,0040D11C,00000000,?,00000000,?), ref: 0040D1FD
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Resource$FindLoadLockSizeof
                                              • String ID:
                                              • API String ID: 3473537107-0
                                              • Opcode ID: 06d5a2224ff0889236480c5d79a412c4b439f6556495b070d29e0fa02e81d982
                                              • Instruction ID: bdc6fd998ef4e88b0830a639bb7e725ca803f690ad01cf79ba3c1cf188caca31
                                              • Opcode Fuzzy Hash: 06d5a2224ff0889236480c5d79a412c4b439f6556495b070d29e0fa02e81d982
                                              • Instruction Fuzzy Hash: 9FF0FBB2A056046F9744EE9EA881D6B76DCDE88364320016FF908EB246DA38DD118B78
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastError.KERNEL32(00000000,00000000), ref: 0046A2E9
                                              Strings
                                              • Unsetting NTFS compression on directory: %s, xrefs: 0046A2CF
                                              • Failed to set NTFS compression state (%d)., xrefs: 0046A2FA
                                              • Setting NTFS compression on directory: %s, xrefs: 0046A2B7
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                              • API String ID: 1452528299-1392080489
                                              • Opcode ID: 4d3942e9cc61f02bf791f275095a639e0222dadc5439085e038e50f3473c57ee
                                              • Instruction ID: fae52b56698cbef2ef65a100aaaf1ff6f22f0878e20b839bb13b77e1b18f05a4
                                              • Opcode Fuzzy Hash: 4d3942e9cc61f02bf791f275095a639e0222dadc5439085e038e50f3473c57ee
                                              • Instruction Fuzzy Hash: 62018430D18648A6CB0097ED50512DDBBE49F09304F4481EBA855EB382EB791A184F9B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 0042DC44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047C503,?,00000001,?,?,0047C503,?,00000001,00000000), ref: 0042DC60
                                              • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,?,?,00000000,00458EC3,?,?,?,?,?,00000000,00458ED6), ref: 004542EC
                                              • RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,00000000,00458EC3,?,?,?,?,?,00000000), ref: 004542F5
                                              • RemoveFontResourceA.GDI32(00000000), ref: 00454302
                                              • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00454316
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                              • String ID:
                                              • API String ID: 4283692357-0
                                              • Opcode ID: 2877f501dee16d655d75d116cfb29e793393d1176e080bde7ec29140c7e78512
                                              • Instruction ID: 6bcd884f58daa4cf242193067a8401f82c1379502e7cf10432dee752efbb2f93
                                              • Opcode Fuzzy Hash: 2877f501dee16d655d75d116cfb29e793393d1176e080bde7ec29140c7e78512
                                              • Instruction Fuzzy Hash: 9CF05EB574535136EA10B6B65C87F5B228C8F94749F10883BBA00EF2D3D97CDC05962D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastError.KERNEL32(?,00000000), ref: 0046ABD9
                                              Strings
                                              • Setting NTFS compression on file: %s, xrefs: 0046ABA7
                                              • Failed to set NTFS compression state (%d)., xrefs: 0046ABEA
                                              • Unsetting NTFS compression on file: %s, xrefs: 0046ABBF
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                              • API String ID: 1452528299-3038984924
                                              • Opcode ID: 1e8bcf552af8bc3392dbf0996a1f185d8ced690d2f94648fef7693de0000dbcf
                                              • Instruction ID: e77f6018277675d8139a31bc4823810fa5650a54dc532de9f13faf9e2e869009
                                              • Opcode Fuzzy Hash: 1e8bcf552af8bc3392dbf0996a1f185d8ced690d2f94648fef7693de0000dbcf
                                              • Instruction Fuzzy Hash: 4F016230E186486ACB04D7AD90512EEBBE49F09304F4481EFA455E7382EA791A188F9B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000008,?,00479787,?,?,00000001,00000000,00000002,00000000,0047A008,?,?,?,?,?,00490C38), ref: 00471CED
                                              • OpenProcessToken.ADVAPI32(00000000,00000008,?,00479787,?,?,00000001,00000000,00000002,00000000,0047A008), ref: 00471CF3
                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00479787,?,?,00000001,00000000,00000002,00000000,0047A008), ref: 00471D15
                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00479787,?,?,00000001,00000000,00000002,00000000), ref: 00471D26
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                              • String ID:
                                              • API String ID: 215268677-0
                                              • Opcode ID: b8dd8522978c37078a23bae837822d7669e7a9385b1b3912b8ae2519caf80a33
                                              • Instruction ID: c12eef84649cb6e2f6a6854870b7cf4ad062ba222e75244fe963afc4875e72bb
                                              • Opcode Fuzzy Hash: b8dd8522978c37078a23bae837822d7669e7a9385b1b3912b8ae2519caf80a33
                                              • Instruction Fuzzy Hash: 2DF037616443056BD610E6B5CD81E5B77DCEB44354F04493A7E98C71D1D678DC089B26
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetLastActivePopup.USER32(?), ref: 004241F4
                                              • IsWindowVisible.USER32(?), ref: 00424205
                                              • IsWindowEnabled.USER32(?), ref: 0042420F
                                              • SetForegroundWindow.USER32(?), ref: 00424219
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                              • String ID:
                                              • API String ID: 2280970139-0
                                              • Opcode ID: d9228b7f269806e4fe8e97f345a82837c2af6ea24a9e24666224f8ff684892d2
                                              • Instruction ID: e71b939943bb08068cd538cfbf2adeec964b373e7692791c6f26669312c8020f
                                              • Opcode Fuzzy Hash: d9228b7f269806e4fe8e97f345a82837c2af6ea24a9e24666224f8ff684892d2
                                              • Instruction Fuzzy Hash: 23E08CA178253593AE22B6A72D81A9B018CCD453C434A01A7BC08FB283DBACCC0082BC
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GlobalHandle.KERNEL32 ref: 00406287
                                              • GlobalUnWire.KERNEL32(00000000), ref: 0040628E
                                              • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                              • GlobalFix.KERNEL32(00000000), ref: 00406299
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Global$AllocHandleWire
                                              • String ID:
                                              • API String ID: 2210401237-0
                                              • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                              • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                              • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                              • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00465E11
                                              • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 00465E17
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Menu$EnableItemSystem
                                              • String ID: CurPageChanged
                                              • API String ID: 3692539535-2490978513
                                              • Opcode ID: 4c78da4d24218412021c3909a6acb726144e1dbd0d30da321cddcfbbb7aea40b
                                              • Instruction ID: ab7830cd034902a018f3633d5f7e813821d05f3ecf729ff0a8a04420c7cd6334
                                              • Opcode Fuzzy Hash: 4c78da4d24218412021c3909a6acb726144e1dbd0d30da321cddcfbbb7aea40b
                                              • Instruction Fuzzy Hash: 7CA10734604604EFC741DB69D989EAA73F5EF89304F2541F6F8049B362EB38AE41DB49
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              • Failed to proceed to next wizard page; showing wizard., xrefs: 00467804
                                              • Failed to proceed to next wizard page; aborting., xrefs: 004677F0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                              • API String ID: 0-1974262853
                                              • Opcode ID: ca7d52e32b1f50b24c16d12faf74625e74990e5f2a97b77bfd751917ec34c771
                                              • Instruction ID: 54b8d4b4028f273aede26eca5f3620dfaa6aeb886877892ecf599f8e019bb906
                                              • Opcode Fuzzy Hash: ca7d52e32b1f50b24c16d12faf74625e74990e5f2a97b77bfd751917ec34c771
                                              • Instruction Fuzzy Hash: BF31E034A08204EFDB01EB65C985E9D77F5EB49718F6140BBF80497352EB78AE00CA59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlEnterCriticalSection.KERNEL32(00492420,00000000,)), ref: 004025C7
                                              • RtlLeaveCriticalSection.KERNEL32(00492420,0040263D), ref: 00402630
                                                • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00492420,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00492420,00492420,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00492420,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00492420,00401A89,00000000,00401A82,?,?,0040222E,02145EF0,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                              • String ID: )
                                              • API String ID: 2227675388-1084416617
                                              • Opcode ID: 4485ac256982a062d4fa7b498a16ced20a2b64ccb8ee85a4042039cc97c61c73
                                              • Instruction ID: 5ca06efdeebc3fba4ee02943ae555fbbec684c5e6e5b72b014691e2301117c59
                                              • Opcode Fuzzy Hash: 4485ac256982a062d4fa7b498a16ced20a2b64ccb8ee85a4042039cc97c61c73
                                              • Instruction Fuzzy Hash: 9B1101317052047FEB25AB7A9F1A62B6AD4D795758B24087FF404F32D2D9FD8C02826C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0048ECCB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Window
                                              • String ID: /INITPROCWND=$%x $@
                                              • API String ID: 2353593579-4169826103
                                              • Opcode ID: 9fceb97f9dee9116b4f9cd4460141dcdd6850024def755ee183cc3526b898cc5
                                              • Instruction ID: f0e425cee1880468264a3bcbee4eb035e6200ab2a1fbac31d2564d6a1bb1e37f
                                              • Opcode Fuzzy Hash: 9fceb97f9dee9116b4f9cd4460141dcdd6850024def755ee183cc3526b898cc5
                                              • Instruction Fuzzy Hash: 9B11D371A042499FDB01EBA5D841BEE7BF8EB49314F50487BE404E7292D77CA909CB9C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                              • SysFreeString.OLEAUT32(?), ref: 00446BA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: String$AllocByteCharFreeMultiWide
                                              • String ID: NIL Interface Exception$Unknown Method
                                              • API String ID: 3952431833-1023667238
                                              • Opcode ID: 6cfdb488caeb7d7681ac0af27f1ef08cc2626e2ae4e3480024423c9f119b8ea1
                                              • Instruction ID: 34182cf724be706de40d5a6da2d3ea217801cbd4a50a487fa4911f02854a4a1d
                                              • Opcode Fuzzy Hash: 6cfdb488caeb7d7681ac0af27f1ef08cc2626e2ae4e3480024423c9f119b8ea1
                                              • Instruction Fuzzy Hash: F211B9706003489FDB10DFA5CC52AAEBBBCEB49704F52407AF500E7681D679AD04C76A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048E5CC,?,0048E5C0,00000000,0048E5A7), ref: 0048E572
                                              • CloseHandle.KERNEL32(0048E60C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0048E5CC,?,0048E5C0,00000000), ref: 0048E589
                                                • Part of subcall function 0048E45C: GetLastError.KERNEL32(00000000,0048E4F4,?,?,?,?), ref: 0048E480
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CloseCreateErrorHandleLastProcess
                                              • String ID: D
                                              • API String ID: 3798668922-2746444292
                                              • Opcode ID: ae870745a4cac2ffd9d929a47141e3125d0b46157059bed4d3fb6d2d61e0bba6
                                              • Instruction ID: 6a615ac2cff9bf009bed2b39286a60f6aa18dfcc8d35b7c44523146efba21c0d
                                              • Opcode Fuzzy Hash: ae870745a4cac2ffd9d929a47141e3125d0b46157059bed4d3fb6d2d61e0bba6
                                              • Instruction Fuzzy Hash: 060165B1604248BFDB04EBD2CC52E9F7BECDF08718F51043AB504E7291E6785E05C658
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DBA0
                                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBE0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Value$EnumQuery
                                              • String ID: Inno Setup: No Icons
                                              • API String ID: 1576479698-2016326496
                                              • Opcode ID: e9fb7db7dcf6cda393c86093116ee764db1e6ac8556277773d8aad4419d6b52b
                                              • Instruction ID: 963321e0e52aed92ccfb8a2f54d21a93e2c319f999d6bed2d0c39c2fe313cf58
                                              • Opcode Fuzzy Hash: e9fb7db7dcf6cda393c86093116ee764db1e6ac8556277773d8aad4419d6b52b
                                              • Instruction Fuzzy Hash: 7201F731B4536069F73085166D11B7BA9889B41B64F65003BF940EA3C0D2D9AC04E36E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00454E01
                                              • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00454E93
                                              Strings
                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00454E2D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
                                              • API String ID: 3850602802-809544686
                                              • Opcode ID: a1adc5262f18ccc09dab35f6281ca63863273ffb2e92d3f90e9b3158a6a75f82
                                              • Instruction ID: c0f4a4cb65a707f69109a7cbf24843c611ca21f6354bed41214754854ac40189
                                              • Opcode Fuzzy Hash: a1adc5262f18ccc09dab35f6281ca63863273ffb2e92d3f90e9b3158a6a75f82
                                              • Instruction Fuzzy Hash: 2F11C8716443506BD300EB699C82B5F7BA89B95308F04847FFA81DF3D2C3B95844D76A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00406EF0: DeleteFileA.KERNEL32(00000000,00492628,004906E1,00000000,00490736,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EFB
                                              • MoveFileA.KERNEL32(00000000,00000000), ref: 0046F906
                                                • Part of subcall function 0046F758: GetLastError.KERNEL32(00000000,0046F844,?,?,?,00493060,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0046F8CB,00000001), ref: 0046F779
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: File$DeleteErrorLastMove
                                              • String ID: DeleteFile$MoveFile
                                              • API String ID: 3195829115-139070271
                                              • Opcode ID: b0be4341a0637d195a70b7a110039d5830df33d111ea9a508efd80c07e6ee36d
                                              • Instruction ID: f1cebc0cb96c5cf1ed8be3b38952e05ad97f7cd0b069703ba66f8283a9432f3b
                                              • Opcode Fuzzy Hash: b0be4341a0637d195a70b7a110039d5830df33d111ea9a508efd80c07e6ee36d
                                              • Instruction Fuzzy Hash: 35F062A12051446BDE10BB69B54275B23889F0239DB1041BBBCC06B387EB3D9C0E87AF
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00453AF8: GetCurrentProcess.KERNEL32(00000028), ref: 00453B07
                                                • Part of subcall function 00453AF8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453B0D
                                              • SetForegroundWindow.USER32(?), ref: 0048F934
                                              Strings
                                              • Restarting Windows., xrefs: 0048F911
                                              • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0048F95F
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Process$CurrentForegroundOpenTokenWindow
                                              • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                              • API String ID: 3179053593-4147564754
                                              • Opcode ID: af8013956ed1e441d462507a332d2bb0e9ba5b4fab94b57e1f2de3ed3b9a88cc
                                              • Instruction ID: 6d3c2020791d7036b49287d64f904da8ce72110519df1e124044460b8ab960db
                                              • Opcode Fuzzy Hash: af8013956ed1e441d462507a332d2bb0e9ba5b4fab94b57e1f2de3ed3b9a88cc
                                              • Instruction Fuzzy Hash: 1001F2B0204240BBE701FB75E942B9C27D89748309F50847BF440AB2D3CABCAD4C8B2D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2230480278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000001.00000002.2230461979.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230545381.0000000000491000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000001.00000002.2230566581.00000000004A2000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ErrorLastSleep
                                              • String ID:
                                              • API String ID: 1458359878-0
                                              • Opcode ID: 0e65400a26063f5c73d90118d277bf29c197f76212c6d3f5b3bf3a51048ad55f
                                              • Instruction ID: 70cd491ee1c602b8227b57ee529d2398dd08f77e1846977ffbd05afa78f388ef
                                              • Opcode Fuzzy Hash: 0e65400a26063f5c73d90118d277bf29c197f76212c6d3f5b3bf3a51048ad55f
                                              • Instruction Fuzzy Hash: 2CF0B432B04514679F20BD9F9985A6F628CDA943E7720016FFD05DF303C43AEE4956A9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:5.4%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:193
48fc43 17217->17222 17225 48f884 17218->17225 17219->17197 17223 48f4f8 11 API calls 17220->17223 17224 48fc4d __vbaChkstk __vbaLateIdSt __vbaFreeObj 17221->17224 17222->17224 17229 48f6ed __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStr 17223->17229 17230 48f615 13 API calls 17223->17230 17231 48fcc5 17224->17231 17227 48f8bb 17225->17227 17228 48f895 __vbaHresultCheckObj 17225->17228 17232 48f8c5 __vbaChkstk __vbaLateIdSt __vbaFreeObj 17227->17232 17228->17232 17229->17197 17230->17197 17233 48fcfc 17231->17233 17234 48fcd6 __vbaHresultCheckObj 17231->17234 17236 48f93d 17232->17236 17235 48fd06 __vbaChkstk __vbaLateIdSt __vbaFreeObj __vbaStrCmp 17233->17235 17234->17235 17239 48fd6e 12 API calls 17235->17239 17240 48feb0 __vbaObjSetAddref 17235->17240 17237 48f94e __vbaHresultCheckObj 17236->17237 17238 48f974 17236->17238 17241 48f97e __vbaChkstk __vbaLateIdSt __vbaFreeObj __vbaStrCmp 17237->17241 17238->17241 17242 4b0750 12 API calls 17239->17242 17240->17191 17243 48f9e1 __vbaStrCopy __vbaVarMod __vbaI4Var 17241->17243 17244 48fa52 __vbaObjSetAddref 17241->17244 17245 48fe95 17242->17245 17246 4b0750 12 API calls 17243->17246 17244->17188 17247 48ff90 66 API calls 17245->17247 17248 48fa3a 17246->17248 17247->17240 17273 48ff90 __vbaChkstk __vbaStrCopy __vbaStrCopy __vbaOnError 17248->17273 17251 4b0789 __vbaFPInt __vbaFpI4 17250->17251 17252 4b07bc 17250->17252 17251->17049 17253 4b07c1 __vbaFPInt __vbaFpI4 17252->17253 17254 4b07f4 17252->17254 17253->17049 17255 4b0829 17254->17255 17256 4b07fc __vbaFPInt __vbaFpI4 17254->17256 17257 4b086a 17255->17257 17258 4b0831 __vbaFPInt __vbaFpI4 17255->17258 17256->17049 17259 4b089f 17257->17259 17260 4b0872 __vbaFPInt __vbaFpI4 17257->17260 17258->17049 17261 4b08da 17259->17261 17262 4b08a7 __vbaFPInt __vbaFpI4 17259->17262 17260->17049 17261->17049 17262->17049 17264 4161b9 17263->17264 17266 415051 17265->17266 17268 495d2e __vbaFreeStr __vbaFreeStr __vbaFreeStr 17267->17268 17268->17076 17270 
416125 17269->17270 17272 414629 17271->17272 17274 490028 __vbaObjSet 17273->17274 17275 49000c __vbaNew2 17273->17275 17277 490086 17274->17277 17275->17274 17278 4900bd 17277->17278 17279 490097 __vbaHresultCheckObj 17277->17279 17280 4900c7 __vbaChkstk __vbaLateIdSt __vbaFreeObj 17278->17280 17279->17280 17281 49012c 17280->17281 17282 49013d __vbaHresultCheckObj 17281->17282 17283 490163 17281->17283 17284 49016d __vbaChkstk __vbaLateIdSt __vbaFreeObj 17282->17284 17283->17284 17285 4901d3 17284->17285 17286 49020a 17285->17286 17287 4901e4 __vbaHresultCheckObj 17285->17287 17288 490214 __vbaChkstk __vbaLateIdSt __vbaFreeObj 17286->17288 17287->17288 17289 49026a 17288->17289 17290 49027b __vbaHresultCheckObj 17289->17290 17291 4902a1 17289->17291 17290->17291 17292 4902da __vbaHresultCheckObj 17291->17292 17293 490300 17291->17293 17292->17293 17294 490359 17293->17294 17295 490336 __vbaHresultCheckObj 17293->17295 17296 490391 __vbaHresultCheckObj 17294->17296 17297 4903b4 17294->17297 17295->17294 17296->17297 17298 49041c 17297->17298 17299 4903f6 __vbaHresultCheckObj 17297->17299 17300 490479 17298->17300 17301 490453 __vbaHresultCheckObj 17298->17301 17299->17298 17302 4904bb __vbaHresultCheckObj 17300->17302 17303 4904e1 17300->17303 17301->17300 17302->17303 17304 490518 __vbaHresultCheckObj 17303->17304 17305 49053e 17303->17305 17304->17305 17306 490558 __vbaNew2 17305->17306 17307 490574 __vbaObjSet 17305->17307 17306->17307 17309 4905c4 17307->17309 17310 4905fb 17309->17310 17311 4905d5 __vbaHresultCheckObj 17309->17311 17312 490605 __vbaFpI4 __vbaFreeObj 17310->17312 17311->17312 17313 49064c 17312->17313 17314 49065d __vbaHresultCheckObj 17313->17314 17315 490680 17313->17315 17314->17315 17316 4906bb __vbaHresultCheckObj 17315->17316 17317 4906de 17315->17317 17316->17317 17318 49071c __vbaHresultCheckObj 17317->17318 17319 490742 17317->17319 17318->17319 17320 4907aa 17319->17320 17321 490784 __vbaHresultCheckObj 17319->17321 17322 4907e0 
__vbaObjSet 17320->17322 17323 4907c4 __vbaNew2 17320->17323 17321->17320 17325 490829 17322->17325 17323->17322 17326 49083a __vbaHresultCheckObj 17325->17326 17327 490860 17325->17327 17328 49086a __vbaFreeObj 17326->17328 17327->17328 17329 49089f __vbaObjSet 17328->17329 17330 490883 __vbaNew2 17328->17330 17332 4908f8 17329->17332 17333 4908dc __vbaNew2 17329->17333 17330->17329 17334 490902 __vbaChkstk __vbaChkstk __vbaChkstk __vbaChkstk __vbaChkstk 17332->17334 17333->17334 17335 490a3c 17334->17335 17336 490a4d __vbaHresultCheckObj 17335->17336 17337 490a70 17335->17337 17338 490a7a __vbaObjSet 17336->17338 17337->17338 17339 490aae 17338->17339 17340 490abf __vbaHresultCheckObj 17339->17340 17341 490ae2 17339->17341 17342 490aec __vbaFreeObjList 17340->17342 17341->17342 17343 490b2b __vbaObjSet __vbaObjSet __vbaPrintObj __vbaFreeObjList 17342->17343 17344 490b0f __vbaNew2 17342->17344 17346 490bc3 17343->17346 17344->17343 17347 490bfa 17346->17347 17348 490bd4 __vbaHresultCheckObj 17346->17348 17349 490c04 __vbaFpI4 17347->17349 17348->17349 17350 490c3b 17349->17350 17353 490c7e __vbaHresultCheckObj 17350->17353 17354 490ca4 17350->17354 17360 490d7c 17350->17360 17351 490e0c 17355 490e16 __vbaObjSetAddref 17351->17355 17352 490de6 __vbaHresultCheckObj 17352->17355 17356 490cae __vbaFpI4 17353->17356 17354->17356 17357 490e4c __vbaFreeObj __vbaFreeStr __vbaFreeStr 17355->17357 17359 490cd9 17356->17359 17357->17244 17358 490d0c __vbaSetSystemError 17358->17359 17359->17358 17359->17360 17360->17351 17360->17352 17362 414485 17361->17362 16364 4d6a00 __vbaChkstk __vbaOnError 16365 4d6a75 18 API calls 16364->16365 16366 4d6a66 16364->16366 16381 4dce20 __vbaChkstk __vbaStrCopy __vbaStrCopy 16365->16381 16366->16365 16367 4d6c85 16366->16367 16371 4d6ca8 __vbaSetSystemError 16367->16371 16369 4d6b4a __vbaFreeStrList 16370 4d6bb5 16369->16370 16374 4d6b86 16369->16374 16372 4d6bd5 __vbaNew2 16370->16372 16376 4d6bee 16370->16376 16373 4d6c83 16371->16373 
16372->16376 16374->16370 16375 4d6c51 16374->16375 16377 4d6c74 __vbaSetSystemError 16375->16377 16378 4d6c18 __vbaHresultCheckObj 16376->16378 16379 4d6c32 16376->16379 16377->16373 16378->16379 16380 4d6c49 __vbaSetSystemError 16379->16380 16380->16373 16382 4dd75b __vbaFreeStr __vbaFreeStr 16381->16382 16382->16369 17686 475c20 __vbaChkstk 17687 475c75 __vbaOnError 17686->17687 17688 475ca1 __vbaObjSet 17687->17688 17689 475cc8 17688->17689 17690 475cd3 __vbaHresultCheckObj 17689->17690 17691 475ced __vbaObjSet 17689->17691 17690->17691 17693 475d30 17691->17693 17694 475d55 17693->17694 17695 475d3b __vbaHresultCheckObj 17693->17695 17696 475d80 __vbaHresultCheckObj 17694->17696 17697 475d9d 17694->17697 17695->17694 17698 475da4 __vbaStrI2 __vbaStrMove 17696->17698 17697->17698 17699 475dcc 17698->17699 17700 475dd7 __vbaHresultCheckObj 17699->17700 17701 475df4 17699->17701 17702 475dfb __vbaFreeStr __vbaFreeObjList 17700->17702 17701->17702 17703 475e35 __vbaObjSet 17702->17703 17704 475e4f __vbaObjSet __vbaObjSet 17703->17704 17708 4af970 __vbaChkstk __vbaAryConstruct2 __vbaAryConstruct2 __vbaOnError 17704->17708 17713 4afa0a 17708->17713 17709 4afa43 17816 4d3000 17709->17816 17713->17709 17786 4af6e0 17713->17786 17714 4afa9f __vbaObjSet 17717 4afaf1 17714->17717 17715 4afa83 __vbaNew2 17715->17714 17718 4afb02 __vbaHresultCheckObj 17717->17718 17719 4afb25 17717->17719 17718->17719 17720 4afb68 __vbaHresultCheckObj 17719->17720 17721 4afb8e 17719->17721 17722 4afb98 #581 17720->17722 17721->17722 17723 4afbd0 __vbaObjSet 17722->17723 17724 4afbb4 __vbaNew2 17722->17724 17726 4afc22 17723->17726 17724->17723 17727 4afc33 __vbaHresultCheckObj 17726->17727 17728 4afc56 17726->17728 17727->17728 17729 4afc99 __vbaHresultCheckObj 17728->17729 17730 4afcbf 17728->17730 17731 4afcc9 #581 17729->17731 17730->17731 17732 4afd01 __vbaObjSet 17731->17732 17733 4afce5 __vbaNew2 17731->17733 17735 4afd53 17732->17735 17733->17732 17736 4afd87 17735->17736 17737 
4afd64 __vbaHresultCheckObj 17735->17737 17738 4afdca __vbaHresultCheckObj 17736->17738 17739 4afdf0 17736->17739 17737->17736 17740 4afdfa #581 17738->17740 17739->17740 17741 4afe32 __vbaObjSet 17740->17741 17742 4afe16 __vbaNew2 17740->17742 17744 4afe84 17741->17744 17742->17741 17745 4afeb8 17744->17745 17746 4afe95 __vbaHresultCheckObj 17744->17746 17747 4afefb __vbaHresultCheckObj 17745->17747 17748 4aff21 17745->17748 17746->17745 17749 4aff2b #581 __vbaR8FixI4 __vbaR8FixI4 __vbaR8FixI4 __vbaR8FixI4 17747->17749 17748->17749 17836 414278 17749->17836 17787 4af74f 17786->17787 17788 4af6f6 17786->17788 17791 4af759 17787->17791 17792 4af7bc 17787->17792 17789 4af70a 17788->17789 17790 4af712 _adj_fdiv_m32i 17788->17790 17795 4af71d __vbaFPInt __vbaFpI4 17789->17795 17790->17795 17796 4af77b _adj_fdiv_m32i 17791->17796 17797 4af773 17791->17797 17793 4af81f 17792->17793 17794 4af7c6 17792->17794 17801 4af829 17793->17801 17802 4af892 17793->17802 17799 4af7e8 _adj_fdiv_m32i 17794->17799 17800 4af7e0 17794->17800 17795->17713 17798 4af786 __vbaFPInt __vbaFpI4 17796->17798 17797->17798 17798->17713 17803 4af7f3 __vbaFPInt __vbaFpI4 17799->17803 17800->17803 17804 4af84b _adj_fdiv_m32i 17801->17804 17805 4af843 17801->17805 17806 4af89c 17802->17806 17807 4af8f5 17802->17807 17803->17713 17809 4af856 __vbaFPInt __vbaFpI4 17804->17809 17805->17809 17810 4af8be _adj_fdiv_m32i 17806->17810 17811 4af8b6 17806->17811 17808 4af95f 17807->17808 17812 4af91e _adj_fdiv_m32i 17807->17812 17813 4af916 17807->17813 17808->17713 17809->17713 17814 4af8c9 __vbaFPInt __vbaFpI4 17810->17814 17811->17814 17815 4af929 __vbaFPInt __vbaFpI4 17812->17815 17813->17815 17814->17713 17815->17713 17817 4afa73 17816->17817 17821 4d301e 17816->17821 17817->17714 17817->17715 17818 4d306e __vbaFPFix 17819 4d3094 17818->17819 17820 4d30a0 __vbaR8FixI4 17818->17820 17819->17817 17819->17820 17822 4d30c2 17820->17822 17821->17817 17821->17818 17822->17822 17823 4d3141 17822->17823 17824 
4d3101 17822->17824 17827 4d3158 _adj_fdiv_m64 17823->17827 17828 4d3150 17823->17828 17825 4d311e _adj_fdivr_m64 17824->17825 17826 4d3116 __vbaR8FixI4 17824->17826 17825->17826 17838 4b86a0 __vbaFpI4 __vbaFpI4 __vbaFpI4 17826->17838 17827->17828 17828->17826 17830 4d318a _adj_fdiv_m32 17828->17830 17830->17826 17832 4d31e5 __vbaFpI4 __vbaFpI4 17839 4b67e0 #681 #681 __vbaI4Var __vbaFreeVarList 17832->17839 17834 4d320d 17834->17817 17835 4b86a0 __vbaFpI4 __vbaFpI4 __vbaFpI4 17834->17835 17835->17834 17837 414281 17836->17837 17838->17832 17840 4b68de 17839->17840 17840->17834 25675 478e20 __vbaChkstk __vbaOnError 25676 4b67e0 4 API calls 25675->25676 25677 478e8e 25676->25677 25678 4b66b0 4 API calls 25677->25678 25679 478eb1 25678->25679 25680 4b66b0 4 API calls 25679->25680 25681 478ed4 __vbaRedim __vbaRedim 25680->25681 25682 495f20 125 API calls 25681->25682 25683 478f3c __vbaObjSet 25682->25683 25685 478f90 25683->25685 25686 478fc7 25685->25686 25687 478fa1 __vbaHresultCheckObj 25685->25687 25688 478fd1 __vbaFpI4 __vbaFreeObj 25686->25688 25687->25688 25689 479004 __vbaObjSet 25688->25689 25690 479031 25689->25690 25691 479042 __vbaHresultCheckObj 25690->25691 25692 479068 25690->25692 25693 479072 __vbaFpI4 __vbaFreeObj 25691->25693 25692->25693 25698 4790ee 25693->25698 25694 479206 25695 47922f __vbaSetSystemError 25694->25695 25709 479235 25695->25709 25696 479359 __vbaAryDestruct __vbaAryDestruct 25698->25694 25700 47915f __vbaFpI4 25698->25700 25699 479253 __vbaSetSystemError __vbaAryLock __vbaAryLock __vbaAryLock 25699->25709 25700->25694 25701 479312 __vbaSetSystemError __vbaAryUnlock __vbaAryUnlock __vbaAryUnlock 25702 494500 420 API calls 25701->25702 25702->25709 25704 479374 __vbaObjSet 25704->25709 25705 4793af __vbaHresultCheckObj 25705->25709 25706 4793eb __vbaObjSet 25706->25709 25707 479429 __vbaHresultCheckObj 25707->25709 25708 479468 __vbaObjSet 25708->25709 25709->25696 25709->25699 25709->25701 25709->25704 25709->25705 25709->25706 
25709->25707 25709->25708 25710 4794a6 __vbaHresultCheckObj 25709->25710 25711 4794e5 __vbaObjSet 25709->25711 25713 479540 __vbaHresultCheckObj 25709->25713 25714 4795c4 #681 __vbaR4Var 25709->25714 25715 47962d __vbaHresultCheckObj 25709->25715 25716 47965a __vbaFreeObjList __vbaFreeVarList 25709->25716 25717 4b6da0 __vbaChkstk __vbaOnError #598 25709->25717 25710->25709 25712 479505 __vbaObjSet 25711->25712 25712->25709 25713->25709 25714->25709 25715->25716 25716->25709 25718 4b6e2f 25717->25718 25719 4b6e20 25717->25719 25720 4b6e3b __vbaSetSystemError 25718->25720 25719->25709 25720->25719 25721 4b6e6a 25720->25721 25721->25719 25722 4b6e83 Sleep 25721->25722 25722->25719 17841 444030 __vbaChkstk 17842 444085 __vbaOnError 17841->17842 17843 4440b1 __vbaObjSet 17842->17843 17844 4440cb __vbaObjSet __vbaObjSet __vbaCastObj __vbaObjSet 17843->17844 18048 4dc930 8 API calls 17844->18048 17846 444122 17847 44416f 17846->17847 17848 444149 __vbaHresultCheckObj 17846->17848 17849 444179 __vbaFreeObjList 17847->17849 17848->17849 17850 4441aa __vbaObjSet 17849->17850 17851 4441d3 17850->17851 17852 4441e4 __vbaHresultCheckObj 17851->17852 17853 444207 17851->17853 17852->17853 17854 444245 __vbaHresultCheckObj 17853->17854 17855 44426b 17853->17855 17856 444275 __vbaFreeObjList 17854->17856 17855->17856 17857 44429e __vbaObjSet 17856->17857 17858 4442c7 17857->17858 17859 4442d8 __vbaHresultCheckObj 17858->17859 17860 4442fb 17858->17860 17859->17860 17861 44435f 17860->17861 17862 444339 __vbaHresultCheckObj 17860->17862 17863 444369 __vbaFreeObjList 17861->17863 17862->17863 17864 444392 __vbaObjSet 17863->17864 17865 4443bb 17864->17865 17866 4443cc __vbaHresultCheckObj 17865->17866 17867 4443ef 17865->17867 17866->17867 17868 444453 17867->17868 17869 44442d __vbaHresultCheckObj 17867->17869 17870 44445d __vbaFreeObjList 17868->17870 17869->17870 17871 444486 __vbaObjSet 17870->17871 17872 4444af 17871->17872 17873 4444c0 __vbaHresultCheckObj 17872->17873 17874 
4444e3 17872->17874 17873->17874 17875 444547 17874->17875 17876 444521 __vbaHresultCheckObj 17874->17876 17877 444551 __vbaFreeObjList 17875->17877 17876->17877 17878 44457a __vbaObjSet 17877->17878 17879 4445a3 17878->17879 17880 4445b4 __vbaHresultCheckObj 17879->17880 17881 4445d7 17879->17881 17880->17881 17882 444615 __vbaHresultCheckObj 17881->17882 17883 44463b 17881->17883 17884 444645 __vbaFreeObjList 17882->17884 17883->17884 17885 44466e __vbaObjSet 17884->17885 17886 444697 17885->17886 17887 4446a8 __vbaHresultCheckObj 17886->17887 17888 4446cb 17886->17888 17887->17888 17889 44472f 17888->17889 17890 444709 __vbaHresultCheckObj 17888->17890 17891 444739 __vbaFreeObjList 17889->17891 17890->17891 17892 444762 __vbaObjSet 17891->17892 17893 44478b 17892->17893 17894 44479c __vbaHresultCheckObj 17893->17894 17895 4447bf 17893->17895 17894->17895 17896 444820 17895->17896 17897 4447fa __vbaHresultCheckObj 17895->17897 17898 44482a __vbaFreeObjList 17896->17898 17897->17898 17899 444853 __vbaObjSet 17898->17899 17900 44487c 17899->17900 17901 4448b0 17900->17901 17902 44488d __vbaHresultCheckObj 17900->17902 17903 444914 17901->17903 17904 4448ee __vbaHresultCheckObj 17901->17904 17902->17901 17905 44491e __vbaFreeObjList 17903->17905 17904->17905 17906 444947 __vbaObjSet 17905->17906 17907 444970 17906->17907 17908 4449a4 17907->17908 17909 444981 __vbaHresultCheckObj 17907->17909 17910 444a05 17908->17910 17911 4449df __vbaHresultCheckObj 17908->17911 17909->17908 17912 444a0f __vbaFreeObjList 17910->17912 17911->17912 17913 444a38 __vbaObjSet 17912->17913 17914 444a61 17913->17914 17915 444a95 17914->17915 17916 444a72 __vbaHresultCheckObj 17914->17916 17917 444af6 17915->17917 17918 444ad0 __vbaHresultCheckObj 17915->17918 17916->17915 17919 444b00 __vbaFreeObjList 17917->17919 17918->17919 17920 444b29 __vbaObjSet 17919->17920 17921 444b52 17920->17921 17922 444b86 17921->17922 17923 444b63 __vbaHresultCheckObj 17921->17923 17924 444bc4 
__vbaHresultCheckObj 17922->17924 17925 444bea 17922->17925 17923->17922 17926 444bf4 __vbaFreeObjList 17924->17926 17925->17926 17927 444c1d __vbaObjSet 17926->17927 17928 444c46 17927->17928 17929 444c57 __vbaHresultCheckObj 17928->17929 17930 444c7a 17928->17930 17929->17930 17931 444cde 17930->17931 17932 444cb8 __vbaHresultCheckObj 17930->17932 17933 444ce8 __vbaFreeObjList 17931->17933 17932->17933 17934 444d11 __vbaObjSet __vbaBoolStr #681 __vbaI2Var 17933->17934 17935 444d8a 17934->17935 17936 444dc1 17935->17936 17937 444d9b __vbaHresultCheckObj 17935->17937 17938 444dcb __vbaFreeObj __vbaFreeVarList 17936->17938 17937->17938 17939 444e05 __vbaObjSet __vbaI2Str 17938->17939 17940 444e37 17939->17940 17941 444e6e 17940->17941 17942 444e48 __vbaHresultCheckObj 17940->17942 17943 444e78 __vbaFreeObj __vbaI4Str 17941->17943 17942->17943 17944 444ea3 __vbaObjSet 17943->17944 17946 444ed3 __vbaObjSet 17944->17946 17947 444f00 17946->17947 17948 444f37 17947->17948 17949 444f11 __vbaHresultCheckObj 17947->17949 17950 444f41 __vbaObjSet __vbaCastObj __vbaObjSet 17948->17950 17949->17950 18054 4d70f0 12 API calls 17950->18054 17952 444f99 __vbaFreeObjList 17953 444fca __vbaObjSet __vbaBoolStr #681 __vbaI2Var 17952->17953 17954 445043 17953->17954 17955 445054 __vbaHresultCheckObj 17954->17955 17956 44507a 17954->17956 17957 445084 __vbaFreeObj __vbaFreeVarList 17955->17957 17956->17957 17958 4450be __vbaObjSet 17957->17958 17959 4450e6 17958->17959 17960 4450f7 __vbaHresultCheckObj 17959->17960 17961 44511d 17959->17961 17962 445127 __vbaFreeObj 17960->17962 17961->17962 17963 445146 __vbaObjSet 17962->17963 17964 44516e 17963->17964 17965 4451a5 17964->17965 17966 44517f __vbaHresultCheckObj 17964->17966 17967 4451af __vbaFreeObj 17965->17967 17966->17967 17968 4451ce __vbaObjSet 17967->17968 17969 4451f6 17968->17969 17970 445207 __vbaHresultCheckObj 17969->17970 17971 44522d 17969->17971 17972 445237 __vbaFreeObj 17970->17972 17971->17972 17973 445256 
__vbaObjSet 17972->17973 17974 44527e 17973->17974 17975 4452b5 17974->17975 17976 44528f __vbaHresultCheckObj 17974->17976 17977 4452bf __vbaFreeObj 17975->17977 17976->17977 17978 4452de __vbaObjSet 17977->17978 17979 445307 17978->17979 17980 445318 __vbaHresultCheckObj 17979->17980 17981 44533b 17979->17981 17980->17981 17982 44539f 17981->17982 17983 445379 __vbaHresultCheckObj 17981->17983 17984 4453a9 __vbaFreeObjList 17982->17984 17983->17984 17985 4453d2 __vbaObjSet 17984->17985 17986 4453fb 17985->17986 17987 44540c __vbaHresultCheckObj 17986->17987 17988 44542f 17986->17988 17987->17988 17989 445493 17988->17989 17990 44546d __vbaHresultCheckObj 17988->17990 17991 44549d __vbaFreeObjList 17989->17991 17990->17991 17992 4454c6 __vbaObjSet 17991->17992 17993 4454ef 17992->17993 17994 445500 __vbaHresultCheckObj 17993->17994 17995 445523 17993->17995 17994->17995 17996 445587 17995->17996 17997 445561 __vbaHresultCheckObj 17995->17997 17998 445591 __vbaFreeObjList 17996->17998 17997->17998 17999 4455ba __vbaObjSet 17998->17999 18000 4455e3 17999->18000 18001 4455f4 __vbaHresultCheckObj 18000->18001 18002 445617 18000->18002 18001->18002 18003 445655 __vbaHresultCheckObj 18002->18003 18004 44567b 18002->18004 18005 445685 __vbaFreeObjList 18003->18005 18004->18005 18006 4456ae __vbaObjSet 18005->18006 18007 4456d7 18006->18007 18008 4456e8 __vbaHresultCheckObj 18007->18008 18009 44570b 18007->18009 18008->18009 18010 44576f 18009->18010 18011 445749 __vbaHresultCheckObj 18009->18011 18012 445779 __vbaFreeObjList 18010->18012 18011->18012 18013 4457a2 __vbaObjSet 18012->18013 18014 4457cb 18013->18014 18015 4457dc __vbaHresultCheckObj 18014->18015 18016 4457ff 18014->18016 18015->18016 18017 445863 18016->18017 18018 44583d __vbaHresultCheckObj 18016->18018 18019 44586d __vbaFreeObjList 18017->18019 18018->18019 18020 445896 __vbaObjSet 18019->18020 18021 4458bf 18020->18021 18022 4458d0 __vbaHresultCheckObj 18021->18022 18023 4458f3 18021->18023 18022->18023 
18024 445957 18023->18024 18025 445931 __vbaHresultCheckObj 18023->18025 18026 445961 __vbaFreeObjList 18024->18026 18025->18026 18027 44598a __vbaObjSet 18026->18027 18028 4459b3 18027->18028 18029 4459c4 __vbaHresultCheckObj 18028->18029 18030 4459e7 18028->18030 18029->18030 18031 445a25 __vbaHresultCheckObj 18030->18031 18032 445a4b 18030->18032 18033 445a55 __vbaFreeObjList 18031->18033 18032->18033 18034 445a7e __vbaObjSet 18033->18034 18035 445aa7 18034->18035 18036 445ab8 __vbaHresultCheckObj 18035->18036 18037 445adb 18035->18037 18036->18037 18038 445b3f 18037->18038 18039 445b19 __vbaHresultCheckObj 18037->18039 18040 445b49 __vbaFreeObjList __vbaChkstk 18038->18040 18039->18040 18071 4a8010 __vbaVarDup #592 18040->18071 18042 445b98 __vbaObjSet 18044 445bc8 __vbaObjSet __vbaObjSet 18042->18044 18045 4af970 85 API calls 18044->18045 18046 445c01 __vbaFreeObjList 18045->18046 18047 445c59 18046->18047 18053 4dca14 18048->18053 18049 4dca29 __vbaChkstk __vbaLateMemCallLd __vbaVarTstEq __vbaFreeVar 18051 4dcaa5 18049->18051 18049->18053 18050 4dcac0 __vbaObjSetAddref 18052 4dcaee __vbaFreeObj __vbaFreeStr 18050->18052 18051->18050 18052->17846 18053->18049 18053->18050 18055 4d7265 18054->18055 18056 4d7274 #685 __vbaObjSet 18055->18056 18059 4d76cb __vbaFreeVar 18055->18059 18058 4d72a4 13 API calls 18056->18058 18058->18059 18060 4d73d7 6 API calls 18058->18060 18059->17952 18060->18059 18061 4d747b #685 __vbaObjSet 18060->18061 18062 4d74b2 18061->18062 18063 4d74e6 18062->18063 18064 4d74c3 __vbaHresultCheckObj 18062->18064 18065 4d74f0 __vbaFreeObj 18063->18065 18064->18065 18066 4d751d __vbaChkstk __vbaChkstk __vbaVarLateMemCallLdRf __vbaVarLateMemSt __vbaFreeVarList 18065->18066 18067 4d75c0 __vbaChkstk __vbaVarLateMemCallLd __vbaCheckTypeVar __vbaFreeVar 18065->18067 18066->18067 18067->18059 18068 4d763d __vbaChkstk __vbaVarLateMemCallLd __vbaCastObjVar __vbaObjSet 18067->18068 18069 4d70f0 18068->18069 18070 4d76b9 __vbaFreeObj __vbaFreeVar 
18069->18070 18070->18059 18072 4a82b9 __vbaI4Str 18071->18072 18073 4a8066 __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18071->18073 18074 4de3d0 53 API calls 18072->18074 18075 4b67e0 4 API calls 18073->18075 18077 4a82dd 18074->18077 18076 4a80c8 __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18075->18076 18078 4b67e0 4 API calls 18076->18078 18079 4b67e0 4 API calls 18077->18079 18080 4a813d __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18078->18080 18081 4a82e9 __vbaI4Str 18079->18081 18082 4b67e0 4 API calls 18080->18082 18083 4de3d0 53 API calls 18081->18083 18084 4a81b0 __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18082->18084 18085 4a830c 18083->18085 18087 4b67e0 4 API calls 18084->18087 18086 4b67e0 4 API calls 18085->18086 18088 4a831e __vbaI4Str 18086->18088 18089 4a8226 __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18087->18089 18090 4de3d0 53 API calls 18088->18090 18091 4b67e0 4 API calls 18089->18091 18092 4a8341 18090->18092 18093 4a829c __vbaFreeVarList 18091->18093 18094 4b67e0 4 API calls 18092->18094 18095 4a83ce 6 API calls 18093->18095 18096 4a8353 __vbaI4Str 18094->18096 18097 4a86af __vbaI4Str 18095->18097 18098 4a84a5 __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18095->18098 18100 4de3d0 53 API calls 18096->18100 18101 4de3d0 53 API calls 18097->18101 18099 4b67e0 4 API calls 18098->18099 18102 4a84ff __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18099->18102 18103 4a8376 18100->18103 18104 4a86d3 18101->18104 18105 4b67e0 4 API calls 18102->18105 18106 4b67e0 4 API calls 18103->18106 18107 4b67e0 4 API calls 18104->18107 18108 4a857b __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18105->18108 18109 4a8388 __vbaI4Str 18106->18109 18110 4a86e0 __vbaI4Str 18107->18110 18111 4b67e0 4 API calls 18108->18111 18112 4de3d0 53 API calls 18109->18112 18113 
4de3d0 53 API calls 18110->18113 18114 4a85fa __vbaFreeVarList __vbaVarLateMemCallLdRf __vbaVarLateMemCallLd __vbaI4Var 18111->18114 18115 4a83ab 18112->18115 18116 4a8710 18113->18116 18117 4b67e0 4 API calls 18114->18117 18118 4b67e0 4 API calls 18115->18118 18119 4b67e0 4 API calls 18116->18119 18121 4a867f __vbaFreeVarList 18117->18121 18122 4a83bd 18118->18122 18120 4a871a __vbaI4Str 18119->18120 18123 4de3d0 53 API calls 18120->18123 18124 4a87d4 __vbaFreeVar 18121->18124 18122->18095 18125 4a874a 18123->18125 18124->18042 18126 4b67e0 4 API calls 18125->18126 18127 4a8757 __vbaI4Str 18126->18127 18128 4de3d0 53 API calls 18127->18128 18129 4a8793 18128->18129 18130 4b67e0 4 API calls 18129->18130 18131 4a87a0 18130->18131 18131->18124 18132 45d0d0 18133 45d110 __vbaObjSet __vbaObjSet 18132->18133 18138 4b0e60 __vbaObjSetAddref 18133->18138 18136 45d152 __vbaFreeObjList 18137 45d172 18136->18137 18139 4b1012 18138->18139 18140 4b0eb2 18138->18140 18145 4b1028 __vbaHresultCheckObj 18139->18145 18146 4b103d #581 __vbaFpI4 __vbaFpI4 __vbaFpI4 18139->18146 18141 4b0eb9 18140->18141 18142 4b0f63 18140->18142 18143 4b10b7 __vbaObjSetAddref 18141->18143 18152 4b0eeb #581 __vbaFpI4 __vbaFpI4 __vbaFpI4 18141->18152 18153 4b0ed6 __vbaHresultCheckObj 18141->18153 18147 4b0f79 __vbaHresultCheckObj 18142->18147 18148 4b0f8e #581 18142->18148 18144 4b10de __vbaFreeObj 18143->18144 18144->18136 18145->18146 18149 4b67e0 4 API calls 18146->18149 18147->18148 18167 4b66b0 18148->18167 18150 4b106c __vbaStrI4 __vbaStrMove 18149->18150 18156 4b1089 18150->18156 18155 4b67e0 4 API calls 18152->18155 18153->18152 18158 4b0f1a __vbaStrI4 __vbaStrMove 18155->18158 18159 4b108f __vbaHresultCheckObj 18156->18159 18160 4b1005 18156->18160 18163 4b0f37 18158->18163 18159->18160 18162 4b10ac __vbaFreeStrList 18160->18162 18161 4b0fd4 __vbaStrMove 18164 4b0fea 18161->18164 18162->18143 18163->18160 18165 4b0f41 __vbaHresultCheckObj 18163->18165 18164->18160 18166 4b0ff0 
__vbaHresultCheckObj 18164->18166 18165->18162 18166->18160 18168 4b670e #681 18167->18168 18170 4b6756 #681 __vbaR4Var __vbaFreeVarList 18168->18170 18172 4b0fa9 18170->18172 18173 4c2070 8 API calls 18172->18173 18174 4c213b __vbaFreeVar 18173->18174 18174->18161 18741 43e8b0 __vbaChkstk 18742 43e905 __vbaOnError __vbaObjSetAddref 18741->18742 18790 4b39e0 __vbaChkstk __vbaStrCopy __vbaOnError 18742->18790 18744 43e93e __vbaFreeObj 18745 43e95d __vbaObjSet 18744->18745 18746 43e98a 18745->18746 18747 43e9c1 18746->18747 18748 43e99b __vbaHresultCheckObj 18746->18748 18749 43e9f2 __vbaHresultCheckObj 18747->18749 18750 43ea15 18747->18750 18748->18747 18749->18750 18751 43ea46 __vbaHresultCheckObj 18750->18751 18752 43ea69 __vbaObjSet 18750->18752 18751->18752 18754 43eaac 18752->18754 18755 43eae0 18754->18755 18756 43eabd __vbaHresultCheckObj 18754->18756 18757 43eb45 __vbaHresultCheckObj 18755->18757 18758 43eb68 18755->18758 18756->18755 18759 43eb72 __vbaFreeObjList 18757->18759 18758->18759 18760 43eb9f 18759->18760 18761 43ebd0 18760->18761 18762 43ebb0 __vbaHresultCheckObj 18760->18762 18763 43ebda __vbaChkstk 18761->18763 18762->18763 18804 4de2e0 __vbaStrCopy __vbaStrCopy __vbaVarDup __vbaStrCopy 18763->18804 18765 43ec28 __vbaStrMove __vbaChkstk 18766 4de2e0 49 API calls 18765->18766 18767 43ec81 __vbaStrMove 18766->18767 18768 43eca2 __vbaObjSet 18767->18768 18769 43ecc2 __vbaObjSet 18768->18769 18770 43ecec 18769->18770 18771 43ed23 18770->18771 18772 43ecfd __vbaHresultCheckObj 18770->18772 18773 43ed2d __vbaLenBstr #681 __vbaStrVarVal 18771->18773 18772->18773 18774 43edae 18773->18774 18775 43ede5 18774->18775 18776 43edbf __vbaHresultCheckObj 18774->18776 18777 43edef __vbaFreeStr __vbaFreeObjList __vbaFreeVarList 18775->18777 18776->18777 18778 43ee38 __vbaObjSet 18777->18778 18779 43ee58 __vbaObjSet 18778->18779 18780 43ee82 18779->18780 18781 43ee93 __vbaHresultCheckObj 18780->18781 18782 43eeb9 18780->18782 18783 43eec3 __vbaLenBstr #681 
#581 __vbaFreeStr 20660->20662 20664 4de3d0 53 API calls 20661->20664 20663 4b0ce0 15 API calls 20662->20663 20665 4a7bbe __vbaStrMove #581 __vbaFpI4 __vbaFreeStr 20663->20665 20666 4a746e __vbaI4Str 20664->20666 20667 4b0ce0 15 API calls 20665->20667 20668 4de3d0 53 API calls 20666->20668 20669 4a7bf6 __vbaStrMove #581 __vbaFpI4 __vbaFreeStr 20667->20669 20670 4a749c __vbaI4Str 20668->20670 20671 4b0ce0 15 API calls 20669->20671 20672 4de3d0 53 API calls 20670->20672 20673 4a7c2e __vbaStrMove #581 __vbaFpI4 __vbaFreeStr 20671->20673 20674 4a74ca __vbaI4Str 20672->20674 20675 4b0ce0 15 API calls 20673->20675 20676 4de3d0 53 API calls 20674->20676 20677 4a7c66 __vbaStrMove #581 __vbaFpI4 __vbaFreeStr 20675->20677 20678 4a74f8 __vbaI4Str 20676->20678 20679 4b0ce0 15 API calls 20677->20679 20680 4de3d0 53 API calls 20678->20680 20681 4a7c9e __vbaStrMove #581 __vbaFreeStr 20679->20681 20682 4a7533 20680->20682 20683 4a8800 239 API calls 20681->20683 20684 4a8800 239 API calls 20682->20684 20686 4a7cde 20683->20686 20685 4a755a __vbaFreeVar 20684->20685 20689 4a7574 20685->20689 20687 4b0ce0 15 API calls 20686->20687 20688 4a7cf0 __vbaStrMove #581 20687->20688 20690 4a7d0f __vbaFreeStr 20688->20690 20692 4a7d6a __vbaFreeStr 20689->20692 20857 4b4090 __vbaChkstk __vbaStrCopy __vbaOnError 20690->20857 20692->20506 20695 4d25c8 __vbaStrI4 __vbaStrMove 20694->20695 20696 4d26db 20694->20696 20867 4d7870 9 API calls 20695->20867 20697 4d7870 105 API calls 20696->20697 20699 4d26f8 20697->20699 20701 4d7870 105 API calls 20699->20701 20700 4d25f9 __vbaFreeStr __vbaStrI4 __vbaStrMove 20702 4d7870 105 API calls 20700->20702 20703 4d2715 20701->20703 20704 4d2633 __vbaFreeStr __vbaStrI4 __vbaStrMove 20702->20704 20705 4d7870 105 API calls 20703->20705 20706 4d7870 105 API calls 20704->20706 20707 4d2732 20705->20707 20708 4d2668 __vbaFreeStr __vbaStrI4 __vbaStrMove 20706->20708 20710 4d7870 105 API calls 20707->20710 20709 4d7870 105 API calls 20708->20709 20711 4d269d 
__vbaFreeStr __vbaStrI4 __vbaStrMove 20709->20711 20712 4d274f 20710->20712 20713 4d7870 105 API calls 20711->20713 20714 4d7870 105 API calls 20712->20714 20715 4d26d2 __vbaFreeStr 20713->20715 20716 4d276c 20714->20716 20715->20696 20717 4d7870 105 API calls 20716->20717 20718 4d2789 20717->20718 20719 4d7870 105 API calls 20718->20719 20720 4d27a6 20719->20720 20721 4d7870 105 API calls 20720->20721 20722 4d27c3 20721->20722 20723 4d7870 105 API calls 20722->20723 20724 4d27e0 20723->20724 20725 4d2aa2 20724->20725 20726 4d7870 105 API calls 20724->20726 20727 4d7870 105 API calls 20725->20727 20728 4d2810 20726->20728 20729 4d2abf 20727->20729 20730 4d7870 105 API calls 20728->20730 20731 4d7870 105 API calls 20729->20731 20732 4d282d 20730->20732 20733 4d2adc 20731->20733 20734 4d7870 105 API calls 20732->20734 20735 4d7870 105 API calls 20733->20735 20736 4d284a 20734->20736 20737 4d2af9 20735->20737 20738 4d7870 105 API calls 20736->20738 20739 4d7870 105 API calls 20737->20739 20740 4d2867 20738->20740 20741 4d2b16 20739->20741 20742 4d7870 105 API calls 20740->20742 20743 4d7870 105 API calls 20741->20743 20744 4d2884 20742->20744 20745 4d2b33 20743->20745 20746 4d7870 105 API calls 20744->20746 20747 4d7870 105 API calls 20745->20747 20748 4d28a1 20746->20748 20749 4d2b50 20747->20749 20750 4d7870 105 API calls 20748->20750 20751 4d7870 105 API calls 20749->20751 20752 4d28bb 20750->20752 20753 4d2b6d 20751->20753 20754 4d7870 105 API calls 20752->20754 20755 4d7870 105 API calls 20753->20755 20756 4d28d8 20754->20756 20757 4d2b8a 20755->20757 20758 4d7870 105 API calls 20756->20758 20759 4d7870 105 API calls 20757->20759 20760 4d28f5 20758->20760 20761 4d2ba7 20759->20761 20762 4d7870 105 API calls 20760->20762 20763 4d7870 105 API calls 20761->20763 20764 4d2912 20762->20764 20765 4d2bc4 20763->20765 20766 4d7870 105 API calls 20764->20766 20767 4d7870 105 API calls 20765->20767 20768 4d292f 20766->20768 20769 4d2be1 20767->20769 20770 4d7870 105 API 
calls 20768->20770 20771 4d7870 105 API calls 20769->20771 20772 4d294c 20770->20772 20773 4d2bfe 20771->20773 20774 4d7870 105 API calls 20772->20774 20775 4d7870 105 API calls 20773->20775 20776 4d2969 20774->20776 20777 4d2c1b 20775->20777 20778 4d7870 105 API calls 20776->20778 20779 4d7870 105 API calls 20777->20779 20780 4d2983 20778->20780 20781 4d2c38 20779->20781 20782 4d7870 105 API calls 20780->20782 20783 4d7870 105 API calls 20781->20783 20784 4d299d 20782->20784 20785 4d2c55 20783->20785 20786 4d7870 105 API calls 20784->20786 20787 4d7870 105 API calls 20785->20787 20788 4d29ba 20786->20788 20789 4d2c72 20787->20789 20790 4d7870 105 API calls 20788->20790 20791 4d7870 105 API calls 20789->20791 20792 4d29d7 20790->20792 20793 4d2c8f 20791->20793 20794 4d7870 105 API calls 20792->20794 20795 4d7870 105 API calls 20793->20795 20796 4d29f4 20794->20796 20797 4d2cac 20795->20797 20798 4d7870 105 API calls 20796->20798 20799 4d7870 105 API calls 20797->20799 20800 4d2a11 20798->20800 20801 4d2cc9 20799->20801 20802 4d7870 105 API calls 20800->20802 20803 4d7870 105 API calls 20801->20803 20804 4d2a2e 20802->20804 20805 4d2ce6 20803->20805 20806 4d7870 105 API calls 20804->20806 20807 4d7870 105 API calls 20805->20807 20808 4d2a4b 20806->20808 20809 4d2d03 20807->20809 20810 4d7870 105 API calls 20808->20810 20811 4d7870 105 API calls 20809->20811 20812 4d2a68 20810->20812 20813 4d2d20 20811->20813 20814 4d7870 105 API calls 20812->20814 20815 4d7870 105 API calls 20813->20815 20816 4d2a85 20814->20816 20817 4d2d3d 20815->20817 20818 4d7870 105 API calls 20816->20818 20819 4d7870 105 API calls 20817->20819 20818->20725 20820 4d2d5a 20819->20820 20821 4d7870 105 API calls 20820->20821 20822 4d2d77 20821->20822 20823 4d7870 105 API calls 20822->20823 20824 4d2d94 20823->20824 20825 4d7870 105 API calls 20824->20825 20826 4d2db1 20825->20826 20827 4d7870 105 API calls 20826->20827 20828 4d2dce 20827->20828 20829 4d7870 105 API calls 20828->20829 20830 4d2deb 
20829->20830 20831 4d7870 105 API calls 20830->20831 20832 4d2e08 20831->20832 20833 4d7870 105 API calls 20832->20833 20834 4d2e25 20833->20834 20835 4d7870 105 API calls 20834->20835 20836 4d2e42 20835->20836 20837 4d7870 105 API calls 20836->20837 20838 4d2e5f 20837->20838 20839 4d7870 105 API calls 20838->20839 20840 4d2e7c 20839->20840 20841 4d7870 105 API calls 20840->20841 20842 4d2e99 20841->20842 20843 4d2eaa __vbaStrCopy 20842->20843 20844 4d2ecf __vbaFreeStr 20843->20844 20844->20511 20846 49e1de 20845->20846 20847 4a022a __vbaStrMove 20845->20847 20848 49e40a 32 API calls 20846->20848 20849 49e2f0 34 API calls 20846->20849 20850 49e1e5 32 API calls 20846->20850 20851 49e515 34 API calls 20846->20851 20847->20547 20852 4a005c __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 20848->20852 20855 49fb1c __vbaStrCat __vbaStrMove 20849->20855 20854 4a01c3 __vbaStrCat __vbaStrMove 20850->20854 20853 4a01d2 __vbaStrCat __vbaStrMove 20851->20853 20856 4a021f __vbaFreeStrList 20852->20856 20853->20856 20854->20853 20855->20856 20856->20847 20866 4b410e 20857->20866 20858 4b4200 __vbaFreeStr 20858->20689 20860 4b0ce0 15 API calls 20861 4b413d __vbaStrMove #581 __vbaFreeStr 20860->20861 20862 4b0ce0 15 API calls 20861->20862 20863 4b4182 __vbaStrMove #581 __vbaFreeStr 20862->20863 20864 4b0ce0 15 API calls 20863->20864 20865 4b41c7 __vbaStrMove #581 __vbaFpI4 __vbaFreeStr 20864->20865 20865->20866 20866->20858 20866->20860 20873 4b4820 14 API calls 20867->20873 20869 4d7986 __vbaStrMove 20870 4b5dc0 38 API calls 20869->20870 20871 4d79c8 __vbaFreeStr __vbaFreeVar 20870->20871 20872 4d79f4 __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaFreeStr 20871->20872 20872->20700 20874 4b4978 10 API calls 20873->20874 20875 4b4a56 6 API calls 20873->20875 20874->20875 20876 4b4c0d __vbaFreeVar __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaFreeStr 20875->20876 20877 4b4ac6 8 API calls 20875->20877 20876->20869 20877->20876 20878 4b4b6b __vbaStrCat __vbaStrMove __vbaLenBstr 
__vbaFreeStr __vbaInStr 20877->20878 20878->20876 20880 4b4bd0 #631 __vbaStrMove __vbaFreeVar 20878->20880 20880->20876 16211 408df4 #100 16212 4ad590 __vbaChkstk __vbaOnError 16362 4153e4 16212->16362 16363 4153ed 16362->16363 16177 43f1a0 __vbaChkstk 16178 43f1f5 7 API calls 16177->16178 16179 43f268 16178->16179 16180 43f273 __vbaHresultCheckObj 16179->16180 16181 43f28d 16179->16181 16182 43f294 __vbaFreeStrList __vbaCastObj __vbaObjSet 16180->16182 16181->16182 16201 4d6fd0 __vbaChkstk __vbaOnError 16182->16201 16185 43f2f6 __vbaObjSet 16186 43f317 16185->16186 16187 43f322 __vbaHresultCheckObj 16186->16187 16188 43f33f 16186->16188 16189 43f346 __vbaFreeObj 16187->16189 16188->16189 16209 415304 16189->16209 16202 4d70b8 16201->16202 16203 4d7037 16201->16203 16204 4d70d3 __vbaSetSystemError 16202->16204 16206 4d707b 16203->16206 16207 4d7061 __vbaHresultCheckObj 16203->16207 16205 43f2d7 __vbaFreeObj 16204->16205 16205->16185 16208 4d70a4 __vbaSetSystemError 16206->16208 16207->16206 16208->16205 16210 41530d 16209->16210

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,Advanced,Adv_SpfxCycle,00000000), ref: 004A6DBE
                                              • __vbaOnError.MSVBVM60(000000FF,00000000,6C31CB0D,?,00000000,00408966,Advanced), ref: 004A6DEE
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966), ref: 004DE3EE
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE41B
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE427
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE433
                                                • Part of subcall function 004DE3D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004DE442
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(004088C0,?), ref: 004DE469
                                                • Part of subcall function 004DE3D0: __vbaStrMove.MSVBVM60(?,?,004088C0,?), ref: 004DE499
                                                • Part of subcall function 004DE3D0: #561.MSVBVM60(00004008), ref: 004DE4B7
                                                • Part of subcall function 004DE3D0: __vbaI4Str.MSVBVM60(?), ref: 004DE4CF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60(004DE511), ref: 004DE4EF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE4F8
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE501
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE50A
                                                • Part of subcall function 004B9CC0: __vbaChkstk.MSVBVM60(?,00408966,00000000,00000001,Light,?,00000000,00408966,Advanced), ref: 004B9CDE
                                                • Part of subcall function 004B9CC0: __vbaOnError.MSVBVM60(000000FF,00000000,6C31CB0D,?,?,00408966,00000000), ref: 004B9D0E
                                                • Part of subcall function 004B9CC0: __vbaStrCopy.MSVBVM60(?,?,00408966,00000000), ref: 004B9D23
                                                • Part of subcall function 004B9CC0: #593.MSVBVM60(0000000A), ref: 004B9D87
                                                • Part of subcall function 004B9CC0: __vbaR8IntI4.MSVBVM60 ref: 004B9D93
                                                • Part of subcall function 004B9CC0: __vbaFreeVar.MSVBVM60 ref: 004B9D9F
                                              • __vbaStrMove.MSVBVM60(?,00000002,DirectX,DX_FilterIndex,00000000,00000001,Light,?,00000000,00408966,Advanced), ref: 004A6E26
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A6E2F
                                              • __vbaI4Str.MSVBVM60(750,00000001,Light,?,00000000,00408966,Advanced), ref: 004A6E59
                                              • __vbaI4Str.MSVBVM60(6000,00000001,Light,Light,OrbTotal,00000000,?,00000000,00408966,Advanced), ref: 004A6E87
                                              • __vbaFpI4.MSVBVM60(Light,OrbStars,00000000,?,00000000,00408966,Advanced), ref: 004A6EA6
                                              • __vbaI4Str.MSVBVM60(200,00000001,Light,?,00000000,00408966,Advanced), ref: 004A6EC4
                                              • __vbaI4Str.MSVBVM60(3000,00000001,Light,Light,OrbBiasCore,00000000,?,00000000,00408966,Advanced), ref: 004A6EF9
                                              • __vbaI4Str.MSVBVM60(0041309C,00000001,Light,Light,OrbStarLife,00000000,?,00000000,00408966,Advanced), ref: 004A6F2E
                                              • __vbaI4Str.MSVBVM60(750,00000001,Light,Light,OrbHueWedge,00000000,?,00000000,00408966,Advanced), ref: 004A6F63
                                              • __vbaI4Str.MSVBVM60(100,00000001,Light,Light,OrbStarVeloc,00000000,?,00000000,00408966,Advanced), ref: 004A6F98
                                              • __vbaI4Str.MSVBVM60(400,00000001,Light,Light,OrbRadCoreMul,00000000,?,00000000,00408966,Advanced), ref: 004A6FCD
                                              • __vbaI4Str.MSVBVM60(0041309C,00000001,Light,Light,OrbRadiusMax,00000000,?,00000000,00408966,Advanced), ref: 004A7002
                                              • __vbaI4Str.MSVBVM60(00413140,00000001,Light,Light,OrbRadiusExp,00000000,?,00000000,00408966,Advanced), ref: 004A7037
                                              • __vbaI4Str.MSVBVM60(004130B4,00000001,Light,Light,BlendMul,00000000,?,00000000,00408966,Advanced), ref: 004A7065
                                              • __vbaI4Str.MSVBVM60(004130C0,00000001,Light,Light,StarPattern,00000000,?,00000000,00408966,Advanced), ref: 004A7093
                                              • __vbaI4Str.MSVBVM60(004130C8,00000001,Light,Light,ColorScheme,00000000,?,00000000,00408966,Advanced), ref: 004A70C1
                                              • __vbaI4Str.MSVBVM60(004130D0,00000001,Light,Light,OrbDistType,00000000,?,00000000,00408966,Advanced), ref: 004A70EF
                                              • __vbaI4Str.MSVBVM60(400,00000001,Light,Light,SymmetryType,00000000,?,00000000,00408966,Advanced), ref: 004A711D
                                              • __vbaI4Str.MSVBVM60(250,00000001,Light,Light,BurstFrames,00000000,?,00000000,00408966,Advanced), ref: 004A714B
                                              • __vbaI4Str.MSVBVM60(004130E4,00000001,Light,Light,BurstSpeed,00000000,?,00000000,00408966,Advanced), ref: 004A7186
                                              • __vbaI4Str.MSVBVM60(004130F0,00000001,Light,Light,BurstBiasCore,00000000,?,00000000,00408966,Advanced), ref: 004A71C1
                                              • __vbaI4Str.MSVBVM60(004130FC,00000001,Light,Light,VisitUniOrbs,00000000,?,00000000,00408966,Advanced), ref: 004A71EF
                                              • __vbaI4Str.MSVBVM60(140,00000001,Light,Light,HaloPercent,00000000,?,00000000,00408966,Advanced), ref: 004A721D
                                              • __vbaI4Str.MSVBVM60(0041309C,00000001,Light,Light,HaloRadExp,00000000,?,00000000,00408966,Advanced), ref: 004A7258
                                              • __vbaI4Str.MSVBVM60(0041309C,00000001,Light,Light,HaloBright,00000000,?,00000000,00408966,Advanced), ref: 004A7286
                                              • __vbaI4Str.MSVBVM60(150,00000001,Light,Light,HaloHueOff,00000000,?,00000000,00408966,Advanced), ref: 004A72B4
                                              • __vbaI4Str.MSVBVM60(200,00000001,Light,Light,HaloRadMul,00000000,?,00000000,00408966,Advanced), ref: 004A72EF
                                              • __vbaI4Str.MSVBVM60(00413110,00000001,Light,Light,HaloVelocity,00000000,?,00000000,00408966,Advanced), ref: 004A732A
                                              • __vbaI4Str.MSVBVM60(400,00000001,Light,Light,SplineCtrlPts,00000000,?,00000000,00408966,Advanced), ref: 004A7358
                                              • __vbaI4Str.MSVBVM60(0041311C,00000001,Light,Light,SplineCtrlStp,00000000,?,00000000,00408966,Advanced), ref: 004A7386
                                              • __vbaI4Str.MSVBVM60(8800,00000001,Light,Light,SplineBiasPts,00000000,?,00000000,00408966,Advanced), ref: 004A73B4
                                              • __vbaI4Str.MSVBVM60(00412B2C,00000001,Light,Light,SplineBiasExp,00000000,?,00000000,00408966,Advanced), ref: 004A73EF
                                              • __vbaI4Str.MSVBVM60(004130C8,00000001,Light,Light,SplineBiasSpd,00000000,?,00000000,00408966,Advanced), ref: 004A742A
                                              • __vbaI4Str.MSVBVM60(004130FC,00000001,Light,Light,SplineNebArcs,00000000,?,00000000,00408966,Advanced), ref: 004A7458
                                              • __vbaI4Str.MSVBVM60(00413138,00000001,Light,Light,ControlVector,00000000,?,00000000,00408966,Advanced), ref: 004A7486
                                              • __vbaI4Str.MSVBVM60(400,00000001,Light,Light,ControlOrbs,00000000,?,00000000,00408966,Advanced), ref: 004A74B4
                                              • __vbaI4Str.MSVBVM60(004130F0,00000001,Light,Light,ControlFrames,00000000,?,00000000,00408966,Advanced), ref: 004A74E2
                                              • __vbaFreeVar.MSVBVM60(00000001,00000000), ref: 004A755D
                                              • __vbaI4Str.MSVBVM60(004130C8,00000001,Light,Light,TravelZRotAng,00000000,?,00000000,00408966,Advanced), ref: 004A751D
                                                • Part of subcall function 004A8800: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966,Advanced), ref: 004A881E
                                                • Part of subcall function 004A8800: __vbaOnError.MSVBVM60(000000FF,00000000,6C31CB0D,?,00000000,00408966), ref: 004A884E
                                                • Part of subcall function 004A8800: #563.MSVBVM60(00000000,?,00000000,00408966), ref: 004A885F
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(100,00000001,Light,?,00000000,00408966), ref: 004A8881
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(00412AD0,00000001,Light,GenColor,HWC_ConeBright,00000000,?,00000000,00408966), ref: 004A88AF
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(200,00000001,Light,GenColor,HWC_ConeBlack,00000000,?,00000000,00408966), ref: 004A88DD
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(00412AE8,00000001,Light,GenColor,HWC_ConeBBias,00000000,?,00000000,00408966), ref: 004A890B
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(100,00000001,Light,GenColor,HWC_ConeTwist,00000000,?,00000000,00408966), ref: 004A8939
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(150,00000001,Light,GenColor,HWC_WedgeMin,00000000,?,00000000,00408966), ref: 004A8967
                                                • Part of subcall function 004A8800: __vbaI4Str.MSVBVM60(7200,00000001,Light,GenColor,HWC_WedgeMax,00000000,?,00000000,00408966), ref: 004A8995
                                              • __vbaStrMove.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A758E
                                              • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,00408966,Advanced), ref: 004A75AB
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A75B2
                                              • __vbaFpI4.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A75B8
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A75C6
                                              • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,00408966,Advanced), ref: 004A75E3
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A75EA
                                              • __vbaFpI4.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A75F6
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A7604
                                              • __vbaStrMove.MSVBVM60(?,00000002,?,00000000,00408966,Advanced), ref: 004A7621
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A7628
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A7637
                                              • __vbaStrMove.MSVBVM60(?,00000003,?,00000000,00408966,Advanced), ref: 004A7654
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A765B
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A766A
                                              • __vbaStrMove.MSVBVM60(?,00000004,?,00000000,00408966,Advanced), ref: 004A7687
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A768E
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A769D
                                              • __vbaStrMove.MSVBVM60(?,00000005,?,00000000,00408966,Advanced), ref: 004A76BA
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A76C1
                                              • __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A76D0
                                              • __vbaStrMove.MSVBVM60(?,00000006,?,00000000,00408966,Advanced), ref: 004A76ED
                                              • #581.MSVBVM60(00000000,?,00000000,00408966,Advanced), ref: 004A76F4
                                              • __vbaFreeStr.MSVBVM60(004A7D74,?,00000047), ref: 004A7D6D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmpDownload File
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$#581$Chkstk$CopyError$#561#563#593
                                              • String ID: 100$140$150$200$250$3000$400$6000$750$8800$BlendMul$BurstBiasCore$BurstFrames$BurstSpeed$ColorScheme$ControlFrames$ControlOrbs$ControlVector$CyclePropsRegToArrays$DX_FilterIndex$DirectX$HaloBright$HaloHueOff$HaloPercent$HaloRadExp$HaloRadMul$HaloVelocity$Light$LightCycleProps$OrbBiasCore$OrbDistType$OrbHueWedge$OrbRadCoreMul$OrbRadiusExp$OrbRadiusMax$OrbStarLife$OrbStarVeloc$OrbStars$OrbTotal$P$SplineBiasExp$SplineBiasPts$SplineBiasSpd$SplineCtrlPts$SplineCtrlStp$SplineNebArcs$StarPattern$SymmetryType$TravelZRotAng$VisitUniOrbs
                                              • API String ID: 4290532669-464978509
                                              • Opcode ID: f88acb0db080fec2fe3995601cf7835d5d6ad1e6e4a0a46aa48efdd1c1e54478
                                              • Instruction ID: 4b1cfcd6e8d5cc505c0287cbd4999e9e48e77ec48ae02fca3e77b0d7d6064d53
                                              • Opcode Fuzzy Hash: f88acb0db080fec2fe3995601cf7835d5d6ad1e6e4a0a46aa48efdd1c1e54478
                                              • Instruction Fuzzy Hash: C2923D71A40204EFDB10EFA0DE59BDE7BB4FF58746F20416AF501B61A1CBB85A90CB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • __vbaStrCat.MSVBVM60( 19, 2, 0, 1, , 96, , , , , , 750, 6000, 200, 3000, 30, 750, 100, 400, 30, , ,00000000,6C31CB0D), ref: 0049E1F5
                                              • __vbaStrMove.MSVBVM60 ref: 0049E202
                                              • __vbaStrCat.MSVBVM60( 400, 250, 50, 15, , , , , , , ,00000000), ref: 0049E20A
                                              • __vbaStrMove.MSVBVM60 ref: 0049E211
                                              • __vbaStrCat.MSVBVM60( 3, 140, 30, 30, 150, 200, , , , , ,00000000), ref: 0049E219
                                              • __vbaStrMove.MSVBVM60 ref: 0049E220
                                              • __vbaStrCat.MSVBVM60( 16, 400, 12, 8800, 10, 0, , , , , ,00000000), ref: 0049E228
                                              • __vbaStrMove.MSVBVM60 ref: 0049E22F
                                              • __vbaStrCat.MSVBVM60( 3, 4, 400, 15, , , , , , , ,00000000), ref: 0049E237
                                              • __vbaStrMove.MSVBVM60 ref: 0049E23E
                                              • __vbaStrCat.MSVBVM60( 100, 25, 200, 45, , 100, 150, 7200, 30000, 235, ,00000000), ref: 0049E246
                                              • __vbaStrMove.MSVBVM60 ref: 0049E24D
                                              • __vbaStrCat.MSVBVM60( 1, 3000, 3000, 6000, ,00000000), ref: 0049E255
                                              • __vbaStrMove.MSVBVM60 ref: 0049E25C
                                              • __vbaStrCat.MSVBVM60( 100, 100, 6000, ,00000000), ref: 0049E264
                                              • __vbaStrMove.MSVBVM60 ref: 0049E26B
                                              • __vbaStrCat.MSVBVM60( 400, 1000, 9600, ,00000000), ref: 0049E273
                                              • __vbaStrMove.MSVBVM60 ref: 0049E27A
                                              • __vbaStrCat.MSVBVM60( 200, 25, 17500, ,00000000), ref: 0049E282
                                              • __vbaStrMove.MSVBVM60 ref: 0049E289
                                              • __vbaStrCat.MSVBVM60( 2, 3, 16000, ,00000000), ref: 0049E291
                                              • __vbaStrMove.MSVBVM60 ref: 0049E298
                                              • __vbaStrCat.MSVBVM60( 30, 30, 6000, ,00000000), ref: 0049E2A0
                                              • __vbaStrMove.MSVBVM60 ref: 0049E2A7
                                              • __vbaStrCat.MSVBVM60( 30, 30, 4200, ,00000000), ref: 0049E2AF
                                              • __vbaStrMove.MSVBVM60 ref: 0049E2B6
                                              • __vbaStrCat.MSVBVM60( 250, 150, 9200, ,00000000), ref: 0049E2BE
                                              • __vbaStrMove.MSVBVM60 ref: 0049E2C5
                                              • __vbaStrCat.MSVBVM60( 7000, 9999, 12500, ,00000000), ref: 0049E2CD
                                              • __vbaStrMove.MSVBVM60 ref: 0049E2D4
                                              • __vbaStrCat.MSVBVM60( 15, 5, 13600, ,00000000), ref: 0049E2DC
                                              • __vbaStrMove.MSVBVM60 ref: 0049E2E3
                                              • __vbaStrCat.MSVBVM60( 17, 2, 4, 1, , 96, , , , , , 600, 5000, 240, 3000, 45, 1000, 0, 300, 25, , ,004A0291), ref: 0049E300
                                              • __vbaStrMove.MSVBVM60 ref: 0049E30D
                                              • __vbaStrCat.MSVBVM60( 300, 250, 25, 8, , , , , , , ,00000000), ref: 0049E315
                                              • __vbaStrMove.MSVBVM60 ref: 0049E31C
                                              • __vbaStrCat.MSVBVM60( 10, 140, 25, 30, 170, 500, , , , , ,00000000), ref: 0049E324
                                              • __vbaStrMove.MSVBVM60 ref: 0049E32B
                                              • __vbaStrCat.MSVBVM60( 8, 1500, 12, 1000, 15, 0, , , , , ,00000000), ref: 0049E333
                                              • __vbaStrMove.MSVBVM60 ref: 0049E33A
                                              • __vbaStrCat.MSVBVM60( 3, 4, 250, 15, , , , , , , ,00000000), ref: 0049E342
                                              • __vbaStrMove.MSVBVM60 ref: 0049E349
                                              • __vbaStrCat.MSVBVM60( 100, 20, 200, 30, , 150, 240, 5000, 21000, 300, ,00000000), ref: 0049E351
                                              • __vbaStrMove.MSVBVM60 ref: 0049E358
                                              • __vbaStrCat.MSVBVM60( 1, 3000, 3000, 4500, ,00000000), ref: 0049E360
                                              • __vbaStrMove.MSVBVM60 ref: 0049E367
                                              • __vbaStrCat.MSVBVM60( 75, 90, 3600, ,00000000), ref: 0049E36F
                                              • __vbaStrMove.MSVBVM60 ref: 0049E376
                                              • __vbaStrCat.MSVBVM60( 900, 1200, 6000, ,00000000), ref: 0049E37E
                                              • __vbaStrMove.MSVBVM60 ref: 0049E385
                                              • __vbaStrCat.MSVBVM60( 0, 0, 6000, ,00000000), ref: 0049E38D
                                              • __vbaStrMove.MSVBVM60 ref: 0049E394
                                              • __vbaStrCat.MSVBVM60( 5, 50, 2410, ,00000000), ref: 0049E39C
                                              • __vbaStrMove.MSVBVM60 ref: 0049E3A3
                                              • __vbaStrCat.MSVBVM60( 40, 15, 4805, ,00000000), ref: 0049E3AB
                                              • __vbaStrMove.MSVBVM60 ref: 0049E3B2
                                              • __vbaStrCat.MSVBVM60( 15, 90, 7200, ,00000000), ref: 0049E3BA
                                              • __vbaStrMove.MSVBVM60 ref: 0049E3C1
                                              • __vbaStrCat.MSVBVM60( 75, 2000, 2400, ,00000000), ref: 0049E3C9
                                              • __vbaStrMove.MSVBVM60 ref: 0049E3D0
                                              • __vbaStrCat.MSVBVM60( 2500, 2500, 6000, ,00000000), ref: 0049E3D8
                                              • __vbaStrMove.MSVBVM60 ref: 0049E3DF
                                              • __vbaStrCat.MSVBVM60( 25, 25, 6000, ,00000000), ref: 0049E3E7
                                              • __vbaStrMove.MSVBVM60 ref: 0049E3EE
                                              • __vbaStrCat.MSVBVM60( 17, 2, 0, 1, , 95, , , , , , 500, 5000, 275, 3000, 15, 1000, 0, 400, 25, , ), ref: 0049E41A
                                              • __vbaStrMove.MSVBVM60 ref: 0049E427
                                              • __vbaStrCat.MSVBVM60( 100, 500, 25, 20, , , , , , , ,00000000), ref: 0049E42F
                                              • __vbaStrMove.MSVBVM60 ref: 0049E436
                                              • __vbaStrCat.MSVBVM60( 7, 140, 25, 30, 180, 500, , , , , ,00000000), ref: 0049E43E
                                              • __vbaStrMove.MSVBVM60 ref: 0049E445
                                              • __vbaStrCat.MSVBVM60( 8, 1500, 12, 1000, 15, 0, , , , , ,00000000), ref: 0049E44D
                                              • __vbaStrMove.MSVBVM60 ref: 0049E454
                                              • __vbaStrCat.MSVBVM60( 3, 2, 80, 100, , , , , , , ,00000000), ref: 0049E45C
                                              • __vbaStrMove.MSVBVM60 ref: 0049E463
                                              • __vbaStrCat.MSVBVM60( 100, 20, 220, 30, , 120, 180, 6000, 7500, 270, ,00000000), ref: 0049E46B
                                              • __vbaStrMove.MSVBVM60 ref: 0049E472
                                              • __vbaStrCat.MSVBVM60( 1, 3000, 3000, 6000, ,00000000), ref: 0049E47A
                                              • __vbaStrMove.MSVBVM60 ref: 0049E481
                                              • __vbaStrCat.MSVBVM60( 90, 90, 6000, ,00000000), ref: 0049E489
                                              • __vbaStrMove.MSVBVM60 ref: 0049E490
                                              • __vbaStrCat.MSVBVM60( 1000, 1000, 6000, ,00000000), ref: 0049E498
                                              • __vbaStrMove.MSVBVM60 ref: 0049E49F
                                              • __vbaStrCat.MSVBVM60( 0, 0, 6000, ,00000000), ref: 0049E4A7
                                              • __vbaStrMove.MSVBVM60 ref: 0049E4AE
                                              • __vbaStrCat.MSVBVM60( 7, 7, 6000, ,00000000), ref: 0049E4B6
                                              • __vbaStrMove.MSVBVM60 ref: 0049E4BD
                                              • __vbaStrCat.MSVBVM60( 25, 25, 6000, ,00000000), ref: 0049E4C5
                                              • __vbaStrMove.MSVBVM60 ref: 0049E4CC
                                              • __vbaStrCat.MSVBVM60( 30, 30, 6000, ,00000000), ref: 0049E4D4
                                              • __vbaStrMove.MSVBVM60 ref: 0049E4DB
                                              • __vbaStrCat.MSVBVM60( 500, 500, 6000, ,00000000), ref: 0049E4E3
                                              • __vbaStrMove.MSVBVM60 ref: 0049E4EA
                                              • __vbaStrCat.MSVBVM60( 2500, 2500, 6000, ,00000000), ref: 0049E4F2
                                              • __vbaStrMove.MSVBVM60 ref: 0049E4F9
                                              • __vbaStrCat.MSVBVM60( 25, 25, 6000, ,00000000), ref: 0049E501
                                              • __vbaStrMove.MSVBVM60 ref: 0049E508
                                              • __vbaStrCat.MSVBVM60( 17, 2, 0, 1, , 98, , , , , , 400, 6000, 275, 3000, 30, 200, 0, 300, 25, , ,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0049E525
                                              • __vbaStrMove.MSVBVM60 ref: 0049E532
                                              • __vbaStrCat.MSVBVM60( 800, 40, 50, 10, , , , , , , ,00000000), ref: 0049E53A
                                              • __vbaStrMove.MSVBVM60 ref: 0049E541
                                              • __vbaStrCat.MSVBVM60( 10, 150, 30, 15, 160, 25, , , , , ,00000000), ref: 0049E549
                                              • __vbaStrMove.MSVBVM60 ref: 0049E550
                                              • __vbaStrCat.MSVBVM60( 8, 1500, 12, 1000, 15, 0, , , , , ,00000000), ref: 0049E558
                                              • __vbaStrMove.MSVBVM60 ref: 0049E55F
                                              • __vbaStrCat.MSVBVM60( 3, 4, 850, 10, , , , , , , ,00000000), ref: 0049E567
                                              • __vbaStrMove.MSVBVM60 ref: 0049E56E
                                              • __vbaStrCat.MSVBVM60( 100, 20, 225, 30, , 120, 145, 6000, 25000, 270, ,00000000), ref: 0049E576
                                              • __vbaStrMove.MSVBVM60 ref: 0049E57D
                                              • __vbaStrCat.MSVBVM60( 1, 3000, 3000, 6000, ,00000000), ref: 0049E585
                                              • __vbaStrMove.MSVBVM60 ref: 0049E58C
                                              • __vbaStrCat.MSVBVM60( 100, 100, 6000, ,00000000), ref: 0049E594
                                              • __vbaStrMove.MSVBVM60 ref: 0049E59B
                                              • __vbaStrCat.MSVBVM60( 200, 300, 6000, ,00000000), ref: 0049E5A3
                                              • __vbaStrMove.MSVBVM60 ref: 0049E5AA
                                              • __vbaStrCat.MSVBVM60( 0, 0, 6000, ,00000000), ref: 0049E5B2
                                              • __vbaStrMove.MSVBVM60 ref: 0049E5B9
                                              • __vbaStrCat.MSVBVM60( 5, 10, 6000, ,00000000), ref: 0049E5C1
                                              • __vbaStrMove.MSVBVM60 ref: 0049E5C8
                                              • __vbaStrCat.MSVBVM60( 45, 30, 6000, ,00000000), ref: 0049E5D0
                                              • __vbaStrMove.MSVBVM60 ref: 0049E5D7
                                              • __vbaStrCat.MSVBVM60( 15, 15, 6000, ,00000000), ref: 0049E5DF
                                              • __vbaStrMove.MSVBVM60 ref: 0049E5E6
                                              • __vbaStrCat.MSVBVM60( 50, 25, 6000, ,00000000), ref: 0049E5EE
                                              • __vbaStrMove.MSVBVM60 ref: 0049E5F5
                                              • __vbaStrCat.MSVBVM60( 2500, 2500, 6000, ,00000000), ref: 0049E5FD
                                              • __vbaStrMove.MSVBVM60 ref: 0049E604
                                              • __vbaStrCat.MSVBVM60( 25, 25, 6000, ,00000000), ref: 0049E60C
                                              • __vbaStrMove.MSVBVM60 ref: 0049E613
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move
                                              • String ID: 0, 0, 6000, $ 2, 3, 16000, $ 5, 10, 6000, $ 5, 50, 2410, $ 7, 7, 6000, $ 15, 5, 8500, $ 15, 5, 13600, $ 15, 15, 6000, $ 15, 75, 7200, $ 15, 90, 7200, $ 20, 10, 9000, $ 25, 25, 6000, $ 30, 30, 4200, $ 30, 30, 6000, $ 40, 15, 4805, $ 45, 30, 6000, $ 50, 25, 6000, $ 75, 90, 3600, $ 75, 2000, 2400, $ 90, 90, 6000, $ 95, 95, 6000, $ 95, 99, 9600, $ 96, 96, 6000, $ 98, 98, 6000, $ 100, 100, 6000, $ 100, 500, 6000, $ 200, 25, 17500, $ 200, 300, 6000, $ 250, 150, 9200, $ 400, 1000, 9600, $ 500, 500, 6000, $ 900, 1200, 6000, $ 1000, 1000, 6000, $ 2500, 2500, 6000, $ 7000, 9999, 12500, $ 1, 3000, 3000, 4500, $ 1, 3000, 3000, 6000, $ 3, 2, 80, 100, , , , , , , $ 3, 4, 250, 15, , , , , , , $ 3, 4, 400, 15, , , , , , , $ 3, 4, 850, 10, , , , , , , $ 3, 140, 30, 30, 150, 200, , , , , $ 7, 140, 25, 30, 180, 500, , , , , $ 8, 1500, 12, 1000, 15, 0, , , , , $ 10, 140, 25, 30, 170, 500, , , , , $ 10, 150, 30, 15, 160, 25, , , , , $ 16, 400, 12, 8800, 10, 0, , , , , $ 17, 2, 0, 1, , 95, , , , , $ 17, 2, 0, 1, , 98, , , , , $ 17, 2, 4, 1, , 96, , , , , $ 19, 2, 0, 1, , 96, , , , , $ 100, 20, 200, 30, , 150, 240, 5000, 21000, 300, $ 100, 20, 220, 30, , 120, 180, 6000, 7500, 270, $ 100, 20, 225, 30, , 120, 145, 6000, 25000, 270, $ 100, 25, 200, 45, , 100, 150, 7200, 30000, 235, $ 100, 500, 25, 20, , , , , , , $ 300, 250, 25, 8, , , , , , , $ 400, 250, 50, 15, , , , , , , $ 400, 6000, 275, 3000, 30, 200, 0, 300, 25, , $ 500, 5000, 275, 3000, 15, 1000, 0, 400, 25, , $ 600, 5000, 240, 3000, 45, 1000, 0, 300, 25, , $ 750, 6000, 200, 3000, 30, 750, 100, 400, 30, , $ 800, 40, 50, 10, , , , , , ,
                                              • API String ID: 3922324654-2673105167
                                              • Opcode ID: 5c45f53a698cc7e8e3fe2b4d292f1a9940aab9626cf1661d83397800f9e0de0b
                                              • Instruction ID: 4c9de743ff6e1be6c8f678415b0b4c292cdf3f98f9f17eeed1deb6a999f15613
                                              • Opcode Fuzzy Hash: 5c45f53a698cc7e8e3fe2b4d292f1a9940aab9626cf1661d83397800f9e0de0b
                                              • Instruction Fuzzy Hash: A9021B72F5016CAA8705EBE4DC51DEF7BBDEED8700B618127E002E2194EEB46905CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004AD5AE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004AD5DE
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,004BD300,00000000,?,?,?,?,00408966), ref: 004AD5FB
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,?,00408966), ref: 004AD63B
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000018), ref: 004AD6A1
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004AD6D7
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000080), ref: 004AD729
                                              • __vbaFpI4.MSVBVM60 ref: 004AD747
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000088), ref: 004AD79E
                                              • __vbaFpI4.MSVBVM60 ref: 004AD7BC
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000098), ref: 004AD813
                                              • __vbaFpI4.MSVBVM60 ref: 004AD831
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000050), ref: 004AD882
                                              • __vbaFpI4.MSVBVM60 ref: 004AD8A0
                                              • _adj_fdiv_m32i.MSVBVM60 ref: 004AD8CF
                                              • __vbaFpI4.MSVBVM60 ref: 004AD8D4
                                              • _adj_fdiv_m32i.MSVBVM60 ref: 004AD903
                                              • __vbaFpI4.MSVBVM60 ref: 004AD908
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004AD923
                                              • __vbaUbound.MSVBVM60(00000001,00000000,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004AD988
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 004ADA3A
                                              • __vbaChkstk.MSVBVM60(00000001,Light,DirectX,DX_WinWidth,00000001,Light), ref: 004ADA9C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Chkstk$Error_adj_fdiv_m32i$AddrefNew2SystemUbound
                                              • String ID: 5A$4.3$Adv_MultiMonitor$Advanced$DX_WinHeight$DX_WinWidth$DX_WriteLog$DirectX$General$J$LIG$Light$Light Templates (*.lig)|*.lig|All Files (*.*)|*.*|$MBSS Light$MBSS Light Properties$MBSS Light.hlp$MBSS83EREIAMJH$MBSS_ALL$RegMathM3$Registered$SCRSAVE$SPFX:
                                              • API String ID: 201566698-3880971436
                                              • Opcode ID: 884a04ddc8eca0110e808f1fcb71836c600241d059b9639412c714236b410ff6
                                              • Instruction ID: 684036a8d8957eb57f18ba2c01f5b42a06399f0fc32b58f857c62f745afbbb2e
                                              • Opcode Fuzzy Hash: 884a04ddc8eca0110e808f1fcb71836c600241d059b9639412c714236b410ff6
                                              • Instruction Fuzzy Hash: E4E229B4900219DFDB14DFA0DD48BDEB7B5BF48305F1081AAE60AB72A0DB745A84CF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,00000000,00000001,Light,?,00000000,00408966,Advanced), ref: 004B9CDE
                                              • __vbaOnError.MSVBVM60(000000FF,00000000,6C31CB0D,?,?,00408966,00000000), ref: 004B9D0E
                                              • __vbaStrCopy.MSVBVM60(?,?,00408966,00000000), ref: 004B9D23
                                              • #593.MSVBVM60(0000000A), ref: 004B9D87
                                              • __vbaR8IntI4.MSVBVM60 ref: 004B9D93
                                              • __vbaFreeVar.MSVBVM60 ref: 004B9D9F
                                              • __vbaNew2.MSVBVM60(0041000C,004E03A8,?,?,00408966,00000000), ref: 004BA210
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004BA24A
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 004BA294
                                              • __vbaFPFix.MSVBVM60 ref: 004BA2EF
                                              • __vbaStrR8.MSVBVM60(?,00408966,00000000), ref: 004BA2FB
                                              • __vbaStrMove.MSVBVM60 ref: 004BA306
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 004BA34B
                                              • __vbaFreeStr.MSVBVM60 ref: 004BA366
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004BA376
                                              • __vbaNew2.MSVBVM60(0041000C,004E03A8), ref: 004BA399
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$CheckHresultNew2$#593ChkstkCopyErrorListMove
                                              • String ID: Alien Green$Contours / Few Shades$Contours / Many Shades$DX_DesktopFrames$DX_DesktopPercent$DX_FilterMaskB$DX_FilterMaskG$DX_FilterMaskR$DirectX$Film Negative$Fire Red$Green & Blue$Green Sea Paint$High Contrast Shells$Light$Normal (Default)$Pure Blue$Red & Green$Reverse All Blue$Reverse All Red$Reverse Bright Colors$Reverse Dark Blue$Reverse Light Blue$i
                                              • API String ID: 1603966991-134403767
                                              • Opcode ID: c56a7bc2965791db5491e570fd5250bef12a7f38ac20b96f509cfe8f0e784122
                                              • Instruction ID: a309784114b3a30d045de14c99885ba6bee0f1113a7eb8f31d66dae2d0f7a175
                                              • Opcode Fuzzy Hash: c56a7bc2965791db5491e570fd5250bef12a7f38ac20b96f509cfe8f0e784122
                                              • Instruction Fuzzy Hash: 8EC22970900318EFDB14DF50DD88BDDBBB0FB48305F1081AAE549AB2A1CBB95A85DF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,00000000,?,?,?,00000000,00408966), ref: 004AB8CE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,00000000), ref: 004AB8FE
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,000001C0), ref: 004AB979
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000048), ref: 004AB9FB
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000190), ref: 004ABA60
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000048), ref: 004ABABD
                                              • __vbaStrCmp.MSVBVM60(picScreen,?), ref: 004ABADE
                                              • __vbaStrCmp.MSVBVM60(frmSaver,?), ref: 004ABAF6
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004ABB17
                                              • __vbaFreeObj.MSVBVM60(?,?,00408966,00000000), ref: 004ABB23
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000190), ref: 004ABB8D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000048), ref: 004ABBEA
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000190), ref: 004ABC4F
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000048), ref: 004ABCAC
                                              • __vbaStrCmp.MSVBVM60(frmProps,?), ref: 004ABCCD
                                              • #581.MSVBVM60(004130D0,?,?,?,?,?,?,?,?,00408966,00000000), ref: 004ABE34
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 004ABE65
                                                • Part of subcall function 004DE530: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004DE54E
                                                • Part of subcall function 004DE530: __vbaStrCopy.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE57B
                                                • Part of subcall function 004DE530: __vbaStrCopy.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE587
                                                • Part of subcall function 004DE530: __vbaVarDup.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE593
                                                • Part of subcall function 004DE530: __vbaStrCopy.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE59F
                                                • Part of subcall function 004DE530: __vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00408966), ref: 004DE5AE
                                                • Part of subcall function 004DE530: __vbaChkstk.MSVBVM60(?,?,?,00000001,?,?,00408966), ref: 004DE5C8
                                                • Part of subcall function 004DE530: __vbaStrMove.MSVBVM60(?,?,?,?,?,00000001,?,?,00408966), ref: 004DE5F8
                                                • Part of subcall function 004DE530: __vbaVarDup.MSVBVM60 ref: 004DE619
                                                • Part of subcall function 004DE530: #561.MSVBVM60(?), ref: 004DE623
                                                • Part of subcall function 004DE530: __vbaFreeVar.MSVBVM60 ref: 004DE630
                                                • Part of subcall function 004DE530: __vbaInStr.MSVBVM60(00000000,00415A24,?,00000001), ref: 004DE652
                                                • Part of subcall function 004DE530: #581.MSVBVM60(?), ref: 004DE667
                                                • Part of subcall function 004DE530: __vbaStrR8.MSVBVM60(?,00408966), ref: 004DE673
                                                • Part of subcall function 004DE530: __vbaStrMove.MSVBVM60 ref: 004DE67E
                                                • Part of subcall function 004DE530: #561.MSVBVM60(00004008), ref: 004DE69C
                                              • __vbaI4Str.MSVBVM60(00412B2C,00000001,Light,Advanced,FocalLength,00000001,Light), ref: 004ABEAB
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966), ref: 004DE3EE
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE41B
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE427
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE433
                                                • Part of subcall function 004DE3D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004DE442
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(004088C0,?), ref: 004DE469
                                                • Part of subcall function 004DE3D0: __vbaStrMove.MSVBVM60(?,?,004088C0,?), ref: 004DE499
                                                • Part of subcall function 004DE3D0: #561.MSVBVM60(00004008), ref: 004DE4B7
                                                • Part of subcall function 004DE3D0: __vbaI4Str.MSVBVM60(?), ref: 004DE4CF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60(004DE511), ref: 004DE4EF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE4F8
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE501
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE50A
                                              • __vbaI4Str.MSVBVM60(004130D0,00000001,Light,Advanced,Adv_TimeDelay,00000000), ref: 004ABED9
                                              • #581.MSVBVM60(004130D0,Advanced,Adv_SpfxCycle,00000000), ref: 004ABF03
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 004ABF34
                                                • Part of subcall function 004DE530: __vbaR4Str.MSVBVM60(?), ref: 004DE6B4
                                                • Part of subcall function 004DE530: __vbaFreeStr.MSVBVM60(004DE713), ref: 004DE6E8
                                                • Part of subcall function 004DE530: __vbaFreeVar.MSVBVM60 ref: 004DE6F1
                                                • Part of subcall function 004DE530: __vbaFreeStr.MSVBVM60 ref: 004DE6FA
                                                • Part of subcall function 004DE530: __vbaFreeStr.MSVBVM60 ref: 004DE703
                                                • Part of subcall function 004DE530: __vbaFreeStr.MSVBVM60 ref: 004DE70C
                                              • __vbaI4Str.MSVBVM60(00412B2C,00000001,Light,Advanced,Adv_PerfMult,00000001,Light), ref: 004ABF7A
                                              • __vbaChkstk.MSVBVM60(00000001,Light,Advanced,Adv_SpfxCycle,00000000), ref: 004AC008
                                              • __vbaStrMove.MSVBVM60(Advanced,Adv_FontName,00000001,Light,Advanced,Adv_SpfxCycle,00000000), ref: 004AC03C
                                              • __vbaI4Str.MSVBVM60(0041311C,00000001,Light), ref: 004AC055
                                              • __vbaI4Str.MSVBVM60(180,00000001,Light,Advanced,Adv_FontSize,00000000), ref: 004AC083
                                              • __vbaChkstk.MSVBVM60(00000001,Light,Advanced,Adv_FontHueV,00000000), ref: 004AC0BF
                                              • __vbaStrMove.MSVBVM60(Advanced,LockMessage,00000001,Light,Advanced,Adv_FontHueV,00000000), ref: 004AC0F3
                                              • __vbaI4Str.MSVBVM60(004130C0,00000001,Light), ref: 004AC10C
                                              • __vbaI4Str.MSVBVM60(00412B2C,00000001,Light,Advanced,Adv_FontTOff,00000000), ref: 004AC13A
                                              • __vbaI4Str.MSVBVM60(004130C8,00000001,Light,Advanced,Adv_FontHInc,00000000), ref: 004AC168
                                              • __vbaChkstk.MSVBVM60(00000001,Light,Advanced,Adv_CMinutes,00000000), ref: 004AC1A4
                                              • __vbaStrMove.MSVBVM60(Advanced,Adv_TimeText,00000001,Light,Advanced,Adv_CMinutes,00000000), ref: 004AC1D8
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 004AC1FF
                                              • __vbaStrMove.MSVBVM60(Advanced,Adv_ZeroText,00000001,Light), ref: 004AC233
                                              • __vbaChkstk.MSVBVM60 ref: 004AC253
                                              • __vbaVarDup.MSVBVM60(?,?,?,00000000,3C23D70A,41200000,000000FF,000000FF), ref: 004AC2D8
                                              • __vbaStrCmp.MSVBVM60(00000000,00000000,?,?,?,00000000,3C23D70A,41200000,000000FF,000000FF), ref: 004AC2E7
                                              • #681.MSVBVM60(?,0000000B,?,00004008,?,?,?,00000000,3C23D70A,41200000,000000FF,000000FF), ref: 004AC312
                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000,3C23D70A,41200000,000000FF,000000FF), ref: 004AC329
                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,?,?,?,?,?,00000000,3C23D70A,41200000,000000FF,000000FF), ref: 004AC33D
                                              • __vbaStrVarMove.MSVBVM60(?,?,?,?,00000000,3C23D70A,41200000,000000FF,000000FF), ref: 004AC31C
                                                • Part of subcall function 004B67E0: #681.MSVBVM60(?,?,?,?,00000000,6C31CB0D), ref: 004B6862
                                                • Part of subcall function 004B67E0: #681.MSVBVM60(?,?,?,?), ref: 004B6899
                                                • Part of subcall function 004B67E0: __vbaI4Var.MSVBVM60(?), ref: 004B689F
                                                • Part of subcall function 004B67E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004B68BA
                                              • #519.MSVBVM60(00000000,00000000,00000000,00000167,00000000,0000000A,0000003C), ref: 004AC38E
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00408966,00000000), ref: 004AC399
                                              • __vbaStrMove.MSVBVM60(00000064), ref: 004AC3BA
                                              • #616.MSVBVM60(00000000), ref: 004AC3C1
                                              • __vbaStrMove.MSVBVM60 ref: 004AC3CE
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004AC3DE
                                              • #681.MSVBVM60(?,0000000B,00004003,00000002), ref: 004AC8C6
                                              • __vbaI4Var.MSVBVM60(?), ref: 004AC8D0
                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,00000002,?), ref: 004AC8E9
                                              • #681.MSVBVM60(?,0000000B,00004003,00000002), ref: 004AC93E
                                              • __vbaI4Var.MSVBVM60(?), ref: 004AC948
                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,00000002,?), ref: 004AC961
                                              • __vbaFPInt.MSVBVM60 ref: 004AC9A7
                                              • __vbaFpI4.MSVBVM60 ref: 004AC9B3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$ChkstkMove$CheckHresult$CopyList$#681$#561#581Error$#519#616
                                              • String ID: 180$Adv_CMinutes$Adv_EffectFPC$Adv_FontHInc$Adv_FontHueV$Adv_FontName$Adv_FontSize$Adv_FontTOff$Adv_PerfMult$Adv_SpfxCycle$Adv_TimeDelay$Adv_TimeText$Adv_ZeroText$Advanced$Arial$D5A$DX_WinHeight$DX_WinWidth$DirectX$FocalLength$Light$LockMessage$frmProps$frmSaver$frmVideo$h$picScreen
                                              • API String ID: 868519161-766940689
                                              • Opcode ID: 14fb6f2dc206a54cf6775ab4626c92b3d94ea46ec7da9547fb5b2ff6dc22daaf
                                              • Instruction ID: ed58b20da40b44cd88fa6a481b0c7ff924165450b28b649f0855810bb142319b
                                              • Opcode Fuzzy Hash: 14fb6f2dc206a54cf6775ab4626c92b3d94ea46ec7da9547fb5b2ff6dc22daaf
                                              • Instruction Fuzzy Hash: 77F206B4901218DFDB54DF94CD88BDDBBB5FB48304F20819AE609BB2A1C7B45A85CF58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (legend: Executed / Not Executed)
                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,00000000,?,?,?,00000000,00408966), ref: 004A1DAE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 004A1DDE
                                                • Part of subcall function 004B67E0: #681.MSVBVM60(?,?,?,?,00000000,6C31CB0D), ref: 004B6862
                                                • Part of subcall function 004B67E0: #681.MSVBVM60(?,?,?,?), ref: 004B6899
                                                • Part of subcall function 004B67E0: __vbaI4Var.MSVBVM60(?), ref: 004B689F
                                                • Part of subcall function 004B67E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004B68BA
                                              • __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,0000000A,0000270F,00000000,0000000A,000003E7,CyclePropsSetMinMaxRange,?,?,?,00000000,00408966,00000000), ref: 004A1E49
                                                • Part of subcall function 004B66B0: #681.MSVBVM60(?,?,?,?,?,00000001), ref: 004B673B
                                                • Part of subcall function 004B66B0: #681.MSVBVM60(?,?,?,?,?,00000001), ref: 004B677B
                                                • Part of subcall function 004B66B0: __vbaR4Var.MSVBVM60(?,?,00000001), ref: 004B6781
                                                • Part of subcall function 004B66B0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 004B679C
                                              • __vbaFpI4.MSVBVM60(00000000,00000168,00000000,00000000,461C3C00,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1EA1
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1ED9
                                              • __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F11
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F49
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F81
                                              • __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,00000001,0000270F,00000000,00000000,00000006,00000000,00000000,0000000D,00000000,00000000,00000002,00000000,00000000), ref: 004A2062
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A209A
                                              • __vbaFpI4.MSVBVM60(00000000,00000000,00000064,00000000,00000001,00000063,00000000,?,?,?,00000000,00408966,00000000), ref: 004A2108
                                              • __vbaFpI4.MSVBVM60(00000001,000003E7,?,?,?,00000000,00408966,00000000), ref: 004A2127
                                              • __vbaFpI4.MSVBVM60(00000000,00000000,00000064,00000000,?,?,?,00000000,00408966,00000000), ref: 004A217A
                                              • __vbaFpI4.MSVBVM60(00000000,00000000,00000168,?,?,?,00000000,00408966,00000000), ref: 004A21B0
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,?,?,?,00000000,00408966,00000000), ref: 004A21CF
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A2207
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,00000001,00000063,00000000,00000000,0000270F,00000000,00000004,00000063,00000000,?,?,?,00000000), ref: 004A2295
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A22CD
                                              • __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,00000001,0000270F,00000000,00000001,00000063,00000000,00000001,00000063,00000000,00000000,00000063,00000000), ref: 004A2377
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05B8,00000004,00000002,00000003,00000000,-00000002,00000000,00000000,?,?,?,00000000,00408966,00000000), ref: 004A23C8
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05BC,00000004,00000002,00000003,00000000,-00000002,00000000), ref: 004A23F7
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05C0,00000004,00000002,00000003,00000000,-00000002,00000000), ref: 004A2427
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05C4,00000004,00000001,-00000002,00000000), ref: 004A2453
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05C8,00000004,00000001,-00000002,00000000), ref: 004A247E
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05CC,00000004,00000001,-00000002,00000000), ref: 004A24AA
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0550,00000004,00000001,00000000,00000000), ref: 004A24D3
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0554,00000004,00000001,00000000,00000000), ref: 004A24FB
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0558,00000004,00000001,00000000,00000000), ref: 004A2524
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E055C,00000004,00000001,00000000,00000000), ref: 004A254D
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0560,00000004,00000001,00000000,00000000), ref: 004A2575
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0564,00000004,00000001,00000000,00000000), ref: 004A259E
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0568,00000003,00000001,00000000,00000000), ref: 004A25C7
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E056C,00000003,00000001,00000000,00000000), ref: 004A25EF
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0570,00000004,00000001,00000000,00000000), ref: 004A2618
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0574,00000004,00000001,00000000,00000000), ref: 004A2641
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E0578,00000003,00000001,00000000,00000000), ref: 004A2669
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E057C,00000004,00000001,00000000,00000000), ref: 004A2692
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05D0,00000003,00000001,00000000,00000000), ref: 004A26BE
                                              • __vbaRedim.MSVBVM60(00000080,00000004,004E05D4,00000004,00000001,00000000,00000000), ref: 004A26E9
                                              • __vbaSetSystemError.MSVBVM60 ref: 004A2722
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490), ref: 004A2742
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000018), ref: 004A27A8
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000068), ref: 004A2805
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000048), ref: 004A2862
                                              • __vbaI4Str.MSVBVM60(004130D0,00000001,Light), ref: 004A2886
                                              • __vbaStrCmp.MSVBVM60(frmVideo,?,Advanced,Adv_SpfxCycle,00000000), ref: 004A28D1
                                              • __vbaFreeStr.MSVBVM60 ref: 004A28EF
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004A28FF
                                              • _adj_fdiv_m64.MSVBVM60(00000000,00000001,-00000001,00000000,00000001,00000000), ref: 004A29C0
                                              • __vbaPowerR8.MSVBVM60 ref: 004A2A33
                                              • _adj_fdiv_m32.MSVBVM60 ref: 004A2A6E
                                              • __vbaPowerR8.MSVBVM60 ref: 004A2A88
                                              • _adj_fdiv_m64.MSVBVM60(00000000,00000001,-00000001,00000000,00000001,00000000), ref: 004A2AFE
                                              • __vbaFpI4.MSVBVM60(00000000,00000001,-00000001,00000000,00000001,00000000), ref: 004A2B03
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000001,00000000), ref: 004A2B90
                                              • __vbaR8FixI4.MSVBVM60(?,00000000,?,00000000,00000000), ref: 004A2DD8
                                                • Part of subcall function 004BD2A0: _adj_fdivr_m64.MSVBVM60(00000000,00000000,004A2BD2,00000000,00000000,00000000,38D1B717), ref: 004BD2D0
                                              • __vbaFpI4.MSVBVM60(00000004,00000000,00000000,?,00000003,00000000,00000000,3A83126F,00000002,00000000,00000000,3727C5AC,00000000,00000000,00000000,38D1B717), ref: 004A2C46
                                              • __vbaFpI4.MSVBVM60(00000006,00000000,00000000,3F800000,?,00000003,00000000,00000000,3A83126F,00000002,00000000,00000000,3727C5AC,00000000,00000000,00000000), ref: 004A2C6C
                                              • __vbaFpI4.MSVBVM60(0000000B,00000000,00000000,3F800000,0000000A,00000000,00000000,?,00000009,00000000,00000000,38D1B717,00000008,00000000,00000000,38D1B717), ref: 004A2D27
                                              • _adj_fdiv_m32i.MSVBVM60(?,00000000,?,00000000,00000000), ref: 004A2EA4
                                              • __vbaFpI4.MSVBVM60(?,00000000,?,00000000,00000000), ref: 004A2EAB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Redim$#681Free$CheckErrorHresultList$PowerSystem_adj_fdiv_m64$ChkstkNew2_adj_fdiv_m32_adj_fdiv_m32i_adj_fdivr_m64
                                              • String ID: Adv_SpfxCycle$Advanced$CyclePropsSetMinMaxRange$Light$frmVideo$}
                                              • API String ID: 1648932734-304829497
                                              • Opcode ID: d77a32105acd1c588928cd6394a66001cb7db5d03cadf52b7590c42f667e9baf
                                              • Instruction ID: e442d722582b98d74ee5eb04f963d17dbe6faed4266925b95cb47d587727f7cd
                                              • Opcode Fuzzy Hash: d77a32105acd1c588928cd6394a66001cb7db5d03cadf52b7590c42f667e9baf
                                              • Instruction Fuzzy Hash: A7D282B0A00244EFEB10DFA4DD89B9DBBB4FB44704F1081A9E2157B2E1C7B95A95CF58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (legend: Executed / Not Executed)
                                              APIs
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966), ref: 004DE3EE
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE41B
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE427
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE433
                                                • Part of subcall function 004DE3D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004DE442
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(004088C0,?), ref: 004DE469
                                                • Part of subcall function 004DE3D0: __vbaStrMove.MSVBVM60(?,?,004088C0,?), ref: 004DE499
                                                • Part of subcall function 004DE3D0: #561.MSVBVM60(00004008), ref: 004DE4B7
                                                • Part of subcall function 004DE3D0: __vbaI4Str.MSVBVM60(?), ref: 004DE4CF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60(004DE511), ref: 004DE4EF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE4F8
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE501
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE50A
                                              • __vbaI4Str.MSVBVM60(004130D0,00000001,Light,General,UseCountSaver,00000000,00000001,Light), ref: 004D616B
                                              • __vbaI4Str.MSVBVM60(132671441,00000001,Light,Advanced,Adv_SpfxCycle,00000000), ref: 004D61B8
                                              • __vbaPowerR8.MSVBVM60(00000000,40000000,00000000,403C0000,Advanced,Adv_ThemeFlags,00000000), ref: 004D61DC
                                              • __vbaFpI4.MSVBVM60 ref: 004D61EE
                                              • __vbaPowerR8.MSVBVM60(00000000,40000000), ref: 004D6222
                                              • __vbaFpI4.MSVBVM60 ref: 004D6228
                                              • __vbaRedimPreserve.MSVBVM60(00000080,00000004,004E06D0,00000003,00000001,00000000,00000000), ref: 004D624F
                                              • __vbaStrMove.MSVBVM60(Advanced,Adv_TempDirectory,00000000), ref: 004D62DC
                                              • __vbaStrCopy.MSVBVM60 ref: 004D62F2
                                              • __vbaFreeStr.MSVBVM60 ref: 004D62F7
                                              • #618.MSVBVM60(00000000,00000001), ref: 004D630C
                                              • __vbaStrMove.MSVBVM60 ref: 004D6317
                                              • __vbaVarDup.MSVBVM60 ref: 004D6350
                                              • __vbaVarDup.MSVBVM60 ref: 004D636F
                                              • __vbaStrMove.MSVBVM60 ref: 004D637E
                                              • __vbaStrCmp.MSVBVM60(00415654,00000000), ref: 004D6386
                                              • #681.MSVBVM60(?,?,?,?), ref: 004D63B4
                                              • __vbaVarCat.MSVBVM60(?,?,?), ref: 004D63C9
                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004D63D0
                                              • __vbaStrMove.MSVBVM60 ref: 004D63DB
                                              • __vbaStrCopy.MSVBVM60 ref: 004D63EB
                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 004D63FB
                                              • __vbaFreeVarList.MSVBVM60(00000005,0000000B,?,?,?,?), ref: 004D641A
                                                • Part of subcall function 004A6DA0: __vbaChkstk.MSVBVM60(00000000,00408966,Advanced,Adv_SpfxCycle,00000000), ref: 004A6DBE
                                                • Part of subcall function 004A6DA0: __vbaOnError.MSVBVM60(000000FF,00000000,6C31CB0D,?,00000000,00408966,Advanced), ref: 004A6DEE
                                                • Part of subcall function 004A6DA0: __vbaStrMove.MSVBVM60(?,00000002,DirectX,DX_FilterIndex,00000000,00000001,Light,?,00000000,00408966,Advanced), ref: 004A6E26
                                                • Part of subcall function 004A6DA0: __vbaFreeStr.MSVBVM60(?,00000000,00408966,Advanced), ref: 004A6E2F
                                                • Part of subcall function 004A6DA0: __vbaI4Str.MSVBVM60(750,00000001,Light,?,00000000,00408966,Advanced), ref: 004A6E59
                                                • Part of subcall function 004A6DA0: __vbaI4Str.MSVBVM60(6000,00000001,Light,Light,OrbTotal,00000000,?,00000000,00408966,Advanced), ref: 004A6E87
                                                • Part of subcall function 004A6DA0: __vbaFpI4.MSVBVM60(Light,OrbStars,00000000,?,00000000,00408966,Advanced), ref: 004A6EA6
                                                • Part of subcall function 004A6DA0: __vbaI4Str.MSVBVM60(200,00000001,Light,?,00000000,00408966,Advanced), ref: 004A6EC4
                                                • Part of subcall function 004A6DA0: __vbaI4Str.MSVBVM60(3000,00000001,Light,Light,OrbBiasCore,00000000,?,00000000,00408966,Advanced), ref: 004A6EF9
                                                • Part of subcall function 004A6DA0: __vbaI4Str.MSVBVM60(0041309C,00000001,Light,Light,OrbStarLife,00000000,?,00000000,00408966,Advanced), ref: 004A6F2E
                                              • __vbaAryDestruct.MSVBVM60(00000000,?,004D69E1,00000000,3F800000,Advanced,Adv_SpfxCycle,00000000), ref: 004D69D1
                                              • __vbaFreeStr.MSVBVM60 ref: 004D69DA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$Copy$Chkstk$ErrorListPower$#561#618#681DestructPreserveRedim
                                              • String ID: 0000$132671441$< NONE >LightOscillating HalosFast ForwardSerenityFire BurstSphere WorldsLight PlaneRadial StructureSpherical ShellBrigh$Adv_CycleStyle$Adv_CycleStyleIndex$Adv_DispTempName$Adv_SpfxCycle$Adv_TempDirectory$Adv_TempFile$Adv_TempFileCount$Adv_ThemeFlags$Advanced$General$Light$UseCountSaver
                                              • API String ID: 2758063827-759274804
                                              • Opcode ID: 5b1752c9fda956d3549bdb8b7e5d29051081e65077fc919bed0d32ddfe921bbc
                                              • Instruction ID: 780f86e5cb6f9fb8c9d69ce7c6ecbab9f25e57774aa681162769be0d6c54085b
                                              • Opcode Fuzzy Hash: 5b1752c9fda956d3549bdb8b7e5d29051081e65077fc919bed0d32ddfe921bbc
                                              • Instruction Fuzzy Hash: D9429E70A002049FDB14DFA4CD95FDAB7B5FF88700F2081AAE509AB391DBB46985CF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,?,?,?,004DE375,?,?), ref: 004B691E
                                              • __vbaStrCopy.MSVBVM60(00000000,6C2ED83C,?,?,00408966), ref: 004B694B
                                              • __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B6957
                                              • __vbaVarDup.MSVBVM60(?,?,00408966), ref: 004B6963
                                              • __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B696F
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,00408966), ref: 004B697E
                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B6A08
                                              • __vbaStrMove.MSVBVM60 ref: 004B6A13
                                              • __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,0000003F,?), ref: 004B6A31
                                              • __vbaStrMove.MSVBVM60 ref: 004B6A3C
                                              • __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B6A48
                                              • __vbaStrMove.MSVBVM60 ref: 004B6A53
                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 004B6A5E
                                              • __vbaStrMove.MSVBVM60 ref: 004B6A69
                                              • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B6A74
                                              • __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 004B6A8A
                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004B6AB7
                                              • #525.MSVBVM60(000000FF), ref: 004B6AE8
                                              • __vbaStrMove.MSVBVM60 ref: 004B6AF3
                                              • __vbaStrToAnsi.MSVBVM60(?,?,000000FF), ref: 004B6B0C
                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 004B6B21
                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004B6B37
                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004B6B45
                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004B6B53
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B6B78
                                              • #631.MSVBVM60(?,000000FF,00000002), ref: 004B6BB1
                                              • __vbaStrMove.MSVBVM60 ref: 004B6BBC
                                              • #516.MSVBVM60(00000000), ref: 004B6BC3
                                              • __vbaFreeStr.MSVBVM60 ref: 004B6BDB
                                              • __vbaFreeVar.MSVBVM60 ref: 004B6BE4
                                              • #616.MSVBVM60(?,000000FE), ref: 004B6C07
                                              • __vbaStrMove.MSVBVM60 ref: 004B6C12
                                              • #616.MSVBVM60(?,000000FF), ref: 004B6C29
                                              • __vbaStrMove.MSVBVM60 ref: 004B6C34
                                              • RegCloseKey.KERNELBASE(?), ref: 004B6C4A
                                              • __vbaFreeStr.MSVBVM60(004B6CBD), ref: 004B6C92
                                              • __vbaFreeVar.MSVBVM60 ref: 004B6C9B
                                              • __vbaFreeStr.MSVBVM60 ref: 004B6CA4
                                              • __vbaFreeStr.MSVBVM60 ref: 004B6CAD
                                              • __vbaFreeStr.MSVBVM60 ref: 004B6CB6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$Copy$AnsiError$#616ListSystemUnicode$#516#525#631ChkstkClose
                                              • String ID: SOFTWARE\MBSS\
                                              • API String ID: 3165238930-3817278682
                                              • Opcode ID: 330647724365f3caab1fe6551972058a5ee998ccca1e5927595de27220c2c3bc
                                              • Instruction ID: 671df838cf659aa07d7a8a0c0962b884597d847221a2f0b25b7803e236630617
                                              • Opcode Fuzzy Hash: 330647724365f3caab1fe6551972058a5ee998ccca1e5927595de27220c2c3bc
                                              • Instruction Fuzzy Hash: CBB1E5B5900248DFDB04DFA0D958BEEBBB4FF48305F108169E506B7260DB785A89CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004B5DDE
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E0B
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E17
                                              • __vbaVarDup.MSVBVM60(?,?,?,?,00408966), ref: 004B5E23
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E2F
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004B5E3E
                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B5ED5
                                              • __vbaStrMove.MSVBVM60 ref: 004B5EE0
                                              • #519.MSVBVM60(00000000), ref: 004B5EE7
                                              • __vbaStrMove.MSVBVM60 ref: 004B5EF2
                                              • __vbaFreeStr.MSVBVM60 ref: 004B5EFB
                                              • __vbaStrToAnsi.MSVBVM60(?,REG_SZ,00000000,0000003F,004E038C,?,?), ref: 004B5F22
                                              • __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,00000000), ref: 004B5F34
                                              • __vbaStrMove.MSVBVM60 ref: 004B5F3F
                                              • __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B5F4B
                                              • __vbaStrMove.MSVBVM60 ref: 004B5F56
                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 004B5F61
                                              • __vbaStrMove.MSVBVM60 ref: 004B5F6C
                                              • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B5F77
                                              • __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 004B5F8D
                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004B5FBE
                                              • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 004B6002
                                              • __vbaLenVarB.MSVBVM60(?,?), ref: 004B6027
                                              • __vbaVarAdd.MSVBVM60(?,00000002,00000000), ref: 004B603C
                                              • __vbaI4Var.MSVBVM60(00000000), ref: 004B6043
                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004B6052
                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000001,00000000), ref: 004B6065
                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004B607B
                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004B6089
                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004B6097
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B60B9
                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004B60CF
                                              • RegCloseKey.KERNELBASE(?), ref: 004B60E8
                                              • __vbaFreeStr.MSVBVM60(004B6160), ref: 004B6135
                                              • __vbaFreeStr.MSVBVM60 ref: 004B613E
                                              • __vbaFreeStr.MSVBVM60 ref: 004B6147
                                              • __vbaFreeVar.MSVBVM60 ref: 004B6150
                                              • __vbaFreeStr.MSVBVM60 ref: 004B6159
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$AnsiCopy$ErrorList$SystemUnicode$#519#717ChkstkClose
                                              • String ID: REG_SZ$SOFTWARE\MBSS\
                                              • API String ID: 3622192306-1949499188
                                              • Opcode ID: 2280ef4578fff624299f0bea3b8aa868353688f25bdcddbc7c99769db338ab02
                                              • Instruction ID: 0d223e9d5cc7ae3389a2d900c9c2edc9c4507b1fe5cb5158cde3043e5546280d
                                              • Opcode Fuzzy Hash: 2280ef4578fff624299f0bea3b8aa868353688f25bdcddbc7c99769db338ab02
                                              • Instruction Fuzzy Hash: DCA1C975900248EBDB14DFE0DE88BDEBBB8FB48305F108569E506B71A0DB745A88CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,00000000,?,?,?,00000000,00408966), ref: 00495F3E
                                              • __vbaOnError.MSVBVM60(00000001,?,?,?,00000000,00408966,00000000), ref: 00495F6E
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,00408966,00000000), ref: 00495FDA
                                              • __vbaSetSystemError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 00495FEE
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,00408966,00000000), ref: 00496004
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 00496013
                                              • __vbaChkstk.MSVBVM60(00000001,Light,General,UseCountPreview,00000001,Light,General,UseCountPreview,00000000,00000001,Light), ref: 00496216
                                              • __vbaStrMove.MSVBVM60(General,SaverStartDate,00000001,Light,General,UseCountPreview,00000001,Light,General,UseCountPreview,00000000,00000001,Light), ref: 00496248
                                              • #557.MSVBVM60(00004008), ref: 00496266
                                              • #546.MSVBVM60(?), ref: 0049627E
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 00496290
                                              • __vbaFreeVar.MSVBVM60(General,SaverStartDate,00000001,Light), ref: 004962C0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$ChkstkSystem$#546#557FreeMove
                                              • String ID: /$DX_ShowFPS$DirectX$General$Light$SaverStartDate$UseCountPreview$UseCountSaver$x
                                              • API String ID: 2574892228-3223475635
                                              • Opcode ID: e243b452d8f37d82116f34274b64a7964131735a0e6ffce71386dd98996c3266
                                              • Instruction ID: 15d3f253fb70378e2f3a55e94a8885e14dca1f87a01a2bc0f0fe453eb188b868
                                              • Opcode Fuzzy Hash: e243b452d8f37d82116f34274b64a7964131735a0e6ffce71386dd98996c3266
                                              • Instruction Fuzzy Hash: D9E138B0901248DFDB00DFD4DA59BDDBBB0FB04708F20C16AE511AB291C7B95A89DF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004D6A1E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004D6A4E
                                              • __vbaStrCat.MSVBVM60( lWin: , WinPreview:,000000FF,MBSS_Log.txt,?,?,?,?,00408966), ref: 004D6A8D
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6A98
                                              • __vbaStrI4.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004D6AA3
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6AAE
                                              • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00408966), ref: 004D6AB5
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6AC0
                                              • __vbaStrCat.MSVBVM60( lMsg: ,00000000,?,?,?,?,00408966), ref: 004D6ACC
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6AD7
                                              • __vbaStrI4.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 004D6AE2
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6AED
                                              • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00408966), ref: 004D6AF4
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6AFF
                                              • __vbaStrCat.MSVBVM60( lOpt: ,00000000,?,?,?,?,00408966), ref: 004D6B0B
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6B16
                                              • __vbaStrI4.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 004D6B21
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6B2C
                                              • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00408966), ref: 004D6B33
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 004D6B3E
                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,00000000,?,?,?,?,?,?,00000000,?,?,?,?,00408966), ref: 004D6B70
                                              • __vbaNew2.MSVBVM60(004093E4,004E03BC), ref: 004D6BDF
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415CAC,00000058), ref: 004D6C27
                                              • __vbaSetSystemError.MSVBVM60(00000000,?), ref: 004D6C49
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,00000218,?,?), ref: 004D6C77
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,00000000,00408270,?,?,?,?,00408966), ref: 004D6CAB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move$Error$System$CheckChkstkFreeHresultListNew2
                                              • String ID: WinPreview:$ lMsg: $ lOpt: $ lWin: $MBSS_Log.txt
                                              • API String ID: 1324757133-330562636
                                              • Opcode ID: c3c2f61bb1dd4e4c1eb09bc03f59bba60b61b4222382563b46934e6e56bc912e
                                              • Instruction ID: ffd7e60cf82be5543827198d44e54c47ec1ef8453d9a47de9c79f50372643120
                                              • Opcode Fuzzy Hash: c3c2f61bb1dd4e4c1eb09bc03f59bba60b61b4222382563b46934e6e56bc912e
                                              • Instruction Fuzzy Hash: E6814E75910248EFCB14DFA4DD48ADE77B9FB48301F10812AF516B72A0DB789985CF58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043F1BE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043F205
                                              • __vbaStrCat.MSVBVM60(MBSS Light,SPFX:Preview ,?,?,?,?,00408966), ref: 0043F21C
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 0043F227
                                              • __vbaStrCat.MSVBVM60(0041314C,00000000,?,?,?,?,00408966), ref: 0043F233
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 0043F23E
                                              • __vbaStrCat.MSVBVM60(4.3,00000000,?,?,?,?,00408966), ref: 0043F24A
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 0043F255
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415CAC,00000054), ref: 0043F282
                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043F2A2
                                              • __vbaCastObj.MSVBVM60(?,00415D18,?,?,?,00408966), ref: 0043F2BB
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00408966), ref: 0043F2C6
                                              • __vbaFreeObj.MSVBVM60(?,000000FF,?,?,?,00408966), ref: 0043F2DA
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00408966), ref: 0043F2FB
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,000001C0), ref: 0043F334
                                              • __vbaFreeObj.MSVBVM60 ref: 0043F352
                                              • __vbaSetSystemError.MSVBVM60(00000000,000000FC,004D6A00), ref: 0043F374
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043F39E
                                              • __vbaFreeObj.MSVBVM60(?), ref: 0043F3B0
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0043F3D0
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043F3F1
                                                • Part of subcall function 004D5FC0: __vbaChkstk.MSVBVM60(00000000,00408966), ref: 004D5FDE
                                                • Part of subcall function 004D5FC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004D600E
                                              • __vbaFreeObj.MSVBVM60(?), ref: 0043F403
                                              • __vbaEnd.MSVBVM60 ref: 0043F410
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Error$Move$CheckChkstkHresultSystem$CastList
                                              • String ID: 4.3$MBSS Light$SPFX:Preview
                                              • API String ID: 810922468-2184729824
                                              • Opcode ID: 656154039a254933b0cf34e1dbbc98444fe54d060d934766809e428fa3e5acfa
                                              • Instruction ID: 67b3ccec138184e8f97646ac615ec26975f2aad41d05015dfb03fa6278019636
                                              • Opcode Fuzzy Hash: 656154039a254933b0cf34e1dbbc98444fe54d060d934766809e428fa3e5acfa
                                              • Instruction Fuzzy Hash: 35810F75910248EFDB04DFA4DA88EDE7BB4FF48305F208169F516A72A0DB749A44CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004DE54E
                                              • __vbaStrCopy.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE57B
                                              • __vbaStrCopy.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE587
                                              • __vbaVarDup.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE593
                                              • __vbaStrCopy.MSVBVM60(?,00000001,?,?,00408966), ref: 004DE59F
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,?,00408966), ref: 004DE5AE
                                              • __vbaChkstk.MSVBVM60(?,?,?,00000001,?,?,00408966), ref: 004DE5C8
                                                • Part of subcall function 004B6900: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,004DE375,?,?), ref: 004B691E
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(00000000,6C2ED83C,?,?,00408966), ref: 004B694B
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B6957
                                                • Part of subcall function 004B6900: __vbaVarDup.MSVBVM60(?,?,00408966), ref: 004B6963
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B696F
                                                • Part of subcall function 004B6900: __vbaOnError.MSVBVM60(000000FF,?,?,00408966), ref: 004B697E
                                                • Part of subcall function 004B6900: __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B6A08
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A13
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,0000003F,?), ref: 004B6A31
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A3C
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B6A48
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A53
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(?,00000000), ref: 004B6A5E
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A69
                                                • Part of subcall function 004B6900: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B6A74
                                                • Part of subcall function 004B6900: __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 004B6A8A
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000001,?,?,00408966), ref: 004DE5F8
                                              • __vbaVarDup.MSVBVM60 ref: 004DE619
                                              • #561.MSVBVM60(?), ref: 004DE623
                                              • __vbaFreeVar.MSVBVM60 ref: 004DE630
                                              • __vbaInStr.MSVBVM60(00000000,00415A24,?,00000001), ref: 004DE652
                                              • #581.MSVBVM60(?), ref: 004DE667
                                              • __vbaStrR8.MSVBVM60(?,00408966), ref: 004DE673
                                              • __vbaStrMove.MSVBVM60 ref: 004DE67E
                                              • #561.MSVBVM60(00004008), ref: 004DE69C
                                              • __vbaR4Str.MSVBVM60(?), ref: 004DE6B4
                                              • __vbaR4Var.MSVBVM60(?), ref: 004DE6CA
                                              • __vbaFreeStr.MSVBVM60(004DE713), ref: 004DE6E8
                                              • __vbaFreeVar.MSVBVM60 ref: 004DE6F1
                                              • __vbaFreeStr.MSVBVM60 ref: 004DE6FA
                                              • __vbaFreeStr.MSVBVM60 ref: 004DE703
                                              • __vbaFreeStr.MSVBVM60 ref: 004DE70C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Copy$FreeMove$ChkstkError$#561$#581AnsiSystem
                                              • String ID: 0,5
                                              • API String ID: 82570216-3030946575
                                              • Opcode ID: e39ddde03c0c0a819045c77e3ad830a381c04d60d42d8d56a381a14320bed804
                                              • Instruction ID: d69be7daf068dac2ac4cafb88b9aa9ce2496561c701cfc7d3dfca5df3823be5f
                                              • Opcode Fuzzy Hash: e39ddde03c0c0a819045c77e3ad830a381c04d60d42d8d56a381a14320bed804
                                              • Instruction Fuzzy Hash: BB51F874901209EFDB04EF94DA98ADDBBB4FF08705F108169F506BB2A0DB789A49CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966), ref: 004DE3EE
                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE41B
                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE427
                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE433
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004DE442
                                              • __vbaChkstk.MSVBVM60(004088C0,?), ref: 004DE469
                                                • Part of subcall function 004B6900: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,004DE375,?,?), ref: 004B691E
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(00000000,6C2ED83C,?,?,00408966), ref: 004B694B
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B6957
                                                • Part of subcall function 004B6900: __vbaVarDup.MSVBVM60(?,?,00408966), ref: 004B6963
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B696F
                                                • Part of subcall function 004B6900: __vbaOnError.MSVBVM60(000000FF,?,?,00408966), ref: 004B697E
                                                • Part of subcall function 004B6900: __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B6A08
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A13
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,0000003F,?), ref: 004B6A31
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A3C
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B6A48
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A53
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(?,00000000), ref: 004B6A5E
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A69
                                                • Part of subcall function 004B6900: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B6A74
                                                • Part of subcall function 004B6900: __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 004B6A8A
                                              • __vbaStrMove.MSVBVM60(?,?,004088C0,?), ref: 004DE499
                                              • #561.MSVBVM60(00004008), ref: 004DE4B7
                                              • __vbaI4Str.MSVBVM60(?), ref: 004DE4CF
                                              • __vbaFreeStr.MSVBVM60(004DE511), ref: 004DE4EF
                                              • __vbaFreeStr.MSVBVM60 ref: 004DE4F8
                                              • __vbaFreeStr.MSVBVM60 ref: 004DE501
                                              • __vbaFreeStr.MSVBVM60 ref: 004DE50A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Copy$Move$Free$ChkstkError$#561AnsiSystem
                                              • String ID:
                                              • API String ID: 2900919615-0
                                              • Opcode ID: 4415b1c8261b7f9955c3f6ff4f2a1324b5b58367841d77f2c71ec6806cacafe3
                                              • Instruction ID: 6f2d1769d4261cc5711abde2481cb903cb468a89f9a7bc07304ace78980308df
                                              • Opcode Fuzzy Hash: 4415b1c8261b7f9955c3f6ff4f2a1324b5b58367841d77f2c71ec6806cacafe3
                                              • Instruction Fuzzy Hash: B841D6B5901209EFDB04DF94DA98ADEBBB4FF48345F208169F405B72A0DB74AA05CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • __vbaStrCopy.MSVBVM60(00000000,6C2ED83C,?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE326
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE32E
                                              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE336
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE342
                                                • Part of subcall function 004B6900: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,004DE375,?,?), ref: 004B691E
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(00000000,6C2ED83C,?,?,00408966), ref: 004B694B
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B6957
                                                • Part of subcall function 004B6900: __vbaVarDup.MSVBVM60(?,?,00408966), ref: 004B6963
                                                • Part of subcall function 004B6900: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B696F
                                                • Part of subcall function 004B6900: __vbaOnError.MSVBVM60(000000FF,?,?,00408966), ref: 004B697E
                                                • Part of subcall function 004B6900: __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B6A08
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A13
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,0000003F,?), ref: 004B6A31
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A3C
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B6A48
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A53
                                                • Part of subcall function 004B6900: __vbaStrCat.MSVBVM60(?,00000000), ref: 004B6A5E
                                                • Part of subcall function 004B6900: __vbaStrMove.MSVBVM60 ref: 004B6A69
                                                • Part of subcall function 004B6900: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B6A74
                                                • Part of subcall function 004B6900: __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 004B6A8A
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE37A
                                              • __vbaFreeStr.MSVBVM60(004DE3B0,?,?,?,?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE39A
                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE39F
                                              • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE3A8
                                              • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00408966,?), ref: 004DE3AD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Copy$Move$Free$Error$AnsiChkstkSystem
                                              • String ID:
                                              • API String ID: 1177333359-0
                                              • Opcode ID: 7f19872500fb86089f0e8f6834f9ba11d7d428a18efbacee04964374702a4c87
                                              • Instruction ID: 6e82d56e700dfa0335f0b54f073b0fb8700b0090575e210b632acd151d219f6b
                                              • Opcode Fuzzy Hash: 7f19872500fb86089f0e8f6834f9ba11d7d428a18efbacee04964374702a4c87
                                              • Instruction Fuzzy Hash: 7421A8B1D002199FCB04DFA8D9959EEBBB4FB48704F10816AE805B7254EB34AE45CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1191 4b6da0-4b6e1e __vbaChkstk __vbaOnError #598 1192 4b6e2f-4b6e68 call 414620 __vbaSetSystemError 1191->1192 1193 4b6e20-4b6e2d 1191->1193 1194 4b6e89-4b6e9d 1192->1194 1197 4b6e6a-4b6e71 1192->1197 1193->1194 1197->1194 1198 4b6e73-4b6e7e call 414660 1197->1198 1200 4b6e83 Sleep 1198->1200 1200->1194
                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,004B7140,?,00000000,?,00000000,00408966), ref: 004B6DBE
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966,004B7140), ref: 004B6DEE
                                              • #598.MSVBVM60(?,00000000), ref: 004B6E08
                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004B6E3E
                                              • Sleep.KERNELBASE(000003E8), ref: 004B6E83
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$#598ChkstkSleepSystem
                                              • String ID:
                                              • API String ID: 1776468943-0
                                              • Opcode ID: f5f0b1563a0ce05b9cee35d72f4b3f1826df7137d4fbebadda607bbe29f0b22d
                                              • Instruction ID: 2463b8dfb435664bd89197df57941937cd4cc9d6c3adfa9cc858bdd407c0563c
                                              • Opcode Fuzzy Hash: f5f0b1563a0ce05b9cee35d72f4b3f1826df7137d4fbebadda607bbe29f0b22d
                                              • Instruction Fuzzy Hash: AA2119B4D01248DBDB00DFA9DA487DEBBF4EB48718F10816AD505B7290D7B94A84CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1201 4b70e0-4b7152 __vbaChkstk __vbaOnError call 4b6da0 1204 4b7192-4b71a6 1201->1204 1205 4b7154-4b7173 call 414318 __vbaSetSystemError 1201->1205 1205->1204 1208 4b7175-4b718c 1205->1208 1208->1204
                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,004A2EDE,000000FF,000000FF), ref: 004B70FE
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966), ref: 004B712E
                                                • Part of subcall function 004B6DA0: __vbaChkstk.MSVBVM60(00000000,00408966,004B7140,?,00000000,?,00000000,00408966), ref: 004B6DBE
                                                • Part of subcall function 004B6DA0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966,004B7140), ref: 004B6DEE
                                                • Part of subcall function 004B6DA0: #598.MSVBVM60(?,00000000), ref: 004B6E08
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,00408966), ref: 004B7169
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$Chkstk$#598System
                                              • String ID:
                                              • API String ID: 949847696-0
                                              • Opcode ID: 0516d5bfb75c22701d3e2275158cf8835d1fd0555a8f64fe2c6e4b5c0b9b49e2
                                              • Instruction ID: 6f8c7a0009acf6b88240a2faa11b0c9a8a4f9b4bad2ec61f8caeb284e410186b
                                              • Opcode Fuzzy Hash: 0516d5bfb75c22701d3e2275158cf8835d1fd0555a8f64fe2c6e4b5c0b9b49e2
                                              • Instruction Fuzzy Hash: 31116AB0901248DBDB10EF98CA497DEBBF4FB04718F2041AAE4047B391D3B90E45CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: #100
                                              • String ID: VB5!6&*
                                              • API String ID: 1341478452-3593831657
                                              • Opcode ID: 6d4b7862d1ae01a45cdb961d1c44425919a8d691720e9ef780eb1fd268f23291
                                              • Instruction ID: 543305a5b2a0f9272d71e0dc4c66cf2ea421c0b742cc11b770e3baa07522392b
                                              • Opcode Fuzzy Hash: 6d4b7862d1ae01a45cdb961d1c44425919a8d691720e9ef780eb1fd268f23291
                                              • Instruction Fuzzy Hash: E5E0BD5206E3C10ED70322B458296612FB49E53610B1B15EBC0C0DE0E3D9580889D366
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966), ref: 004D5FDE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004D600E
                                                • Part of subcall function 004AB8B0: __vbaChkstk.MSVBVM60(?,00408966,00000000,?,?,?,00000000,00408966), ref: 004AB8CE
                                                • Part of subcall function 004AB8B0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,00000000), ref: 004AB8FE
                                                • Part of subcall function 004AB8B0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000048), ref: 004AB9FB
                                                • Part of subcall function 004AB8B0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000190), ref: 004ABA60
                                                • Part of subcall function 004AB8B0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000048), ref: 004ABABD
                                                • Part of subcall function 00495F20: __vbaChkstk.MSVBVM60(00000000,00408966,00000000,?,?,?,00000000,00408966), ref: 00495F3E
                                                • Part of subcall function 00495F20: __vbaOnError.MSVBVM60(00000001,?,?,?,00000000,00408966,00000000), ref: 00495F6E
                                                • Part of subcall function 00495F20: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,00408966,00000000), ref: 00495FDA
                                                • Part of subcall function 00495F20: __vbaSetSystemError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 00495FEE
                                                • Part of subcall function 00495F20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 00496013
                                                • Part of subcall function 00495F20: __vbaChkstk.MSVBVM60(00000001,Light,General,UseCountPreview,00000001,Light,General,UseCountPreview,00000000,00000001,Light), ref: 00496216
                                                • Part of subcall function 004D60B0: __vbaAryDestruct.MSVBVM60(00000000,?,004D69E1,00000000,3F800000,Advanced,Adv_SpfxCycle,00000000), ref: 004D69D1
                                                • Part of subcall function 004D60B0: __vbaFreeStr.MSVBVM60 ref: 004D69DA
                                                • Part of subcall function 004A1D90: __vbaChkstk.MSVBVM60(00000000,00408966,00000000,?,?,?,00000000,00408966), ref: 004A1DAE
                                                • Part of subcall function 004A1D90: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 004A1DDE
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,0000000A,0000270F,00000000,0000000A,000003E7,CyclePropsSetMinMaxRange,?,?,?,00000000,00408966,00000000), ref: 004A1E49
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000000,00000168,00000000,00000000,461C3C00,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1EA1
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1ED9
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F11
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F49
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$Chkstk$CheckHresult$System$DestructFree
                                              • String ID:
                                              • API String ID: 4188285948-0
                                              • Opcode ID: 19e8660a5ab892d2f2aee7f15471edf7b9827cc392ce18b736a5d8562977889c
                                              • Instruction ID: ee8601acb2796c801dfa38cbe159b1e73cd400eeb1ac6d40c6b38e1dc9f89c93
                                              • Opcode Fuzzy Hash: 19e8660a5ab892d2f2aee7f15471edf7b9827cc392ce18b736a5d8562977889c
                                              • Instruction Fuzzy Hash: 851160B1901248EBEB10EF95DA0979EBBB4EB00718F20816EE5147B3C1C7BD1A049B99
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0047B10E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0047B155
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 0047B176
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 0047B1C4
                                              • #519.MSVBVM60(?), ref: 0047B1E0
                                              • __vbaStrMove.MSVBVM60 ref: 0047B1EB
                                              • #517.MSVBVM60(00000000), ref: 0047B1F2
                                              • __vbaStrMove.MSVBVM60 ref: 0047B1FD
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0047B20D
                                              • __vbaFreeObj.MSVBVM60(?,?,00408966), ref: 0047B219
                                              • #712.MSVBVM60(?,0041B3D4,004130C8,00000001,000000FF,00000000,?,?,00408966), ref: 0047B23A
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 0047B245
                                              • #517.MSVBVM60(?,?,?,?,00408966), ref: 0047B25D
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 0047B268
                                              • __vbaStrCmp.MSVBVM60(00000000,?,?,00408966), ref: 0047B26F
                                              • __vbaFreeStr.MSVBVM60(?,?,00408966), ref: 0047B286
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0047B2CC
                                              • __vbaVarDup.MSVBVM60(General,RegMathM3,00000001,Light), ref: 0047B330
                                              • __vbaStrCat.MSVBVM60( has been properly registered.,MBSS Light), ref: 0047B340
                                              • #595.MSVBVM60(00000008,00000040,?,0000000A,0000000A), ref: 0047B362
                                              • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,0000000A,0000000A), ref: 0047B37A
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,?,?,?,?,00408966), ref: 0047B39D
                                              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0047B3CF
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000010), ref: 0047B40E
                                              • __vbaFreeObj.MSVBVM60 ref: 0047B429
                                              • #517.MSVBVM60(MBSS201030,?,?,?,00408966), ref: 0047B444
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 0047B44F
                                              • __vbaStrCmp.MSVBVM60(00000000,?,?,00408966), ref: 0047B456
                                              • #517.MSVBVM60(MBSS01201030,?,?,?,00408966), ref: 0047B46E
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 0047B479
                                              • __vbaStrCmp.MSVBVM60(00000000,?,?,00408966), ref: 0047B480
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00408966), ref: 0047B4A1
                                              • __vbaChkstk.MSVBVM60(00000001,MBSS_ALL), ref: 0047B4EA
                                                • Part of subcall function 004B5DC0: __vbaChkstk.MSVBVM60(?,00408966), ref: 004B5DDE
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E0B
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E17
                                                • Part of subcall function 004B5DC0: __vbaVarDup.MSVBVM60(?,?,?,?,00408966), ref: 004B5E23
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E2F
                                                • Part of subcall function 004B5DC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004B5E3E
                                                • Part of subcall function 004B5DC0: __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B5ED5
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5EE0
                                                • Part of subcall function 004B5DC0: #519.MSVBVM60(00000000), ref: 004B5EE7
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5EF2
                                                • Part of subcall function 004B5DC0: __vbaFreeStr.MSVBVM60 ref: 004B5EFB
                                                • Part of subcall function 004B5DC0: __vbaStrToAnsi.MSVBVM60(?,REG_SZ,00000000,0000003F,004E038C,?,?), ref: 004B5F22
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,00000000), ref: 004B5F34
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F3F
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B5F4B
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F56
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(?,00000000), ref: 004B5F61
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F6C
                                                • Part of subcall function 004B5DC0: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B5F77
                                              • __vbaVarDup.MSVBVM60(General,RegMathM3,00000001,MBSS_ALL), ref: 0047B557
                                              • __vbaVarDup.MSVBVM60 ref: 0047B571
                                              • #595.MSVBVM60(?,00000040,?,0000000A,0000000A), ref: 0047B589
                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,0000000A,0000000A), ref: 0047B5A1
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490), ref: 0047B5C4
                                              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0047B5F6
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000010), ref: 0047B635
                                              • __vbaFreeObj.MSVBVM60 ref: 0047B650
                                              • __vbaVarDup.MSVBVM60 ref: 0047B69B
                                              • __vbaVarDup.MSVBVM60 ref: 0047B6B5
                                              • #595.MSVBVM60(?,00000040,?,0000000A,0000000A), ref: 0047B6CD
                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,0000000A,0000000A), ref: 0047B6E5
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047B709
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,00000204), ref: 0047B753
                                              • __vbaFreeObj.MSVBVM60 ref: 0047B76E
                                              • __vbaFreeStr.MSVBVM60(0047B7C4), ref: 0047B7BD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$List$#517CheckChkstkCopyHresult$#595$#519AddrefAnsiErrorNew2$#712
                                              • String ID: 5A$ has been properly registered.$All of the MBSS Products have been properly registered.$General$License Validation$Light$MBSS Light$MBSS01201030$MBSS201030$MBSS83EREIAMJH$MBSS_ALL$RegMathM3$That is not the correct License Key.
                                              • API String ID: 3985647081-891164886
                                              • Opcode ID: c3d61ee750afccdcdd7737e6ac66e7d9b183579ccc24bfa460ff8ca7b0ff1add
                                              • Instruction ID: 7ce3853ff8a7ffc77db2dcfe430169511b3ea2065bc489b96c7fd3ce127af371
                                              • Opcode Fuzzy Hash: c3d61ee750afccdcdd7737e6ac66e7d9b183579ccc24bfa460ff8ca7b0ff1add
                                              • Instruction Fuzzy Hash: E61229B1900218DFDB14DFA4CD88BDDBBB5FB48304F108199E60ABB2A1DB745A84CF55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,00442A3F,?,00000000), ref: 004D710E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004D713E
                                              • __vbaChkstk.MSVBVM60 ref: 004D715F
                                              • __vbaLateMemSt.MSVBVM60(?,Enabled), ref: 004D7188
                                              • __vbaFreeVar.MSVBVM60 ref: 004D7191
                                              • __vbaLateMemCallLd.MSVBVM60(?,?,Parent,00000000), ref: 004D71AF
                                              • __vbaVarZero.MSVBVM60(?,?,00000000,00408966), ref: 004D71C0
                                              • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Controls,00000000,Count,00000000), ref: 004D7200
                                              • __vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,00408966), ref: 004D720E
                                              • __vbaVarSub.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00408966), ref: 004D7220
                                              • __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00408966), ref: 004D7227
                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D724E
                                              • #685.MSVBVM60 ref: 004D727B
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004D7286
                                              • __vbaFreeObj.MSVBVM60 ref: 004D72A7
                                              • __vbaChkstk.MSVBVM60 ref: 004D72D3
                                              • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Controls,00000001), ref: 004D7303
                                              • #591.MSVBVM60(00000000), ref: 004D730D
                                              • __vbaStrMove.MSVBVM60 ref: 004D7318
                                              • __vbaStrCmp.MSVBVM60(Line,00000000), ref: 004D7324
                                              • __vbaChkstk.MSVBVM60 ref: 004D7339
                                              • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Controls,00000001), ref: 004D7369
                                              • #591.MSVBVM60(00000000), ref: 004D7373
                                              • __vbaStrMove.MSVBVM60 ref: 004D737E
                                              • __vbaStrCmp.MSVBVM60(Menu,00000000), ref: 004D738A
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004D73AC
                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D73BF
                                              • __vbaChkstk.MSVBVM60(Container,00000000,?), ref: 004D73FD
                                              • __vbaVarLateMemCallLdRf.MSVBVM60(?,00000000,Controls,00000001,Container,00000000,?), ref: 004D742D
                                              • __vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004D743B
                                              • __vbaUnkVar.MSVBVM60(00000000), ref: 004D7445
                                              • __vbaObjIs.MSVBVM60(00000000), ref: 004D744C
                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004D7463
                                              • #685.MSVBVM60 ref: 004D7482
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004D748D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415A10,0000001C), ref: 004D74D8
                                              • __vbaFreeObj.MSVBVM60 ref: 004D7508
                                              • __vbaChkstk.MSVBVM60 ref: 004D7545
                                              • __vbaChkstk.MSVBVM60(Enabled), ref: 004D756D
                                              • __vbaVarLateMemCallLdRf.MSVBVM60(?,?,Controls,00000001,Enabled), ref: 004D759D
                                              • __vbaVarLateMemSt.MSVBVM60(00000000), ref: 004D75A7
                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000B,?), ref: 004D75B7
                                              • __vbaChkstk.MSVBVM60(0041799C), ref: 004D75DE
                                              • __vbaVarLateMemCallLd.MSVBVM60(?,?,Controls,00000001,0041799C), ref: 004D760E
                                              • __vbaCheckTypeVar.MSVBVM60(00000000), ref: 004D7618
                                              • __vbaFreeVar.MSVBVM60 ref: 004D7628
                                              • __vbaChkstk.MSVBVM60 ref: 004D7656
                                              • __vbaVarLateMemCallLd.MSVBVM60(?,?,Controls,00000001), ref: 004D7686
                                              • __vbaCastObjVar.MSVBVM60(?,004170E0), ref: 004D7698
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004D76A3
                                              • __vbaFreeObj.MSVBVM60(?,00000000), ref: 004D76BC
                                              • __vbaFreeVar.MSVBVM60 ref: 004D76C5
                                              • __vbaFreeVar.MSVBVM60(004D7730), ref: 004D7729
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$FreeLate$Call$Chkstk$List$#591#685CheckMove$CastErrorHresultTypeZero
                                              • String ID: Container$Controls$Count$Enabled$Line$Menu$Parent
                                              • API String ID: 1154293800-33550366
                                              • Opcode ID: fc45be9891b7bc221095f9cbe9108b73b2bfc028dbf6585548a2a3c002dce11e
                                              • Instruction ID: e370a7dca09341451d1f61af4c578f58a83a05ee3e414fba0189c8d6888881e6
                                              • Opcode Fuzzy Hash: fc45be9891b7bc221095f9cbe9108b73b2bfc028dbf6585548a2a3c002dce11e
                                              • Instruction Fuzzy Hash: 56022674900218DFDB14CFA4DD88BAEBBB4FF48704F1081AAE509BB2A1DB749A45CF55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0045357E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004535AE
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004535CF
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000000F0), ref: 00453608
                                              • __vbaFreeObj.MSVBVM60 ref: 00453625
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00453940
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417B14,0000009C), ref: 00453982
                                              • __vbaFreeObj.MSVBVM60 ref: 0045399D
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004539BE
                                              • __vbaStrCat.MSVBVM60(00416C88,Non-Registered Product), ref: 004539D1
                                              • __vbaStrMove.MSVBVM60 ref: 004539DC
                                              • __vbaStrCat.MSVBVM60(Maximum Frames = ,00000000), ref: 004539E8
                                              • __vbaStrMove.MSVBVM60 ref: 004539F3
                                              • __vbaStrI4.MSVBVM60(00000168,00000000), ref: 004539FF
                                              • __vbaStrMove.MSVBVM60 ref: 00453A0A
                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00453A11
                                              • __vbaStrMove.MSVBVM60 ref: 00453A1C
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417B14,00000054), ref: 00453A49
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move$CheckHresult$Free$ChkstkError
                                              • String ID: Maximum Frames = $Non-Registered Product$Total Frames:
                                              • API String ID: 1522171417-1085494147
                                              • Opcode ID: cb4820c1cf6f12bc9cbc30a3acb5a99fa5629202d8aba61e8b769089c0512621
                                              • Instruction ID: adc4a0615db4791cc4d5dd9c9858be92e300463539b2bee9648867a6ee5f7da3
                                              • Opcode Fuzzy Hash: cb4820c1cf6f12bc9cbc30a3acb5a99fa5629202d8aba61e8b769089c0512621
                                              • Instruction Fuzzy Hash: 1A12F8B5900208EFDB04DFE4D948BEEBBB4FF48301F108569E546AB265DB749A48CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaVarDup.MSVBVM60(?,00000001), ref: 004AEE47
                                              • __vbaStrCat.MSVBVM60(00416C88,You must be running in High Color (16 bits) or True Color (24 or 32 bits) mode.,?,00000001), ref: 004AEE5D
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEE6A
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEE72
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEE79
                                              • __vbaStrCat.MSVBVM60(You can change your Color Settings by following these steps:,00000000,?,00000001), ref: 004AEE81
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEE88
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEE90
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEE97
                                              • __vbaStrCat.MSVBVM60(1. Click the Windows Start button.,00000000,?,00000001), ref: 004AEE9F
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEEA6
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEEAE
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEEB5
                                              • __vbaStrCat.MSVBVM60(2. Choose the Settings menu.,00000000,?,00000001), ref: 004AEEBD
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEEC4
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEECC
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEED3
                                              • __vbaStrCat.MSVBVM60(3. Choose the Control Panel sub-menu.,00000000,?,00000001), ref: 004AEEDB
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEEE2
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEEEA
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEEF1
                                              • __vbaStrCat.MSVBVM60(4. Double-click the Display icon in the Control Panel window.,00000000,?,00000001), ref: 004AEEF9
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEF00
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEF08
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEF0F
                                              • __vbaStrCat.MSVBVM60(5. Click the Settings tab on the Display Properties window.,00000000,?,00000001), ref: 004AEF17
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEF1E
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000,?,00000001), ref: 004AEF26
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004AEF2D
                                              Strings
                                              • 1. Click the Windows Start button., xrefs: 004AEE9A
                                              • 7. Click the OK button to change the Color Settings., xrefs: 004AEF4E
                                              • MBSS Light, xrefs: 004AEE33
                                              • You must be running in High Color (16 bits) or True Color (24 or 32 bits) mode., xrefs: 004AEE53
                                              • 6. Choose High Color or True Color from the Colors dropdown., xrefs: 004AEF30
                                              • You can change your Color Settings by following these steps:, xrefs: 004AEE7C
                                              • 3. Choose the Control Panel sub-menu., xrefs: 004AEED6
                                              • 4. Double-click the Display icon in the Control Panel window., xrefs: 004AEEF4
                                              • 5. Click the Settings tab on the Display Properties window., xrefs: 004AEF12
                                              • 2. Choose the Settings menu., xrefs: 004AEEB8
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move
                                              • String ID: 1. Click the Windows Start button.$2. Choose the Settings menu.$3. Choose the Control Panel sub-menu.$4. Double-click the Display icon in the Control Panel window.$5. Click the Settings tab on the Display Properties window.$6. Choose High Color or True Color from the Colors dropdown.$7. Click the OK button to change the Color Settings.$MBSS Light$You can change your Color Settings by following these steps:$You must be running in High Color (16 bits) or True Color (24 or 32 bits) mode.
                                              • API String ID: 3922324654-742604537
                                              • Opcode ID: 5ef88aa684f92f88488642b801fe4b3cf5b060145f265fa4fb447ee0259475a0
                                              • Instruction ID: bdb6c5d05abab5d9dfd2723ec57953fb0129ee6e38ac4544dd9fb7e1ace6ec47
                                              • Opcode Fuzzy Hash: 5ef88aa684f92f88488642b801fe4b3cf5b060145f265fa4fb447ee0259475a0
                                              • Instruction Fuzzy Hash: 02810FB1D4021CAADB11DFE5DD81EEFBBB8FF88700F21416BE106A2140EA745A45CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043E8CE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043E915
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0043E92A
                                                • Part of subcall function 004B39E0: __vbaChkstk.MSVBVM60(00000000,00408966,General\Template,?,?,?,?,00408966), ref: 004B39FE
                                                • Part of subcall function 004B39E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966,General\Template), ref: 004B3A2B
                                                • Part of subcall function 004B39E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,General\Template), ref: 004B3A3A
                                                • Part of subcall function 004B39E0: __vbaFreeStr.MSVBVM60(004B3F68), ref: 004B3F58
                                                • Part of subcall function 004B39E0: __vbaFreeStr.MSVBVM60 ref: 004B3F61
                                              • __vbaFreeObj.MSVBVM60(?,General\Template,?,?,?,?,00408966), ref: 0043E941
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0043E962
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,00000080), ref: 0043E9B3
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041375C,00000088), ref: 0043EA07
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041375C,00000108), ref: 0043EA5B
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043EA87
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,00000070), ref: 0043EAD2
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041375C,0000008C), ref: 0043EB5A
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043EB7C
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041375C,00000054), ref: 0043EBC2
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0043EBFB
                                              • __vbaStrMove.MSVBVM60(Template,Path_Drive,00000001,Light), ref: 0043EC2D
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0043EC54
                                              • __vbaStrMove.MSVBVM60(Template,Path_Dir,00000001,Light), ref: 0043EC86
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043ECA7
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043ECC7
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004159A4,000000A8), ref: 0043ED15
                                              • __vbaLenBstr.MSVBVM60(?), ref: 0043ED61
                                              • #681.MSVBVM60(?,00000003,00004008,00000008), ref: 0043ED84
                                              • __vbaStrVarVal.MSVBVM60(?,?), ref: 0043ED92
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004159A4,000000AC), ref: 0043EDD7
                                              • __vbaFreeStr.MSVBVM60 ref: 0043EDF2
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043EE02
                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0043EE19
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00408966), ref: 0043EE3D
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00408966), ref: 0043EE5D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415640,000000A8), ref: 0043EEAB
                                              • __vbaLenBstr.MSVBVM60(?), ref: 0043EEF7
                                              • #681.MSVBVM60(?,00000003,00004008,00000008), ref: 0043EF1A
                                              • __vbaStrVarVal.MSVBVM60(?,?), ref: 0043EF28
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415640,000000AC), ref: 0043EF6D
                                              • __vbaFreeStr.MSVBVM60 ref: 0043EF88
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043EF98
                                              • __vbaFreeVarList.MSVBVM60(00000003,00000003,?,?), ref: 0043EFAF
                                              • __vbaFreeStr.MSVBVM60(0043F02E), ref: 0043F01E
                                              • __vbaFreeStr.MSVBVM60 ref: 0043F027
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$CheckHresult$List$Chkstk$#681BstrErrorMove$AddrefCopy
                                              • String ID: General\Template$Light$Path_Dir$Path_Drive$Template
                                              • API String ID: 578669600-991487239
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,?,?,?,004D7986,?,?), ref: 004B483E
                                              • __vbaStrCopy.MSVBVM60(6C2ED8B1,00000000,?,?,00408966), ref: 004B486B
                                              • __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B4877
                                              • __vbaVarDup.MSVBVM60(?,?,00408966), ref: 004B4883
                                              • __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B488F
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,00408966), ref: 004B489E
                                              • __vbaStrErrVarCopy.MSVBVM60(?,?,?,00408966), ref: 004B48AF
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 004B48BA
                                              • __vbaStrCmp.MSVBVM60(00000000,?), ref: 004B48F4
                                              • #681.MSVBVM60(?,0000000B,00004008,00004008), ref: 004B492B
                                              • __vbaStrVarMove.MSVBVM60(?), ref: 004B4935
                                              • __vbaStrMove.MSVBVM60 ref: 004B4940
                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000B,?), ref: 004B4953
                                              • __vbaLenBstr.MSVBVM60(00000000,?,?,00408966), ref: 004B496A
                                              • #648.MSVBVM60(0000000A), ref: 004B4991
                                              • __vbaFreeVar.MSVBVM60 ref: 004B499E
                                              • __vbaFileOpen.MSVBVM60(00000001,000000FF,?,?), ref: 004B49BA
                                              • #570.MSVBVM60(?), ref: 004B49CE
                                              • #621.MSVBVM60(0000000A,?,?), ref: 004B49EC
                                              • __vbaVarCat.MSVBVM60(?,00000008,0000000A), ref: 004B4A15
                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004B4A1C
                                              • __vbaStrMove.MSVBVM60 ref: 004B4A29
                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,?), ref: 004B4A39
                                              • __vbaFileClose.MSVBVM60(?,?,?,?,?,?,00408966), ref: 004B4A50
                                              • __vbaStrCat.MSVBVM60(?,0042C788,00000000,00000001,?,?,00408966), ref: 004B4A6E
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 004B4A79
                                              • __vbaStrCat.MSVBVM60(0042C790,00000000,?,?,00408966), ref: 004B4A85
                                              • __vbaStrMove.MSVBVM60(?,?,00408966), ref: 004B4A90
                                              • __vbaInStr.MSVBVM60(00000000,00000000,?,?,00408966), ref: 004B4A99
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00408966), ref: 004B4AAC
                                              • __vbaInStr.MSVBVM60(00000000,0042C788,00000000,-00000001), ref: 004B4AE2
                                              • #631.MSVBVM60(00000000,00000000,00000003), ref: 004B4B04
                                              • __vbaStrMove.MSVBVM60 ref: 004B4B0F
                                              • __vbaFreeVar.MSVBVM60 ref: 004B4B18
                                              • __vbaStrCat.MSVBVM60(0042C798,?,?,00000001), ref: 004B4B34
                                              • __vbaStrMove.MSVBVM60 ref: 004B4B3F
                                              • __vbaInStr.MSVBVM60(00000000,00000000), ref: 004B4B48
                                              • __vbaFreeStr.MSVBVM60 ref: 004B4B54
                                              • __vbaStrCat.MSVBVM60(0042C798,?), ref: 004B4B7B
                                              • __vbaStrMove.MSVBVM60 ref: 004B4B86
                                              • __vbaLenBstr.MSVBVM60(00000000), ref: 004B4B8D
                                              • __vbaFreeStr.MSVBVM60 ref: 004B4B9E
                                              • __vbaInStr.MSVBVM60(00000000,00416C88,?,00000000), ref: 004B4BBA
                                              • #631.MSVBVM60(?,00000000,00000003), ref: 004B4BF3
                                              • __vbaStrMove.MSVBVM60 ref: 004B4BFE
                                              • __vbaFreeVar.MSVBVM60 ref: 004B4C07
                                              • __vbaFreeVar.MSVBVM60(004B4C7C), ref: 004B4C51
                                              • __vbaFreeStr.MSVBVM60 ref: 004B4C5A
                                              • __vbaFreeStr.MSVBVM60 ref: 004B4C63
                                              • __vbaFreeStr.MSVBVM60 ref: 004B4C6C
                                              • __vbaFreeStr.MSVBVM60 ref: 004B4C75
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$Copy$List$#631BstrFile$#570#621#648#681ChkstkCloseErrorOpen
                                              • String ID:
                                              • API String ID: 1051936162-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0049DC7E
                                              • __vbaAryConstruct2.MSVBVM60(?,00423338,00000008,?,?,?,?,00408966), ref: 0049DCB0
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0049DCBF
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DCD4
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DCEC
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DD0A
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DD29
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DD48
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DD67
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DD86
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DDA5
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DDC4
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DDE3
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DE02
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DE21
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DE40
                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 0049DE5F
                                              • __vbaNew2.MSVBVM60(0040C57C,004E0710,?,?,?,?,00408966), ref: 0049DE7F
                                              • __vbaChkstk.MSVBVM60 ref: 0049DEAF
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041DD00,000006F8), ref: 0049DEF9
                                              • __vbaNew2.MSVBVM60(0040C57C,004E0710), ref: 0049DF2B
                                              • __vbaChkstk.MSVBVM60 ref: 0049DF73
                                              • __vbaChkstk.MSVBVM60 ref: 0049DF96
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041DCD0,000002B0), ref: 0049DFE0
                                              • __vbaCastObj.MSVBVM60(00000000,0041DD00), ref: 0049E006
                                              • __vbaObjSet.MSVBVM60(004E0710,00000000), ref: 0049E012
                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0049E030), ref: 0049E029
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Copy$Chkstk$CheckHresultNew2$CastConstruct2DestructError
                                              • String ID: - Foley & Van Dam$ - P. D. Grengs II$ > Fund. of Comp. Graphics$ > Original Matrix World Motion$ B-Splines, World Rotation$ Patrick D. Grengs II$ This product is dedicated to$ and Perspective Transforms:$ the memory of my parents. $Algorithms:$Dedication:$Software Engineer:
                                              • API String ID: 219166785-3157990599
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0048EC1E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0048EC65
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966), ref: 004DE3EE
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE41B
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE427
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE433
                                                • Part of subcall function 004DE3D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004DE442
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(004088C0,?), ref: 004DE469
                                                • Part of subcall function 004DE3D0: __vbaStrMove.MSVBVM60(?,?,004088C0,?), ref: 004DE499
                                                • Part of subcall function 004DE3D0: #561.MSVBVM60(00004008), ref: 004DE4B7
                                                • Part of subcall function 004DE3D0: __vbaI4Str.MSVBVM60(?), ref: 004DE4CF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60(004DE511), ref: 004DE4EF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE4F8
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE501
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE50A
                                              • __vbaStrI4.MSVBVM60(00000000,DirectX,DX_ShowFPS,00000000,00000001,Light,?,?,?,?,00408966), ref: 0048EC8B
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00408966), ref: 0048EC96
                                              • __vbaVarDup.MSVBVM60 ref: 0048ED14
                                              • __vbaStrCat.MSVBVM60(00416C88,Display performance fps on screen? 1=Yes, 0=No), ref: 0048ED24
                                              • __vbaStrMove.MSVBVM60 ref: 0048ED2F
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000), ref: 0048ED3B
                                              • __vbaStrMove.MSVBVM60 ref: 0048ED46
                                              • __vbaStrCat.MSVBVM60(Note: Turning this On will automatically turn On,00000000), ref: 0048ED52
                                              • __vbaStrMove.MSVBVM60 ref: 0048ED5D
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000), ref: 0048ED69
                                              • __vbaStrMove.MSVBVM60 ref: 0048ED74
                                              • __vbaStrCat.MSVBVM60(logging to the MBSSPerf.log file (100 Frame threshold).,00000000), ref: 0048ED80
                                              • #596.MSVBVM60(00000008,?,00004008,0000000A,0000000A,0000000A,0000000A), ref: 0048EDB5
                                              • __vbaStrMove.MSVBVM60 ref: 0048EDC0
                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0048EDD8
                                              • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,00408966), ref: 0048EE01
                                              • #519.MSVBVM60(?), ref: 0048EE15
                                              • __vbaStrMove.MSVBVM60 ref: 0048EE20
                                              • __vbaLenBstr.MSVBVM60(00000000), ref: 0048EE27
                                              • __vbaFreeStr.MSVBVM60 ref: 0048EE40
                                              • #581.MSVBVM60(?), ref: 0048EE60
                                              • #681.MSVBVM60(?,0000000B,00000002,00000002), ref: 0048EEDF
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0048EEF1
                                              • __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000002,00000002,?,DirectX,DX_ShowFPS,00000001,Light), ref: 0048EF33
                                              • #581.MSVBVM60(?), ref: 0048EF47
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0048EF81
                                              • __vbaFreeStr.MSVBVM60(0048F018), ref: 0048F011
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$Chkstk$CopyList$#581Error$#519#561#596#681Bstr
                                              • String ID: DX_ShowFPS$DX_WriteLog$DirectX$Display performance fps on screen? 1=Yes, 0=No$Light$MBSS Product Performance Display$Note: Turning this On will automatically turn On$d$logging to the MBSSPerf.log file (100 Frame threshold).
                                              • API String ID: 3866714603-2235226390
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0045A98E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0045A9D5
                                              • __vbaNew2.MSVBVM60(00409828,004E0160,?,?,?,?,00408966), ref: 0045A9F5
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0045AA21
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041628C,00000068), ref: 0045AA6B
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041628C,00000060), ref: 0045AAC7
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041628C,00000044), ref: 0045AB23
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417ED8,00000058), ref: 0045AB78
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041628C,00000020), ref: 0045ABCF
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0045ABF7
                                              • __vbaNew2.MSVBVM60(00409828,004E0160), ref: 0045AC17
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041628C,00000088), ref: 0045AC8F
                                              • __vbaNew2.MSVBVM60(00409828,004E0160), ref: 0045ACCF
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041628C,00000050), ref: 0045AD35
                                              • __vbaStrCopy.MSVBVM60 ref: 0045AD56
                                              • __vbaFreeStr.MSVBVM60 ref: 0045AD5F
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0045AD88
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0045ADD0
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00415658,000000A4), ref: 0045AE21
                                              • __vbaFreeObj.MSVBVM60 ref: 0045AE3C
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0045AE5D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00415658,000000A4), ref: 0045AEAE
                                              • __vbaFreeObj.MSVBVM60 ref: 0045AEC9
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0045AEFD
                                              • #681.MSVBVM60(?,0000000B,00000003,00000003), ref: 0045AF47
                                              • __vbaI4Var.MSVBVM60(?), ref: 0045AF51
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00415658,00000064), ref: 0045AF90
                                              • __vbaFreeObj.MSVBVM60 ref: 0045AFAB
                                              • __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000003,00000003,?), ref: 0045AFC3
                                              • __vbaFreeObj.MSVBVM60(0045B011), ref: 0045B00A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Free$New2$AddrefChkstk$#681CopyErrorList
                                              • String ID: AVI$AVI Files|*.avi$Choose a filename to save AVI to...$Light$Video$VideoFilename
                                              • API String ID: 894580309-1458325011
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaStrToAnsi.MSVBVM60(?,00000000,00000000,0002003F,?), ref: 0049D5D7
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0049D5EB
                                              • __vbaStrToUnicode.MSVBVM60(00408966,?), ref: 0049D5F6
                                              • __vbaFreeStr.MSVBVM60 ref: 0049D5FF
                                              • #606.MSVBVM60(00000400,?), ref: 0049D624
                                              • __vbaStrMove.MSVBVM60 ref: 0049D635
                                              • __vbaFreeVar.MSVBVM60 ref: 0049D63A
                                              • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0049D653
                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 0049D665
                                              • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 0049D673
                                              • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0049D681
                                              • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0049D68F
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,00000000), ref: 0049D69F
                                              • __vbaStrCopy.MSVBVM60 ref: 0049D6B1
                                              • #632.MSVBVM60(?,?,00000400,00000002), ref: 0049D6F7
                                              • __vbaStrVarVal.MSVBVM60(?,?), ref: 0049D705
                                              • #516.MSVBVM60(00000000), ref: 0049D70C
                                              • __vbaFreeStr.MSVBVM60 ref: 0049D722
                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0049D732
                                              • #617.MSVBVM60(00000002,00004008,000003FF), ref: 0049D763
                                              • #617.MSVBVM60(00000002,00004008,00000400), ref: 0049D791
                                              • __vbaStrVarMove.MSVBVM60(00000002), ref: 0049D79B
                                              • __vbaStrMove.MSVBVM60 ref: 0049D7A6
                                              • __vbaFreeVar.MSVBVM60 ref: 0049D7AB
                                              • __vbaLenBstr.MSVBVM60(?), ref: 0049D7C8
                                              • #632.MSVBVM60(?,00004008,?,00000002), ref: 0049D823
                                              • __vbaStrVarVal.MSVBVM60(?,?,?,00000002), ref: 0049D831
                                              • #516.MSVBVM60(00000000,?,00000002), ref: 0049D838
                                              • #573.MSVBVM60(?,?,?,00000002), ref: 0049D851
                                              • __vbaVarAdd.MSVBVM60(?,?,00000008,?,00000002), ref: 0049D869
                                              • __vbaStrVarMove.MSVBVM60(00000000,?,00000002), ref: 0049D870
                                              • __vbaStrMove.MSVBVM60(?,00000002), ref: 0049D87A
                                              • __vbaFreeStr.MSVBVM60(?,00000002), ref: 0049D87F
                                              • __vbaFreeVarList.MSVBVM60(00000005,00000002,?,00000002,?,?,?,00000002), ref: 0049D89E
                                              • __vbaStrCat.MSVBVM60(?,00422F00), ref: 0049D8C7
                                              • #650.MSVBVM60(00000002,0000000A,00000001,00000001,?,00422F00), ref: 0049D8E3
                                              • __vbaStrMove.MSVBVM60(?,00422F00), ref: 0049D8ED
                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A,?,00422F00), ref: 0049D8F9
                                              • __vbaSetSystemError.MSVBVM60(?), ref: 0049D920
                                              • __vbaFreeStr.MSVBVM60(0049D96A), ref: 0049D963
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$List$AnsiErrorSystemUnicode$#516#617#632$#573#606#650BstrCopy
                                              • String ID:
                                              • API String ID: 1065444-0
                                              • Opcode ID: a82e778dea0a777b75d9e3f976d739d341e6e8b57468416d6e6119e2db3aeaee
                                              • Instruction ID: a032f1739c5a84c5d63c59a920eb115fcbd485e33b23387b2a758f5fed772fa9
                                              • Opcode Fuzzy Hash: a82e778dea0a777b75d9e3f976d739d341e6e8b57468416d6e6119e2db3aeaee
                                              • Instruction Fuzzy Hash: 34C1D8B1C00219ABDB14DFE4DD88EDEBBB9FF48300F10415AE50AA7264DB745989CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,0043F175,?,?,?,?,00408966), ref: 004B798E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004B79BE
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,00000000,00408966), ref: 004B79DE
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000018), ref: 004B7A2F
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000070), ref: 004B7A77
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004B7AAD
                                              • __vbaFreeObj.MSVBVM60 ref: 004B7AB6
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490), ref: 004B7AD6
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000018), ref: 004B7B27
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000070), ref: 004B7B6F
                                              • #591.MSVBVM60(00000009), ref: 004B7BAB
                                              • __vbaStrMove.MSVBVM60 ref: 004B7BB6
                                              • __vbaStrCmp.MSVBVM60(TextBox,00000000), ref: 004B7BC2
                                              • __vbaFreeStr.MSVBVM60 ref: 004B7BD6
                                              • __vbaFreeObj.MSVBVM60 ref: 004B7BDF
                                              • __vbaFreeVar.MSVBVM60 ref: 004B7BE8
                                              • __vbaLateMemCallLd.MSVBVM60(00000009,?,Locked,00000000), ref: 004B7C13
                                              • __vbaVarNot.MSVBVM60(?,00000000,?,?,00000000,00408966), ref: 004B7C21
                                              • __vbaBoolVarNull.MSVBVM60(00000000,?,?,00000000,00408966), ref: 004B7C28
                                              • __vbaFreeVar.MSVBVM60(?,?,00000000,00408966), ref: 004B7C35
                                              • __vbaChkstk.MSVBVM60 ref: 004B7C61
                                              • __vbaLateMemSt.MSVBVM60(?,SelStart), ref: 004B7C8B
                                              • __vbaLateMemCallLd.MSVBVM60(?,?,Text,00000000), ref: 004B7CAA
                                              • __vbaLenVar.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,00408966), ref: 004B7CB8
                                              • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,00000000,00408966), ref: 004B7CC5
                                              • __vbaLateMemSt.MSVBVM60(?,SelLength,?,?,?,?,?,?,00000000,00408966), ref: 004B7CEE
                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,00408966), ref: 004B7CF7
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004B7D0D
                                              • __vbaFreeObj.MSVBVM60(004B7D57), ref: 004B7D50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$CheckHresultLate$Chkstk$CallNew2$#591AddrefBoolErrorMoveNull
                                              • String ID: Locked$SelLength$SelStart$Text$TextBox
                                              • API String ID: 4188382032-1251759843
                                              • Opcode ID: 8895adda2b0277437bbc733ca29242b38f66ff9f7c77b09c2c2b814e222a420c
                                              • Instruction ID: 64472f6350c6610ecfd4856f620e08acb887dd8f2d795e66ba5dc537aa17ee9f
                                              • Opcode Fuzzy Hash: 8895adda2b0277437bbc733ca29242b38f66ff9f7c77b09c2c2b814e222a420c
                                              • Instruction Fuzzy Hash: 9FB105B4E00218DFDB14DFA4C988BDDBBB4FB48705F20815AE506B72A1DB785A85CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 00463D6E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00463DB5
                                              • #681.MSVBVM60(?,0000000B,00000002,00000002), ref: 00463E1D
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00463E37
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00463E88
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00463EBD
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00463F0E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 00463F71
                                              • #581.MSVBVM60(?), ref: 00463F8D
                                              • __vbaFpI4.MSVBVM60 ref: 00463F99
                                              • __vbaI4Var.MSVBVM60(?,00000000), ref: 00463FA4
                                              • __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00463FB1
                                              • __vbaStrMove.MSVBVM60 ref: 00463FBC
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 00464001
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00464023
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,00408966), ref: 0046403E
                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00464059
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00464098
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 004640E9
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046411E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0046416F
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 004641D2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$FreeList$#581#681ChkstkErrorMove
                                              • String ID: c
                                              • API String ID: 2543525275-112844655
                                              • Opcode ID: 55f557e174b257eb456805bd8b3b1d4b85242c7d185ee6eb05fb02dea3fae6d8
                                              • Instruction ID: d6cdcd253db59157d4007eb9f17bdd481c430a47be9063e3aa4d49d69acb8cb8
                                              • Opcode Fuzzy Hash: 55f557e174b257eb456805bd8b3b1d4b85242c7d185ee6eb05fb02dea3fae6d8
                                              • Instruction Fuzzy Hash: 95F1F8B5A00218EFDB14DFA4C948FDEBBB9BF48300F108599F64AA7250D7749A84CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,004707E4,?), ref: 0049417E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004941AE
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00408966), ref: 004941D3
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000001E8), ref: 00494208
                                              • __vbaFreeObj.MSVBVM60 ref: 0049421D
                                              • __vbaUbound.MSVBVM60(00000001,00000000), ref: 00494232
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0049427F
                                              • __vbaChkstk.MSVBVM60 ref: 0049429B
                                              • __vbaStrI4.MSVBVM60(?), ref: 004942D1
                                              • __vbaStrMove.MSVBVM60 ref: 004942DC
                                              • __vbaStrCat.MSVBVM60( * ,00000000), ref: 004942E8
                                              • __vbaStrMove.MSVBVM60 ref: 004942F3
                                              • __vbaStrI4.MSVBVM60(00000006,00000000), ref: 00494313
                                              • __vbaStrMove.MSVBVM60 ref: 0049431E
                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00494325
                                              • __vbaStrMove.MSVBVM60 ref: 00494330
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000001EC), ref: 00494363
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move$CheckChkstkHresult$ErrorFreeUbound
                                              • String ID: * $General\Main$MBSS Light Properties
                                              • API String ID: 737784314-4282403689
                                              • Opcode ID: cde68e40bc225de62dfe773878a56576e68f0b0898308568bb134f040759320f
                                              • Instruction ID: 03afcba27abc3e0dd535eff147fd6c130ba2d6739425b4a2a8daaf62e63ce212
                                              • Opcode Fuzzy Hash: cde68e40bc225de62dfe773878a56576e68f0b0898308568bb134f040759320f
                                              • Instruction Fuzzy Hash: 09B1E6B5A00248EFCB04DFE4D988BDEBBB5FF48304F208169E506AB265D7749986CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,004CEA10,?,?,?,00000000,00408966), ref: 004B643E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,004CEA10), ref: 004B646E
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 004B649B
                                                • Part of subcall function 004B5DC0: __vbaChkstk.MSVBVM60(?,00408966), ref: 004B5DDE
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E0B
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E17
                                                • Part of subcall function 004B5DC0: __vbaVarDup.MSVBVM60(?,?,?,?,00408966), ref: 004B5E23
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E2F
                                                • Part of subcall function 004B5DC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004B5E3E
                                                • Part of subcall function 004B5DC0: __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B5ED5
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5EE0
                                                • Part of subcall function 004B5DC0: #519.MSVBVM60(00000000), ref: 004B5EE7
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5EF2
                                                • Part of subcall function 004B5DC0: __vbaFreeStr.MSVBVM60 ref: 004B5EFB
                                                • Part of subcall function 004B5DC0: __vbaStrToAnsi.MSVBVM60(?,REG_SZ,00000000,0000003F,004E038C,?,?), ref: 004B5F22
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,00000000), ref: 004B5F34
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F3F
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B5F4B
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F56
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(?,00000000), ref: 004B5F61
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F6C
                                                • Part of subcall function 004B5DC0: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B5F77
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966), ref: 004DE3EE
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE41B
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE427
                                                • Part of subcall function 004DE3D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966), ref: 004DE433
                                                • Part of subcall function 004DE3D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966), ref: 004DE442
                                                • Part of subcall function 004DE3D0: __vbaChkstk.MSVBVM60(004088C0,?), ref: 004DE469
                                                • Part of subcall function 004DE3D0: __vbaStrMove.MSVBVM60(?,?,004088C0,?), ref: 004DE499
                                                • Part of subcall function 004DE3D0: #561.MSVBVM60(00004008), ref: 004DE4B7
                                                • Part of subcall function 004DE3D0: __vbaI4Str.MSVBVM60(?), ref: 004DE4CF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60(004DE511), ref: 004DE4EF
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE4F8
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE501
                                                • Part of subcall function 004DE3D0: __vbaFreeStr.MSVBVM60 ref: 004DE50A
                                              • __vbaVarDup.MSVBVM60(General,TestRegWrite,00000000,00000001,Light,General,TestRegWrite,00000001,Light), ref: 004B6554
                                              • __vbaStrCat.MSVBVM60(00416C88,The Registry is read-only.), ref: 004B6564
                                              • __vbaStrMove.MSVBVM60 ref: 004B656F
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000), ref: 004B657B
                                              • __vbaStrMove.MSVBVM60 ref: 004B6586
                                              • __vbaStrCat.MSVBVM60(The Property settings cannot be saved.,00000000), ref: 004B6592
                                              • __vbaStrMove.MSVBVM60 ref: 004B659D
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000), ref: 004B65A9
                                              • __vbaStrMove.MSVBVM60 ref: 004B65B4
                                              • __vbaStrCat.MSVBVM60(You must change your Windows User Privileges so that programs ,00000000), ref: 004B65C0
                                              • __vbaStrMove.MSVBVM60 ref: 004B65CB
                                              • __vbaStrCat.MSVBVM60(00416C88,00000000), ref: 004B65D7
                                              • __vbaStrMove.MSVBVM60 ref: 004B65E2
                                              • __vbaStrCat.MSVBVM60(can write to the Registry. See your System Administrator for assistance.,00000000), ref: 004B65EE
                                              • #595.MSVBVM60(00000008,00000030,?,0000000A,0000000A), ref: 004B6610
                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 004B6630
                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004B664B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move$CopyFree$Chkstk$Error$AnsiList$#519#561#595
                                              • String ID: General$Light$MBSS Light$TestRegWrite$The Property settings cannot be saved.$The Registry is read-only.$You must change your Windows User Privileges so that programs $can write to the Registry. See your System Administrator for assistance.
                                              • API String ID: 2001874785-3965380993
                                              • Opcode ID: b2849fd5e32739d0d8c3da7b3af280b7fc26a5d2b30559632a05333d05cef679
                                              • Instruction ID: c28030fa900ba14b7789dcec1301af731c10c40f9704cd1fd9d689e90d8515e1
                                              • Opcode Fuzzy Hash: b2849fd5e32739d0d8c3da7b3af280b7fc26a5d2b30559632a05333d05cef679
                                              • Instruction Fuzzy Hash: 51513DB5900208EFDB10DF90DE49BDEBBB8EB04704F20C16AE545B72A0DBB45A44CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,00000001,?,00000000,00408966), ref: 004B802E
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000001,00000000,00000000,00408966), ref: 004B805E
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,00000001,00000000,00000000,00408966), ref: 004B8078
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000154), ref: 004B80C5
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004B8583
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,?,00000001,?,00000000), ref: 004B858F
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,?,?,00000001,?,00000000), ref: 004B859C
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000001,?,00000000), ref: 004B85BC
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,00000018,?,?,00000001,?,00000000), ref: 004B85CF
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,?,00000001,?,00000000), ref: 004B85D9
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,?,?,00000001,?,00000000), ref: 004B85E6
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020,?,00000001,?,00000000), ref: 004B861A
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(?,?,00000001,?,00000000), ref: 004B8626
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000001,?,00000000), ref: 004B862F
                                                • Part of subcall function 004B8540: __vbaSetSystemError.MSVBVM60(?,?,?,00000001,?,00000000), ref: 004B8640
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000084,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B814F
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,0000008C,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B81D9
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,000001C0,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B823D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,000000E0,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B829A
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000264,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B830A
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000188,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B836B
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B8396
                                              • __vbaObjSet.MSVBVM60(?,?,ScreenCapture.bmp,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B83E0
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041395C,00000040,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B841F
                                              • __vbaFreeObj.MSVBVM60(?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B843A
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000,00000001,Light), ref: 004B8450
                                              • __vbaUbound.MSVBVM60(00000001,00000000,ScreenCapture.bmp,?,?,004E01C4,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth,00000000), ref: 004B8484
                                              • __vbaRedim.MSVBVM60(00000080,00000001,004E01C8,00000011,00000001,-00000001,00000000,?,DirectX,DX_WinHeight,00000000,00000001,Light,?,DirectX,DX_WinWidth), ref: 004B84B5
                                              • __vbaVarDup.MSVBVM60 ref: 004B84D9
                                              • #529.MSVBVM60(?), ref: 004B84E3
                                              • __vbaFreeVar.MSVBVM60 ref: 004B84EC
                                              • __vbaFreeObj.MSVBVM60(004B8524), ref: 004B851D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$System$CheckHresult$Free$Addref$#529ChkstkNew2RedimUbound
                                              • String ID: DX_WinHeight$DX_WinWidth$DirectX$Light$ScreenCapture.bmp
                                              • API String ID: 754283486-445913445
                                              • Opcode ID: 301f692e181ce6f69ec421cfdefac7ed6cd0db0521df1ba3e5dbedcab21aee1b
                                              • Instruction ID: 33e1eb0581abbc8b1f2dc614453666a9076cb3eba85617398b16645a45a5a24f
                                              • Opcode Fuzzy Hash: 301f692e181ce6f69ec421cfdefac7ed6cd0db0521df1ba3e5dbedcab21aee1b
                                              • Instruction Fuzzy Hash: 49D108B0900218EFDB20DFA4CD48FDDB7B5BB48705F1081D9E249AB291CB795A85DF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004BD90E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004BD93E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,00000050), ref: 004BD995
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckChkstkErrorHresult
                                              • String ID:
                                              • API String ID: 2338809411-0
                                              • Opcode ID: ddab84fb7159687b2a72a09076a39c663707e631de453d291da7795ecac2573b
                                              • Instruction ID: 9f2c553d66fae21b548e591901ca4731872708097a375bd8720e2cbc63397ddc
                                              • Opcode Fuzzy Hash: ddab84fb7159687b2a72a09076a39c663707e631de453d291da7795ecac2573b
                                              • Instruction Fuzzy Hash: 00D11775A00218EFDB14DF90C948BDEBBB4BF49300F1085D9E64ABB2A0DB755A84CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004638EE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00463935
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0046396C
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 004639A8
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004639D4
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00463A10
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 00463A58
                                              • #581.MSVBVM60(?), ref: 00463A6E
                                              • __vbaFpI4.MSVBVM60 ref: 00463A7A
                                              • __vbaStrI4.MSVBVM60(00000000,000000FF,00000000), ref: 00463A8C
                                              • __vbaStrMove.MSVBVM60 ref: 00463A97
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 00463ACA
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00463AE6
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,00408966), ref: 00463B01
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00463B40
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00463B7C
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00463BA8
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00463BE4
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 00463C32
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$FreeList$#581ChkstkErrorMove
                                              • String ID:
                                              • API String ID: 545134609-0
                                              • Opcode ID: 91aba0ee49627d7dac5d04728d454a7bb3e68aeea6af44259474d9cc73284cd0
                                              • Instruction ID: 519ea330cf9240df59540bf353c44ead9e64f38b7915d2b45ae1c14ce8217a9c
                                              • Opcode Fuzzy Hash: 91aba0ee49627d7dac5d04728d454a7bb3e68aeea6af44259474d9cc73284cd0
                                              • Instruction Fuzzy Hash: 5EE1F7B5900248EFCB04DFE4D988BDEBBB9FF48701F108159F606AB260D774AA45CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,?,00408966), ref: 004AF09E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,?), ref: 004AF0CE
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,00000000,00408966,?), ref: 004AF0E5
                                              • __vbaLateMemCall.MSVBVM60(?,Clear,00000000,?,?,?,?,00000000,00408966,?), ref: 004AF0FD
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,00000000,00408966,?), ref: 004AF120
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000018), ref: 004AF171
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041C528,00000058), ref: 004AF1B9
                                              • __vbaFreeObj.MSVBVM60 ref: 004AF1F0
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490), ref: 004AF227
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000018), ref: 004AF278
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$New2$AddrefCallChkstkErrorFreeLate
                                              • String ID: AddItem$Clear
                                              • API String ID: 355093465-1741942551
                                              • Opcode ID: 258b0e69e87d120206be1a7d50cd97f418bab720d97213e7d27442cd26aee958
                                              • Instruction ID: 4e8fa722780fbe4cf9ed7c0956f84da7fd3eacadf3fc5c492f65d547d42b845f
                                              • Opcode Fuzzy Hash: 258b0e69e87d120206be1a7d50cd97f418bab720d97213e7d27442cd26aee958
                                              • Instruction Fuzzy Hash: 2F9108B5D40248DFDB04DFE4D988BDDBBB5BB08305F20816AE50ABB294C7785A89CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0045310E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00453155
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004531A7
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 004531E3
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0045320A
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,41000000,42A00000), ref: 0045322F
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00453258
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00453294
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004532BB
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000,42C60000), ref: 004532DD
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00453306
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00453342
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00453369
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000,43B38000), ref: 0045338B
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004533B4
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 004533F0
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00453417
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000,42C60000), ref: 00453439
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00453462
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0045349E
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004534C5
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,00000000,42700000), ref: 004534E7
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckFreeHresultList$ChkstkError
                                              • String ID:
                                              • API String ID: 1326250703-0
                                              • Opcode ID: c76df634ab260b97326fa41605c395ce2194b48da9b78272fda5b57e4c7d46c1
                                              • Instruction ID: 3809f70cb3aeb10f85047f170e53ac4d3c099c0d5baccb21e15ecad62479c70f
                                              • Opcode Fuzzy Hash: c76df634ab260b97326fa41605c395ce2194b48da9b78272fda5b57e4c7d46c1
                                              • Instruction Fuzzy Hash: 85E108B5910208EFDB04DFE4D988FEEBBB9BB48705F108119F605BB290D774AA44CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,004A2D5D,?,00000000,?,00000000,00000000), ref: 004B88EE
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,00408966,004A2D5D), ref: 004B891E
                                              • _adj_fdivr_m64.MSVBVM60(?,00000000,?,?,00408966,004A2D5D), ref: 004B8965
                                              • _adj_fdivr_m64.MSVBVM60(00000000,?,?,00000000,?,?,00408966,004A2D5D), ref: 004B89C6
                                              • _CIsin.MSVBVM60(00000000,?,?,00000000,?,?,00408966,004A2D5D), ref: 004B89CB
                                              • __vbaFpI4.MSVBVM60(00000000,?,?,00000000,?,?,00408966,004A2D5D), ref: 004B8A1E
                                              • #681.MSVBVM60(?,0000400B,00000002,00000002), ref: 004B8A79
                                              • __vbaI4ErrVar.MSVBVM60(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004B8AB2
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 004B8ACB
                                              • __vbaFreeVarList.MSVBVM60(00000004,00000002,00000002,?,?), ref: 004B8AE3
                                              • __vbaNew2.MSVBVM60(0041000C,004E03A8,?,00000000,?,?,00408966,004A2D5D), ref: 004B8B4E
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004B8B88
                                              • __vbaNew2.MSVBVM60(0041000C,004E03A8), ref: 004B8BA1
                                              • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 004B8BDB
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004B8BFC
                                              • __vbaFreeObjList.MSVBVM60(00000003,?,00000000,00000000,?,00000000), ref: 004B8C1D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$ErrorFreeListNew2_adj_fdivr_m64$#681ChkstkIsinSystem
                                              • String ID: ]-Jn@$n@
                                              • API String ID: 1137441847-2947674860
                                              • Opcode ID: 4be87a633e27128e9d737373022e2923833f3a2ab18d94051cf6a2da5c8fc453
                                              • Instruction ID: 60ad69b41e6f79d9076482477ec0f7a05ea6554b4bfdb044f54ce977ebbbd07e
                                              • Opcode Fuzzy Hash: 4be87a633e27128e9d737373022e2923833f3a2ab18d94051cf6a2da5c8fc453
                                              • Instruction Fuzzy Hash: FAA14FB1900208EFDB00DF94DD88BDEBBB9FF48304F108199E5556B2A1CBB55A84CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043F58E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043F5D5
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490), ref: 0043F646
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000014), ref: 0043F68E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416754,00000060), ref: 0043F6D0
                                              • __vbaStrCopy.MSVBVM60 ref: 0043F6EB
                                              • __vbaFreeStr.MSVBVM60 ref: 0043F6F4
                                              • __vbaFreeObj.MSVBVM60 ref: 0043F6FD
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041628C,0000008C), ref: 0043F743
                                              • __vbaChkstk.MSVBVM60(00000001,Light), ref: 0043F77B
                                              • __vbaStrMove.MSVBVM60(Video,DefaultDirectory,00000001,Light), ref: 0043F7AD
                                              • __vbaStrCopy.MSVBVM60 ref: 0043F7BB
                                              • __vbaFreeStr.MSVBVM60 ref: 0043F7C4
                                              • __vbaFreeVar.MSVBVM60 ref: 0043F7CD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$CheckHresult$ChkstkCopy$ErrorMoveNew2
                                              • String ID: DefaultDirectory$Light$Video
                                              • API String ID: 1382491481-3300496858
                                              • Opcode ID: 6094f5d25eb9d2d0518de72934816d402681b5bb1f273d0d900a7f97f22555ec
                                              • Instruction ID: 32b088d8a1f7b0c525bd4ce88c228faf635b5abf4be61531580d8d35d718d3ed
                                              • Opcode Fuzzy Hash: 6094f5d25eb9d2d0518de72934816d402681b5bb1f273d0d900a7f97f22555ec
                                              • Instruction Fuzzy Hash: CE81E8B4900209EFDB14DF94C988BDDBBB5FF48304F208159E515AB3A0D775AA46CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaStrCopy.MSVBVM60 ref: 004D78C2
                                              • __vbaStrCopy.MSVBVM60 ref: 004D78CA
                                              • __vbaStrCopy.MSVBVM60 ref: 004D78D2
                                              • __vbaStrCopy.MSVBVM60 ref: 004D78DA
                                              • __vbaStrCmp.MSVBVM60(00000000,?), ref: 004D78F9
                                              • #681.MSVBVM60(?,?,?,?), ref: 004D7921
                                              • __vbaStrVarMove.MSVBVM60(?), ref: 004D792B
                                              • __vbaStrMove.MSVBVM60 ref: 004D793C
                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000B,?), ref: 004D7948
                                                • Part of subcall function 004B4820: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,004D7986,?,?), ref: 004B483E
                                                • Part of subcall function 004B4820: __vbaStrCopy.MSVBVM60(6C2ED8B1,00000000,?,?,00408966), ref: 004B486B
                                                • Part of subcall function 004B4820: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B4877
                                                • Part of subcall function 004B4820: __vbaVarDup.MSVBVM60(?,?,00408966), ref: 004B4883
                                                • Part of subcall function 004B4820: __vbaStrCopy.MSVBVM60(?,?,00408966), ref: 004B488F
                                                • Part of subcall function 004B4820: __vbaOnError.MSVBVM60(000000FF,?,?,00408966), ref: 004B489E
                                                • Part of subcall function 004B4820: __vbaStrErrVarCopy.MSVBVM60(?,?,?,00408966), ref: 004B48AF
                                                • Part of subcall function 004B4820: __vbaStrMove.MSVBVM60(?,?,00408966), ref: 004B48BA
                                                • Part of subcall function 004B4820: __vbaStrCmp.MSVBVM60(00000000,?), ref: 004B48F4
                                                • Part of subcall function 004B4820: #681.MSVBVM60(?,0000000B,00004008,00004008), ref: 004B492B
                                                • Part of subcall function 004B4820: __vbaStrVarMove.MSVBVM60(?), ref: 004B4935
                                                • Part of subcall function 004B4820: __vbaStrMove.MSVBVM60 ref: 004B4940
                                                • Part of subcall function 004B4820: __vbaFreeVarList.MSVBVM60(00000002,0000000B,?), ref: 004B4953
                                                • Part of subcall function 004B4820: __vbaLenBstr.MSVBVM60(00000000,?,?,00408966), ref: 004B496A
                                                • Part of subcall function 004B4820: #648.MSVBVM60(0000000A), ref: 004B4991
                                                • Part of subcall function 004B4820: __vbaFreeVar.MSVBVM60 ref: 004B499E
                                              • __vbaStrMove.MSVBVM60(?,?), ref: 004D798B
                                                • Part of subcall function 004B5DC0: __vbaChkstk.MSVBVM60(?,00408966), ref: 004B5DDE
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E0B
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E17
                                                • Part of subcall function 004B5DC0: __vbaVarDup.MSVBVM60(?,?,?,?,00408966), ref: 004B5E23
                                                • Part of subcall function 004B5DC0: __vbaStrCopy.MSVBVM60(?,?,?,?,00408966), ref: 004B5E2F
                                                • Part of subcall function 004B5DC0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004B5E3E
                                                • Part of subcall function 004B5DC0: __vbaStrErrVarCopy.MSVBVM60(?), ref: 004B5ED5
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5EE0
                                                • Part of subcall function 004B5DC0: #519.MSVBVM60(00000000), ref: 004B5EE7
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5EF2
                                                • Part of subcall function 004B5DC0: __vbaFreeStr.MSVBVM60 ref: 004B5EFB
                                                • Part of subcall function 004B5DC0: __vbaStrToAnsi.MSVBVM60(?,REG_SZ,00000000,0000003F,004E038C,?,?), ref: 004B5F22
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(?,SOFTWARE\MBSS\,00000000,00000000), ref: 004B5F34
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F3F
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(00415654,00000000), ref: 004B5F4B
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F56
                                                • Part of subcall function 004B5DC0: __vbaStrCat.MSVBVM60(?,00000000), ref: 004B5F61
                                                • Part of subcall function 004B5DC0: __vbaStrMove.MSVBVM60 ref: 004B5F6C
                                                • Part of subcall function 004B5DC0: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004B5F77
                                              • __vbaFreeStr.MSVBVM60(?,?), ref: 004D79CB
                                              • __vbaFreeVar.MSVBVM60 ref: 004D79D4
                                              • __vbaFreeStr.MSVBVM60(004D7A0F), ref: 004D79FD
                                              • __vbaFreeStr.MSVBVM60 ref: 004D7A02
                                              • __vbaFreeStr.MSVBVM60 ref: 004D7A07
                                              • __vbaFreeStr.MSVBVM60 ref: 004D7A0C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Copy$Move$Free$#681AnsiChkstkErrorList$#519#648Bstr
                                              • String ID: Light
                                              • API String ID: 4060503250-2866508787
                                              • Opcode ID: 056a024aff27be61489c1c9686d1cdb9ca112ca9cf087a1e57626e891625c7b3
                                              • Instruction ID: aece768a43ab2130ca86d28926c58ed228e55c7090837068e7712352d2a304b7
                                              • Opcode Fuzzy Hash: 056a024aff27be61489c1c9686d1cdb9ca112ca9cf087a1e57626e891625c7b3
                                              • Instruction Fuzzy Hash: 7551F6B1D012099FCB04DFA8DA459EEFBB9FF48700F20812AE505B7264EA746A45CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaSetSystemError.MSVBVM60(00080001,00408966,?), ref: 004414E9
                                              • #525.MSVBVM60(00000400), ref: 004414F8
                                              • __vbaStrMove.MSVBVM60 ref: 00441509
                                              • __vbaStrToAnsi.MSVBVM60(?,?), ref: 00441513
                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00441526
                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00441530
                                              • __vbaFreeStr.MSVBVM60 ref: 00441548
                                              • #644.MSVBVM60(?), ref: 00441558
                                              • __vbaSetSystemError.MSVBVM60(00000000), ref: 00441564
                                              • #537.MSVBVM60(00000000,?,00000001), ref: 0044157A
                                              • __vbaStrMove.MSVBVM60 ref: 00441585
                                              • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00441589
                                              • #617.MSVBVM60(?,00004008,-00000001), ref: 00441599
                                              • __vbaStrVarMove.MSVBVM60(?), ref: 004415A3
                                              • __vbaStrMove.MSVBVM60 ref: 004415AE
                                              • __vbaFreeStr.MSVBVM60 ref: 004415B3
                                              • __vbaFreeVar.MSVBVM60 ref: 004415BC
                                              • __vbaFreeStr.MSVBVM60(004415F5), ref: 004415EE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$FreeMove$ErrorSystem$#525#537#617#644AnsiUnicode
                                              • String ID:
                                              • API String ID: 1495029353-0
                                              • Opcode ID: 7f5dda5978e69b732b73f9b38d9e3aff73f6316fd09c3b61a9964ffee3f88acb
                                              • Instruction ID: efd5881ffbf82c3f60761fa2a19c0873a2ad2541adabea8c224be28d4e97029d
                                              • Opcode Fuzzy Hash: 7f5dda5978e69b732b73f9b38d9e3aff73f6316fd09c3b61a9964ffee3f88acb
                                              • Instruction Fuzzy Hash: 5941DDB5D00209ABCB04EFA5DD859EEBBB8FF48701F10856AF506B3260DB34AA45CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B5891
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,00000174), ref: 004B58C0
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 004B58EF
                                              • #581.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B58F5
                                              • __vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B590C
                                              • __vbaStrI4.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004B5919
                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B5924
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 004B594A
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B5956
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,00000174,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004B5985
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B5993
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B599F
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,0000009C), ref: 004B59C3
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,000000A4), ref: 004B59EA
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,000000AC), ref: 004B5A56
                                              • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 004B5A5E
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,004B5A90), ref: 004B5A86
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Addref$FreeList$#581Move
                                              • String ID:
                                              • API String ID: 1777959136-0
                                              • Opcode ID: 163163bae12bc7d5e7fcacfd41a198460d30a6755ce2fb4db828b011a4340d21
                                              • Instruction ID: b70a177796e1c75c9f8706cb8510957d3127e430b5df8fba03e93614aaa94f84
                                              • Opcode Fuzzy Hash: 163163bae12bc7d5e7fcacfd41a198460d30a6755ce2fb4db828b011a4340d21
                                              • Instruction Fuzzy Hash: 7E613EB4A50708AFDB00DBA4DC89FEEB7B9FF88700F10851AF545B7290D674A8458B75
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 00475C3E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00475C85
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 00475CA6
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00475CE2
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475D0E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00475D4A
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,000000B8), ref: 00475D92
                                              • __vbaStrI2.MSVBVM60(?), ref: 00475DAB
                                              • __vbaStrMove.MSVBVM60 ref: 00475DB6
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 00475DE9
                                              • __vbaFreeStr.MSVBVM60 ref: 00475DFE
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00475E16
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 00475E3A
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00475E54
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00475E6F
                                                • Part of subcall function 004AF970: __vbaChkstk.MSVBVM60(00000000,00408966), ref: 004AF98E
                                                • Part of subcall function 004AF970: __vbaAryConstruct2.MSVBVM60(?,0042C6F0,00000003,?,00000000,?,00000000,00408966), ref: 004AF9C0
                                                • Part of subcall function 004AF970: __vbaAryConstruct2.MSVBVM60(?,0042C70C,00000003,?,00000000,?,00000000,00408966), ref: 004AF9D1
                                                • Part of subcall function 004AF970: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966), ref: 004AF9E0
                                                • Part of subcall function 004AF970: __vbaNew2.MSVBVM60(0041000C,004E03A8,?,?,000000FF,000000FF), ref: 004AFA8D
                                                • Part of subcall function 004AF970: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,000000FF), ref: 004AFACA
                                              • __vbaFreeObjList.MSVBVM60(00000003,?,?,00000000,?,?), ref: 00475E90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Free$ChkstkConstruct2ErrorList$MoveNew2
                                              • String ID:
                                              • API String ID: 1969354629-0
                                              • Opcode ID: 9c65d1e07c6849b1addb93065b00d02f03e9eb3e6f4ca3107ba2acb6c546a9ae
                                              • Instruction ID: 0b18d9d7fb7489b68b1b5c82c34a8982bae9abc7f821a7285027fa231c151380
                                              • Opcode Fuzzy Hash: 9c65d1e07c6849b1addb93065b00d02f03e9eb3e6f4ca3107ba2acb6c546a9ae
                                              • Instruction Fuzzy Hash: B191D7B5900608EFCB04DFA4D988EDEBBB9FF48304F108119F616AB264D774A945CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0044214D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416C2C,000000D8), ref: 00442177
                                              • __vbaFreeObj.MSVBVM60 ref: 00442195
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004421B5
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416C2C,00000138), ref: 004421E0
                                              • __vbaPowerR8.MSVBVM60(00000000,40000000), ref: 00442214
                                              • #681.MSVBVM60(?,?,?,00000002), ref: 00442246
                                              • __vbaVarOr.MSVBVM60(?,?,00000003), ref: 0044225B
                                              • __vbaI4Var.MSVBVM60(00000000), ref: 00442262
                                              • __vbaFreeObj.MSVBVM60 ref: 0044226D
                                              • __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000005,00000002,?), ref: 00442285
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004422AE
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416C2C,000000D8), ref: 004422D8
                                              • __vbaPowerR8.MSVBVM60(00000000,40000000), ref: 004422FE
                                              • __vbaFpI4.MSVBVM60 ref: 0044230A
                                                • Part of subcall function 004B67E0: #681.MSVBVM60(?,?,?,?,00000000,6C31CB0D), ref: 004B6862
                                                • Part of subcall function 004B67E0: #681.MSVBVM60(?,?,?,?), ref: 004B6899
                                                • Part of subcall function 004B67E0: __vbaI4Var.MSVBVM60(?), ref: 004B689F
                                                • Part of subcall function 004B67E0: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004B68BA
                                              • __vbaFreeObj.MSVBVM60(00000000,00000000,00000000), ref: 0044231F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$#681CheckHresult$ListPower
                                              • String ID:
                                              • API String ID: 2687751420-0
                                              • Opcode ID: ba1ec3ad4c24ee82f891141687c04745dfbde32e18158181d622de18bcf5765d
                                              • Instruction ID: 3086c6d7e2d25b15caffaa3173fe2d5df65397c02b729c0036a3023594035eff
                                              • Opcode Fuzzy Hash: ba1ec3ad4c24ee82f891141687c04745dfbde32e18158181d622de18bcf5765d
                                              • Instruction Fuzzy Hash: A56117B1900228AFDB109FA4CD88FEEBBB8FF48701F10456EF589B6150DB745A45CB65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,00408966), ref: 004D390E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,?), ref: 004D393E
                                              • __vbaNew2.MSVBVM60(0040B4E8,004E06E8,?,?,?,?,00408966,?), ref: 004D395E
                                              • __vbaChkstk.MSVBVM60 ref: 004D399D
                                              • __vbaChkstk.MSVBVM60 ref: 004D39C0
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B314,000002B0), ref: 004D3A0A
                                              • __vbaCastObj.MSVBVM60(00000000,0041B344), ref: 004D3A2A
                                              • __vbaObjSet.MSVBVM60(004E06E8,00000000), ref: 004D3A36
                                              • __vbaChkstk.MSVBVM60 ref: 004D3A5D
                                              • __vbaLateMemSt.MSVBVM60(00000001,FontBold), ref: 004D3A86
                                              • __vbaFreeVar.MSVBVM60 ref: 004D3A8F
                                              • __vbaObjIs.MSVBVM60(?,00000000), ref: 004D3AA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Chkstk$CastCheckErrorFreeHresultLateNew2
                                              • String ID: FontBold
                                              • API String ID: 2513111362-948149611
                                              • Opcode ID: d0e428e3c7e7b12c7e92d9319cfcf177c1e27dc6cdb20af854930273039ec794
                                              • Instruction ID: 4e71ffa8206b2500c92f7fb745f9325c11891fa47a5161275a839a498b722c14
                                              • Opcode Fuzzy Hash: d0e428e3c7e7b12c7e92d9319cfcf177c1e27dc6cdb20af854930273039ec794
                                              • Instruction Fuzzy Hash: 2451D3B4A01349DFDB00DF98D998B9DBBB0FB48715F10816AE449AB390C7B89981CF55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004768BE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00476905
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00476943
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0047695E
                                                • Part of subcall function 004BB960: __vbaChkstk.MSVBVM60(?,00408966), ref: 004BB97E
                                                • Part of subcall function 004BB960: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004BB9AE
                                                • Part of subcall function 004BB960: __vbaFpI4.MSVBVM60(?,?,?,?,00408966), ref: 004BBA2E
                                                • Part of subcall function 004BB960: __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,?,00408966), ref: 004BBA51
                                                • Part of subcall function 004BB960: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,0000001C), ref: 004BBAB7
                                                • Part of subcall function 004BB960: __vbaHresultCheckObj.MSVBVM60(00000000,?,0042CED0,00000050), ref: 004BBB10
                                                • Part of subcall function 004BB960: __vbaFreeObj.MSVBVM60 ref: 004BBB2B
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,000000FF), ref: 00476979
                                              • #516.MSVBVM60(00419D10,?,?,?,?,00408966), ref: 00476993
                                              • #516.MSVBVM60(0041974C,?,?,?,?,00408966), ref: 004769A9
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004769E6
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00476A01
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,000000FF,000000FF), ref: 00476A1E
                                              • #516.MSVBVM60(0041A810,?,?,?,?,00408966), ref: 00476A38
                                              • #516.MSVBVM60(0041AD40,?,?,?,?,00408966), ref: 00476A4E
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00476A8B
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00476AA6
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,000000FF,00000000), ref: 00476AC3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$#516Free$List$CheckChkstkErrorHresult$New2
                                              • String ID:
                                              • API String ID: 1702493518-0
                                              • Opcode ID: 1a584b9789f2d9bfd95e3d1bbf2da595706cc62f4c42b4907a929ddf4cc29b2e
                                              • Instruction ID: 80b4086b2e6b0de9313c58b13d6041e4053596beb103ea28d6ce06c4d8fed8c3
                                              • Opcode Fuzzy Hash: 1a584b9789f2d9bfd95e3d1bbf2da595706cc62f4c42b4907a929ddf4cc29b2e
                                              • Instruction Fuzzy Hash: 497160B5900208EFCB00DFA0C989BDE7BB9FF48710F24C159F515AB294D775AA84CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,004A75A6,?,00000000,?,00000000,00408966,Advanced), ref: 004B0CFE
                                              • __vbaStrCopy.MSVBVM60(00000000,6C31CB0D,?,?,00408966,004A75A6), ref: 004B0D2B
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,00408966,004A75A6), ref: 004B0D3A
                                              • __vbaVarDup.MSVBVM60 ref: 004B0D5B
                                              • __vbaStrCat.MSVBVM60(00413154,?,?,000000FF,00000000), ref: 004B0D72
                                              • __vbaStrMove.MSVBVM60 ref: 004B0D7D
                                              • #711.MSVBVM60(?,00000000), ref: 004B0D88
                                              • __vbaAryVar.MSVBVM60(00002008,?), ref: 004B0D97
                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 004B0DA8
                                              • __vbaFreeStr.MSVBVM60 ref: 004B0DB1
                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004B0DC1
                                              • #519.MSVBVM60(00401660,?,?,00408966,004A75A6), ref: 004B0DE4
                                              • __vbaStrMove.MSVBVM60(?,?,00408966,004A75A6), ref: 004B0DEF
                                              • __vbaAryDestruct.MSVBVM60(00000000,?,004B0E42,?,?,00408966,004A75A6), ref: 004B0E32
                                              • __vbaFreeStr.MSVBVM60(?,?,00408966,004A75A6), ref: 004B0E3B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$CopyMove$#519#711ChkstkDestructErrorList
                                              • String ID:
                                              • API String ID: 1730553215-0
                                              • Opcode ID: 25133043421b8f044b09ba5df46abce133a6abda44d2426255f697478874e725
                                              • Instruction ID: d1ead9cd4523a93389947e19ceea19ac0c2af69983507d60129cfd4d4accfea2
                                              • Opcode Fuzzy Hash: 25133043421b8f044b09ba5df46abce133a6abda44d2426255f697478874e725
                                              • Instruction Fuzzy Hash: FF311D75900249EFDB04DFD4DE48BDEBBB4FB08705F108169E506B72A0DB746A49CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaSetSystemError.MSVBVM60(?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004B8583
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,00000001,?,00000000), ref: 004B858F
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,00000001,?,00000000), ref: 004B859C
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000001,?,00000000), ref: 004B85BC
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000018,?,?,00000001,?,00000000), ref: 004B85CF
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,00000001,?,00000000), ref: 004B85D9
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,00000001,?,00000000), ref: 004B85E6
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020,?,00000001,?,00000000), ref: 004B861A
                                              • __vbaSetSystemError.MSVBVM60(?,?,00000001,?,00000000), ref: 004B8626
                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000001,?,00000000), ref: 004B862F
                                              • __vbaSetSystemError.MSVBVM60(?,?,?,00000001,?,00000000), ref: 004B8640
                                              • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020,?,00000001,?,00000000), ref: 004B867A
                                              • __vbaSetSystemError.MSVBVM60(?,?,?,00000001,?,00000000), ref: 004B8683
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,00000001,?,00000000), ref: 004B868B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: ErrorSystem__vba
                                              • String ID:
                                              • API String ID: 2404019520-0
                                              • Opcode ID: 99a320a17adc052320e80c3de8731d96eb511cbbf3eb696eeca8518a531d9242
                                              • Instruction ID: a09edb019fb7d12001168c9cace1b2ef625d3f45ac64fe3852ac094bc21ab167
                                              • Opcode Fuzzy Hash: 99a320a17adc052320e80c3de8731d96eb511cbbf3eb696eeca8518a531d9242
                                              • Instruction Fuzzy Hash: F64141B16083046FD604EF79DC45F6FBBEDEFC8744F00491EB54593241DA74A8458BA6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,00000000,00408966,Advanced), ref: 004B40AE
                                              • __vbaStrCopy.MSVBVM60(00000000,6C31CB0D,?,00000000,00408966), ref: 004B40DB
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,00408966), ref: 004B40EA
                                              • __vbaFreeStr.MSVBVM60(004B421C), ref: 004B4215
                                                • Part of subcall function 004B0CE0: __vbaChkstk.MSVBVM60(?,00408966,004A75A6,?,00000000,?,00000000,00408966,Advanced), ref: 004B0CFE
                                                • Part of subcall function 004B0CE0: __vbaStrCopy.MSVBVM60(00000000,6C31CB0D,?,?,00408966,004A75A6), ref: 004B0D2B
                                                • Part of subcall function 004B0CE0: __vbaOnError.MSVBVM60(000000FF,?,?,00408966,004A75A6), ref: 004B0D3A
                                                • Part of subcall function 004B0CE0: __vbaVarDup.MSVBVM60 ref: 004B0D5B
                                                • Part of subcall function 004B0CE0: __vbaStrCat.MSVBVM60(00413154,?,?,000000FF,00000000), ref: 004B0D72
                                                • Part of subcall function 004B0CE0: __vbaStrMove.MSVBVM60 ref: 004B0D7D
                                                • Part of subcall function 004B0CE0: #711.MSVBVM60(?,00000000), ref: 004B0D88
                                                • Part of subcall function 004B0CE0: __vbaAryVar.MSVBVM60(00002008,?), ref: 004B0D97
                                                • Part of subcall function 004B0CE0: __vbaAryCopy.MSVBVM60(?,?), ref: 004B0DA8
                                                • Part of subcall function 004B0CE0: __vbaFreeStr.MSVBVM60 ref: 004B0DB1
                                                • Part of subcall function 004B0CE0: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004B0DC1
                                                • Part of subcall function 004B0CE0: #519.MSVBVM60(00401660,?,?,00408966,004A75A6), ref: 004B0DE4
                                                • Part of subcall function 004B0CE0: __vbaStrMove.MSVBVM60(?,?,00408966,004A75A6), ref: 004B0DEF
                                                • Part of subcall function 004B0CE0: __vbaAryDestruct.MSVBVM60(00000000,?,004B0E42,?,?,00408966,004A75A6), ref: 004B0E32
                                                • Part of subcall function 004B0CE0: __vbaFreeStr.MSVBVM60(?,?,00408966,004A75A6), ref: 004B0E3B
                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 004B4142
                                              • #581.MSVBVM60(00000000), ref: 004B4149
                                              • __vbaFreeStr.MSVBVM60 ref: 004B415E
                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 004B4187
                                              • #581.MSVBVM60(00000000), ref: 004B418E
                                              • __vbaFreeStr.MSVBVM60 ref: 004B41A3
                                              • __vbaStrMove.MSVBVM60(?,00000002), ref: 004B41CC
                                              • #581.MSVBVM60(00000000), ref: 004B41D3
                                              • __vbaFpI4.MSVBVM60 ref: 004B41D9
                                              • __vbaFreeStr.MSVBVM60 ref: 004B41EE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$Move$#581Copy$ChkstkError$#519#711DestructList
                                              • String ID:
                                              • API String ID: 2980795151-0
                                              • Opcode ID: 27347c7ebb8c79a89e53a550b03b9c8d1de765c50772d571d9401e83c2c4f2fc
                                              • Instruction ID: 0686d83af028d9c46287cbd59a869f862e19d849de6a5cefd63ee11040005a55
                                              • Opcode Fuzzy Hash: 27347c7ebb8c79a89e53a550b03b9c8d1de765c50772d571d9401e83c2c4f2fc
                                              • Instruction Fuzzy Hash: DB411975D00208DFDB04DFA4DA98ADEBBB5FF48305F208159E401BB2A1DB75AA44CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,?,004A2EC2), ref: 004A0C6E
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966), ref: 004A0C9E
                                              • _CIsqrt.MSVBVM60(?,?,?,00000000,00408966), ref: 004A0DB3
                                              • _adj_fdiv_m64.MSVBVM60(?,?,?,?,?,00000000,00408966), ref: 004A0DD9
                                              • _adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,00000000,00408966), ref: 004A0E02
                                              • _adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00408966), ref: 004A0E2B
                                              • _CIsqrt.MSVBVM60(?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 004A0F26
                                              • _adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004A0F4C
                                              • _adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A0F72
                                              • _adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A0F98
                                                • Part of subcall function 004A7D90: __vbaChkstk.MSVBVM60(00000000,00408966,00000002,?,?,?,?,?,?,?,00000000,00408966), ref: 004A7DAE
                                                • Part of subcall function 004A7D90: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966,00000002), ref: 004A7DDE
                                                • Part of subcall function 004A7D90: _CIcos.MSVBVM60(?,00000000,?,00000000,00408966,00000002), ref: 004A7DEE
                                                • Part of subcall function 004A7D90: _CIsin.MSVBVM60(?,00000000,?,00000000,00408966,00000002), ref: 004A7E00
                                                • Part of subcall function 004A7D90: _CIcos.MSVBVM60(?,00000000,?,00000000,00408966,00000002), ref: 004A7E12
                                                • Part of subcall function 004A7D90: _CIsqrt.MSVBVM60(?,00000000,?,00000000,00408966,00000002), ref: 004A7E43
                                                • Part of subcall function 004A7D90: _adj_fdiv_m64.MSVBVM60(?,?,?,00000000,?,00000000,00408966,00000002), ref: 004A7E65
                                                • Part of subcall function 004A7D90: _CIsqrt.MSVBVM60(?,?,?,00000000,?,00000000,00408966,00000002), ref: 004A7F9B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: _adj_fdiv_m64$Isqrt__vba$ChkstkErrorIcos$Isin
                                              • String ID: "
                                              • API String ID: 1873329766-123907689
                                              • Opcode ID: 04bedd19c6101f4a7e15ace28c76907ba8cea0788f6d745a42be7ab143759a53
                                              • Instruction ID: 51963cc11289f7554f34d694bfa090ccf8daecb83e1f261a15c524263a024b3c
                                              • Opcode Fuzzy Hash: 04bedd19c6101f4a7e15ace28c76907ba8cea0788f6d745a42be7ab143759a53
                                              • Instruction Fuzzy Hash: 6C22E071A0060DEBCB14DF94DD84BEDBBB5FB88304F1080ADE185AB2A1CBB559A5CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaStrCopy.MSVBVM60 ref: 00440C6C
                                              • __vbaLenBstr.MSVBVM60(?), ref: 00440C7B
                                              • #631.MSVBVM60(?,?,?), ref: 00440CBC
                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00440CC7
                                              • __vbaFreeVar.MSVBVM60(?,?), ref: 00440CCC
                                              • __vbaStrCmp.MSVBVM60(004167A8,?,?,?), ref: 00440CDB
                                              • __vbaStrCmp.MSVBVM60(00413928,?,?,?), ref: 00440CEE
                                              • __vbaStrCat.MSVBVM60(?,?,?,?), ref: 00440D0D
                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00440D18
                                              • __vbaStrCopy.MSVBVM60 ref: 00440D32
                                              • __vbaFreeStr.MSVBVM60(00440D6E), ref: 00440D61
                                              • __vbaFreeStr.MSVBVM60 ref: 00440D66
                                              • __vbaFreeStr.MSVBVM60 ref: 00440D6B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$CopyMove$#631Bstr
                                              • String ID:
                                              • API String ID: 3958399317-0
                                              • Opcode ID: 6a100462292dfc5e72b925728b859631ddfbeeb0d5ba025779c3ad8eae64014a
                                              • Instruction ID: 920b9dfdbeaf8f262006f351cb3e6fb28726a6866845fad3483154f21558dcf3
                                              • Opcode Fuzzy Hash: 6a100462292dfc5e72b925728b859631ddfbeeb0d5ba025779c3ad8eae64014a
                                              • Instruction Fuzzy Hash: 4A411AB5D002199FDB04DFA4D985AEEBBB8FB48704F10812AE902B7294DB786945CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0044E58E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0044E5D5
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 0044E5F6
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0044E632
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0044E65E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0044E69A
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,000000B8), ref: 0044E6E2
                                              • __vbaStrI2.MSVBVM60(?), ref: 0044E6FB
                                              • __vbaStrMove.MSVBVM60 ref: 0044E706
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 0044E739
                                              • __vbaFreeStr.MSVBVM60 ref: 0044E74E
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0044E766
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Free$ChkstkErrorListMove
                                              • String ID:
                                              • API String ID: 910494052-0
                                              • Opcode ID: 81c6c80ca14e3f8e6cb97a0bc79c77a3acb4948111f60fac79aef95231f68ac1
                                              • Instruction ID: b7dd5bcc288c0b032027b534ea208fade659ca1e9dc5904fec096769b092f49d
                                              • Opcode Fuzzy Hash: 81c6c80ca14e3f8e6cb97a0bc79c77a3acb4948111f60fac79aef95231f68ac1
                                              • Instruction Fuzzy Hash: 588118B5900208EFDB04DFA5C988BDEBBB5FF48304F208159F616AB2A0D7789985CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0044306E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004430B5
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004430D6
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004430F3
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004170F0,000000E0), ref: 0044312C
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,00000094), ref: 00443177
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00443193
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,00408966), ref: 004431B7
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,00408966), ref: 004431D4
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004170F0,000000E0), ref: 0044320D
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,0000008C), ref: 00443258
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00443274
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$FreeList$ChkstkError
                                              • String ID:
                                              • API String ID: 1188558583-0
                                              • Opcode ID: 740e5d34c527910a11698d432c0238cb0972263049487cbe4724e5900e82ed2a
                                              • Instruction ID: b73a055e50071e036415af2fff63ca9008c37c0122e8ea0d95976b8d6b6973bb
                                              • Opcode Fuzzy Hash: 740e5d34c527910a11698d432c0238cb0972263049487cbe4724e5900e82ed2a
                                              • Instruction Fuzzy Hash: 2A7107B5900248EFDB04DFA4D988FDEBBB5BF48701F108119F606AB2A0D7749A85CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0044E82E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0044E875
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 0044E896
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0044E8D2
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0044E8FE
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0044E93A
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 0044E982
                                              • #581.MSVBVM60(?), ref: 0044E998
                                              • __vbaFpI2.MSVBVM60 ref: 0044E99E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,000000BC), ref: 0044E9D1
                                              • __vbaFreeStr.MSVBVM60 ref: 0044E9E6
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0044E9FE
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Free$#581ChkstkErrorList
                                              • String ID:
                                              • API String ID: 2111255068-0
                                              • Opcode ID: ecf8b34fdb6c11c78881e1168dd0ec740d423cb067ef21e24958145662fc1d5c
                                              • Instruction ID: e14778b7b8632e739b895bedfdb4c887fbeea9f4a8fd533ac0d2b0d98de4489c
                                              • Opcode Fuzzy Hash: ecf8b34fdb6c11c78881e1168dd0ec740d423cb067ef21e24958145662fc1d5c
                                              • Instruction Fuzzy Hash: 8161C5B5900208EFDB04DFA5D988BDEBBB9BF48700F208159F516AB2A0D774A945CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046D0CE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0046D115
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 0046D136
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0046D172
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046D19E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 0046D1DA
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 0046D222
                                              • #581.MSVBVM60(?), ref: 0046D238
                                              • __vbaFpI2.MSVBVM60 ref: 0046D23E
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417DF0,000000BC), ref: 0046D271
                                              • __vbaFreeStr.MSVBVM60 ref: 0046D286
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0046D29E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$Free$#581ChkstkErrorList
                                              • String ID:
                                              • API String ID: 2111255068-0
                                              • Opcode ID: 715a7e0760ae5b6022c9553b175968396658a902a5038a647535e08624280ed2
                                              • Instruction ID: b7b2aeb8db1dcf9c67c6addb3775bc37215c3f2d1c0d5f9bf06892bfd3825e42
                                              • Opcode Fuzzy Hash: 715a7e0760ae5b6022c9553b175968396658a902a5038a647535e08624280ed2
                                              • Instruction Fuzzy Hash: 1961C6B5E00208EFDB04DFA4D988BDEBBB9BF48700F108159F516AB290D774A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046F16E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0046F1B5
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0046F1D6
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000000F0), ref: 0046F20F
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046F235
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000000F0), ref: 0046F26E
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0046F2AB
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,00408966), ref: 0046F2DB
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000000F0), ref: 0046F314
                                              • __vbaStrMove.MSVBVM60(?), ref: 0046F335
                                              • __vbaFreeStr.MSVBVM60 ref: 0046F34E
                                              • __vbaFreeObj.MSVBVM60 ref: 0046F357
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckFreeHresult$ChkstkErrorListMove
                                              • String ID:
                                              • API String ID: 298878014-0
                                              • Opcode ID: 5eb1e972951d7f485f0ccaa2f361aa6149207816eb6f5345a4bcdadda32d524d
                                              • Instruction ID: 8843184180abd2441c98230351b381ce7f75bdd5a04d641dffd48dbf17df8469
                                              • Opcode Fuzzy Hash: 5eb1e972951d7f485f0ccaa2f361aa6149207816eb6f5345a4bcdadda32d524d
                                              • Instruction Fuzzy Hash: F5612D75900209EFCB04DFA4D988BEEBBB5FF48705F108129F546AB2A0DB749985CF94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046303E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00463085
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004630DE
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004630F9
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,00000000), ref: 00463114
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046313D
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00463158
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,00000000,000000FF), ref: 00463175
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046319B
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 004631B6
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,00000000,00000000), ref: 004631D3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$FreeList$ChkstkError
                                              • String ID:
                                              • API String ID: 1109679634-0
                                              • Opcode ID: 3957812b30a2ce7494fdf985208258203b8ba3f6c5ffe6193ae43bec42933063
                                              • Instruction ID: 5767a874f7719be25a3136a617a840e94f7041b2dad7cf34b262fba6c6d80756
                                              • Opcode Fuzzy Hash: 3957812b30a2ce7494fdf985208258203b8ba3f6c5ffe6193ae43bec42933063
                                              • Instruction Fuzzy Hash: 7D512AB5900248EFCB04DF94C989BDEBBB8FF48314F14811AF505BB294D779AA44CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 00477CBE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00477D05
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041AD1C,00000108), ref: 00477D42
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041AD1C,000002E8), ref: 00477D89
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041AD1C,00000108), ref: 00477DCB
                                              • _adj_fdiv_m32i.MSVBVM60 ref: 00477DFD
                                              • _adj_fdiv_m32i.MSVBVM60 ref: 00477E50
                                              Strings
                                              • MBSS Light is a Shareware product., xrefs: 00477D58
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$_adj_fdiv_m32i$ChkstkError
                                              • String ID: MBSS Light is a Shareware product.
                                              • API String ID: 662598385-130526311
                                              • Opcode ID: bdf872bc1307f323e75f9f030344fcbf7105e48152ed339cb188dc97adaf768c
                                              • Instruction ID: 754ea0c073d016f7ffffad010bcc2c764f65018c3c2a9721c7db38767168f87f
                                              • Opcode Fuzzy Hash: bdf872bc1307f323e75f9f030344fcbf7105e48152ed339cb188dc97adaf768c
                                              • Instruction Fuzzy Hash: 12617DB4904248EFCB00DF94D988BEDBBB5FF48744F208559F549AB294C7B89981CF98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • #631.MSVBVM60( 1 9999 4 2000 3600 4500 0 100 3 75 90 3600 0,00000001,?), ref: 0049E0C4
                                              • __vbaStrMove.MSVBVM60 ref: 0049E0D5
                                              • #519.MSVBVM60(00000000), ref: 0049E0D8
                                              • __vbaStrMove.MSVBVM60 ref: 0049E0E3
                                              • #581.MSVBVM60(00000000), ref: 0049E0E6
                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0049E0F9
                                              • __vbaFreeVar.MSVBVM60 ref: 0049E105
                                              Strings
                                              • 1 9999 4 2000 3600 4500 0 100 3 75 90 3600 0, xrefs: 0049E0B1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$FreeMove$#519#581#631List
                                              • String ID: 1 9999 4 2000 3600 4500 0 100 3 75 90 3600 0
                                              • API String ID: 3822643037-3383193830
                                              • Opcode ID: f5dfe268776ea695fadced3b16307f2ad8914f3726c7bb767820b087e907aad1
                                              • Instruction ID: c7571440d4033c6e67be7a4ac47fffaefa82ae31c9e7f62c0336227b9e97f9d3
                                              • Opcode Fuzzy Hash: f5dfe268776ea695fadced3b16307f2ad8914f3726c7bb767820b087e907aad1
                                              • Instruction Fuzzy Hash: D921B7B4D00209AFCB40DFA8D949AEEBFF8EB08705F10816AE509F7260EB745545CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,004B0FD4), ref: 004C208E
                                              • __vbaVarDup.MSVBVM60(00000000,?,?,?,00408966), ref: 004C20BB
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00408966), ref: 004C20CA
                                              • __vbaStrErrVarCopy.MSVBVM60(00000001,00413154,00415A24,00000001,000000FF,00000000,?,?,?,00408966), ref: 004C20EB
                                              • __vbaStrMove.MSVBVM60(?,?,?,00408966), ref: 004C20F6
                                              • #712.MSVBVM60(00000000,?,?,?,00408966), ref: 004C20FD
                                              • __vbaStrMove.MSVBVM60(?,?,?,00408966), ref: 004C2108
                                              • __vbaFreeStr.MSVBVM60(?,?,?,00408966), ref: 004C2111
                                              • __vbaFreeVar.MSVBVM60(004C2145,?,?,?,00408966), ref: 004C213E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$FreeMove$#712ChkstkCopyError
                                              • String ID:
                                              • API String ID: 648967275-0
                                              • Opcode ID: fa5c1cdbf1d7b9b2a0db81d397ceeb081f0517d38c5e2654232a1304da01074d
                                              • Instruction ID: c710a4c459ab50816c87433b5cb493dce6829b9b51b5c926aff71d1cc92391d4
                                              • Opcode Fuzzy Hash: fa5c1cdbf1d7b9b2a0db81d397ceeb081f0517d38c5e2654232a1304da01074d
                                              • Instruction Fuzzy Hash: 00111C74941248EBDB00DF94DE49BDEBBB4EB04705F204269F512B22E0DBB81A48CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00408966), ref: 00475909
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416C3C,00000050,?,?,?,?,?,?,?,?,?,00408966), ref: 0047592A
                                              • __vbaObjSetAddref.MSVBVM60(?,00403BD8,?,?,?,?,?,?,?,?,?,00408966), ref: 00475935
                                              • __vbaStrCmp.MSVBVM60(Preview,?,?,?,?,?,?,?,?,?,?,00408966), ref: 00475944
                                              • __vbaFreeStr.MSVBVM60(?,00000001,?,?,?,?,?,?,?,?,?,00408966), ref: 0047595E
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 0047596E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$AddrefCheckHresultList
                                              • String ID: Preview
                                              • API String ID: 1312646064-1983387308
                                              • Opcode ID: e67a1331c8495d1c1001fe34033b14b302b444b019e64d0835fb527f1b95e654
                                              • Instruction ID: a5ecb03abae21a2412205f88a184a3391df97192bb6a9bcfa9df25549bc203ac
                                              • Opcode Fuzzy Hash: e67a1331c8495d1c1001fe34033b14b302b444b019e64d0835fb527f1b95e654
                                              • Instruction Fuzzy Hash: E0212FB1900219AFCB009FA4CD89EEEBB7CFB48705F10812EF646E7191D77855458BA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$_adj_fdiv_m32_adj_fdiv_m64_adj_fdivr_m64
                                              • String ID:
                                              • API String ID: 239501889-0
                                              • Opcode ID: 1bd63ae950c8e65839f0e2761d037e77d3e571887dd17ead017b4581817ca43b
                                              • Instruction ID: 8e73bf2b2a064de504fbdab9b10f10a2cc8d273ab12bb8e330fe4706a8aa6844
                                              • Opcode Fuzzy Hash: 1bd63ae950c8e65839f0e2761d037e77d3e571887dd17ead017b4581817ca43b
                                              • Instruction Fuzzy Hash: BA81D170504206DFC704CF64EA8861A7BF5FB88311F41457AF9946B3A5CB34A9A6CF4A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043E4AE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043E4F5
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0043E516
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0043E533
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004159A4,000000A8), ref: 0043E56C
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00415640,000000AC), ref: 0043E5AE
                                              • __vbaFreeStr.MSVBVM60 ref: 0043E5C3
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043E5D3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckFreeHresult$ChkstkErrorList
                                              • String ID:
                                              • API String ID: 2426861696-0
                                              • Opcode ID: 85be70998311c61500d04e10be8998e342f59cbe0949af5aa0936ac5b9660f70
                                              • Instruction ID: 4769b84976400701bf93393dab8923ff504394c92331480223a4fee4fe256acb
                                              • Opcode Fuzzy Hash: 85be70998311c61500d04e10be8998e342f59cbe0949af5aa0936ac5b9660f70
                                              • Instruction Fuzzy Hash: 18411AB5901208EFCB04DF94D988FDEBBB4FF48304F108119F546AB2A0D7749A44CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004B782E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004B785E
                                              • __vbaNew2.MSVBVM60(0040AD70,004E076C,?,?,?,?,00408966), ref: 004B787E
                                              • __vbaChkstk.MSVBVM60 ref: 004B78BD
                                              • __vbaChkstk.MSVBVM60 ref: 004B78E0
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041FD84,000002B0), ref: 004B792A
                                              • __vbaCastObj.MSVBVM60(00000000,0041FDB4), ref: 004B794A
                                              • __vbaObjSet.MSVBVM60(004E076C,00000000), ref: 004B7956
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Chkstk$CastCheckErrorHresultNew2
                                              • String ID:
                                              • API String ID: 2314876889-0
                                              • Opcode ID: cac6ff0ed3e34126378f9d035348ac51a6557b72a86054c613b5a6863437a9b0
                                              • Instruction ID: eea30e6703c13c98183ab20b289614ff1425fca82de63f20748235ae1b048014
                                              • Opcode Fuzzy Hash: cac6ff0ed3e34126378f9d035348ac51a6557b72a86054c613b5a6863437a9b0
                                              • Instruction Fuzzy Hash: F841C5B4A00348DFDB00DF94DA89B9DBBB0FB48714F10816AE509B7391C7B86985CF59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046F81E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0046F865
                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,?,00408966), ref: 0046F886
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0046F894
                                              • __vbaObjSet.MSVBVM60(?,?,004170E0), ref: 0046F8B4
                                              • __vbaCastObj.MSVBVM60(00000000), ref: 0046F8BB
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046F8C6
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,00408966), ref: 004D390E
                                                • Part of subcall function 004D38F0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,?), ref: 004D393E
                                                • Part of subcall function 004D38F0: __vbaNew2.MSVBVM60(0040B4E8,004E06E8,?,?,?,?,00408966,?), ref: 004D395E
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D399D
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D39C0
                                                • Part of subcall function 004D38F0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B314,000002B0), ref: 004D3A0A
                                                • Part of subcall function 004D38F0: __vbaCastObj.MSVBVM60(00000000,0041B344), ref: 004D3A2A
                                                • Part of subcall function 004D38F0: __vbaObjSet.MSVBVM60(004E06E8,00000000), ref: 004D3A36
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D3A5D
                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,00000000,?,?), ref: 0046F8EB
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Chkstk$CastError$AddrefCheckFreeHresultListNew2
                                              • String ID:
                                              • API String ID: 3436864022-0
                                              • Opcode ID: 984b4fa79a4605265f601fb2aa021c4b2270568796024e11f0249cf06847c48b
                                              • Instruction ID: b6bce11c4d5766da6488f9780875b4704e9130f9ae931703297872dde6996e03
                                              • Opcode Fuzzy Hash: 984b4fa79a4605265f601fb2aa021c4b2270568796024e11f0249cf06847c48b
                                              • Instruction Fuzzy Hash: 73311AB6910208AFCB00DF94C988FDEBBB8FF48700F108219F516B7290D778A644CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0044342E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00443475
                                              • __vbaCastObj.MSVBVM60(00000000,00415410,?,?,?,?,00408966), ref: 00443489
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00443494
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004434B3
                                              • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,00408966), ref: 004434BA
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 004434C5
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,00408966), ref: 004D390E
                                                • Part of subcall function 004D38F0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,?), ref: 004D393E
                                                • Part of subcall function 004D38F0: __vbaNew2.MSVBVM60(0040B4E8,004E06E8,?,?,?,?,00408966,?), ref: 004D395E
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D399D
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D39C0
                                                • Part of subcall function 004D38F0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B314,000002B0), ref: 004D3A0A
                                                • Part of subcall function 004D38F0: __vbaCastObj.MSVBVM60(00000000,0041B344), ref: 004D3A2A
                                                • Part of subcall function 004D38F0: __vbaObjSet.MSVBVM60(004E06E8,00000000), ref: 004D3A36
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D3A5D
                                              • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,00408966), ref: 004434E6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Chkstk$Cast$Error$CheckFreeHresultListNew2
                                              • String ID:
                                              • API String ID: 316154030-0
                                              • Opcode ID: 41b4ab7bd3d36a7107575344c783b0a0bc2a950916d449ede547283d1218dacd
                                              • Instruction ID: a6a52a467bcc9f7985bb5289c75f8db77a19143c2e0cab548822999ed8f9fa8b
                                              • Opcode Fuzzy Hash: 41b4ab7bd3d36a7107575344c783b0a0bc2a950916d449ede547283d1218dacd
                                              • Instruction Fuzzy Hash: DE310BB5900248EFDB00DFA4C949BDEBBB8FB48715F108559F515AB290C778A644CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004860EE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00486135
                                              • __vbaCastObj.MSVBVM60(00000000,00415410,?,?,?,?,00408966), ref: 00486149
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00486154
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00486173
                                              • __vbaCastObj.MSVBVM60(00000000,?,?,?,?,00408966), ref: 0048617A
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00486185
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,00408966), ref: 004D390E
                                                • Part of subcall function 004D38F0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,?), ref: 004D393E
                                                • Part of subcall function 004D38F0: __vbaNew2.MSVBVM60(0040B4E8,004E06E8,?,?,?,?,00408966,?), ref: 004D395E
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D399D
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D39C0
                                                • Part of subcall function 004D38F0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041B314,000002B0), ref: 004D3A0A
                                                • Part of subcall function 004D38F0: __vbaCastObj.MSVBVM60(00000000,0041B344), ref: 004D3A2A
                                                • Part of subcall function 004D38F0: __vbaObjSet.MSVBVM60(004E06E8,00000000), ref: 004D3A36
                                                • Part of subcall function 004D38F0: __vbaChkstk.MSVBVM60 ref: 004D3A5D
                                              • __vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,00408966), ref: 004861A6
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Chkstk$Cast$Error$CheckFreeHresultListNew2
                                              • String ID:
                                              • API String ID: 316154030-0
                                              • Opcode ID: 4a7a070b97295630709df2e7e27bec023ae2dd051f9e0d7310656cc64d7c4fe5
                                              • Instruction ID: 1f8fb8cd3dd79ae62ec351549873f94eae3dae43afc513035a0f06349e15ff51
                                              • Opcode Fuzzy Hash: 4a7a070b97295630709df2e7e27bec023ae2dd051f9e0d7310656cc64d7c4fe5
                                              • Instruction Fuzzy Hash: 83215EB6900248EFCB00EFA4C949FDE7BB8FB48710F108559F515B7291C778A644CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • _adj_fdivr_m64.MSVBVM60 ref: 00495DAF
                                              • #681.MSVBVM60(?,?,?,?), ref: 00495DFA
                                              • __vbaI4Var.MSVBVM60(00000000), ref: 00495E04
                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,00000005,00000000), ref: 00495E1B
                                              • _adj_fdiv_m64.MSVBVM60 ref: 00495EB7
                                              • _adj_fdiv_m32i.MSVBVM60(?), ref: 00495ED5
                                              • __vbaFpI4.MSVBVM60(?), ref: 00495EE2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$#681FreeList_adj_fdiv_m32i_adj_fdiv_m64_adj_fdivr_m64
                                              • String ID:
                                              • API String ID: 1769687968-0
                                              • Opcode ID: 4d21f8410db30ae6c1e51669e7b969a02a809ec1348e3f7f5088fbb0544dcb30
                                              • Instruction ID: d2426d375b46329b5700a9f1e1c9937dc5e46597c4fb990547db50fc8ffd914a
                                              • Opcode Fuzzy Hash: 4d21f8410db30ae6c1e51669e7b969a02a809ec1348e3f7f5088fbb0544dcb30
                                              • Instruction Fuzzy Hash: 1441B271900608EBCF05DFA4DE40B9EBBB9FB44714F21823AE915AB2A1D7355E41CB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 00453D3F
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 00453D51
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004170F0,000000E0,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 00453D74
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416C3C,0000008C,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 00453DA1
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00408966), ref: 00453DB1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckHresult$FreeList
                                              • String ID: X$@
                                              • API String ID: 2772417511-450496044
                                              • Opcode ID: 76b6c5ff9b3d910db166df94fead06772bcea6300427b5c49b0d4de852bbb837
                                              • Instruction ID: 62941f6cf13359069587f2b6fc25821875e2565aaf3e4897f6a61a59ed872884
                                              • Opcode Fuzzy Hash: 76b6c5ff9b3d910db166df94fead06772bcea6300427b5c49b0d4de852bbb837
                                              • Instruction Fuzzy Hash: 18216F71900219AFDB109FA4CD49FEEBBB8FF48700F10852AF985E7281D77895458BA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 00443D5E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00443DA5
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416960,00000058), ref: 00443DDC
                                              • __vbaStrToAnsi.MSVBVM60(?,00000000,00000001,00001F40), ref: 00443E00
                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00443E10
                                              • __vbaStrToUnicode.MSVBVM60(004E028C,?), ref: 00443E1F
                                              • __vbaFreeStr.MSVBVM60 ref: 00443E28
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$AnsiCheckChkstkFreeHresultSystemUnicode
                                              • String ID:
                                              • API String ID: 356994374-0
                                              • Opcode ID: 70efd6695d66aae407b7532be82d0bc727604fdb66bd5f341aafd2d6feeeee19
                                              • Instruction ID: d81615f96778b14c2d5dd0bf2f2200b5d0427c24ed5b6644d3e07b8819c3ce4e
                                              • Opcode Fuzzy Hash: 70efd6695d66aae407b7532be82d0bc727604fdb66bd5f341aafd2d6feeeee19
                                              • Instruction Fuzzy Hash: 50313EB5900608EFDB10DFA4C949BDD7BB4FB48705F208159F515BB290C778AA40CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046449E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004644E5
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 00464506
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 00464521
                                                • Part of subcall function 004B0E60: __vbaObjSetAddref.MSVBVM60(?,?), ref: 004B0EA1
                                                • Part of subcall function 004B0E60: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A0), ref: 004B0EE5
                                                • Part of subcall function 004B0E60: #581.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B0EEF
                                                • Part of subcall function 004B0E60: __vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00408966), ref: 004B0F06
                                                • Part of subcall function 004B0E60: __vbaFpI4.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B0F0C
                                                • Part of subcall function 004B0E60: __vbaFpI4.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B0F12
                                                • Part of subcall function 004B0E60: __vbaStrI4.MSVBVM60(00000000,00000000), ref: 004B0F1B
                                                • Part of subcall function 004B0E60: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00408966), ref: 004B0F26
                                                • Part of subcall function 004B0E60: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415658,000000A4), ref: 004B0F50
                                                • Part of subcall function 004B0E60: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004B10AE
                                                • Part of subcall function 004B0E60: __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004B10BC
                                                • Part of subcall function 004B0E60: __vbaFreeObj.MSVBVM60(004B10E8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004B10E1
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,00000000,00000000,42C80000), ref: 00464543
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$AddrefCheckHresultList$#581ChkstkErrorMove
                                              • String ID: pEF
                                              • API String ID: 2697544761-3103911591
                                              • Opcode ID: 87b19508945ca9339a8c9aefa37214c35c4e157b1ca75755193c62de3aa13cec
                                              • Instruction ID: e7a3dc0ed354448576743a6d0bf7a50e4c6e34713a2b2c2a54f5682e50c1704b
                                              • Opcode Fuzzy Hash: 87b19508945ca9339a8c9aefa37214c35c4e157b1ca75755193c62de3aa13cec
                                              • Instruction Fuzzy Hash: 02212AB5900208EFDB00DF94C989BDEBBB8FB48714F108259F515BB290D778AA448BA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0045287E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004528C5
                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0045292C
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417188,00000040), ref: 00452968
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0045298F
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000), ref: 004529AC
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CheckChkstkErrorFreeHresultList
                                              • String ID:
                                              • API String ID: 3165652009-0
                                              • Opcode ID: 05ffc25d5f3640efa27c592ecb58f0d9c24fdece83851fc1fd27b707fd69b6a0
                                              • Instruction ID: 91109c9a9d69c2bc1b3be59df3909d684d76ebc950f6e60cd1783d7d9458d845
                                              • Opcode Fuzzy Hash: 05ffc25d5f3640efa27c592ecb58f0d9c24fdece83851fc1fd27b707fd69b6a0
                                              • Instruction Fuzzy Hash: E841E8B5900248EFCB04DFA4D988BDEBBB4FF49704F10815AF915AB394D778AA44CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0045485E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004548A5
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,?,00408966), ref: 004548D5
                                              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004548FB
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000010), ref: 00454928
                                              • __vbaFreeObj.MSVBVM60 ref: 0045493D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$AddrefCheckChkstkErrorFreeHresultNew2
                                              • String ID:
                                              • API String ID: 1239236342-0
                                              • Opcode ID: dd285ffa283e791f615c82f4b07e663de9d893d5cb73777d96ab4cf0e9a3a635
                                              • Instruction ID: 6ad76add72d7e863a102ba707d2640397d046e25ae22d4a0c1477137ca4b6ca2
                                              • Opcode Fuzzy Hash: dd285ffa283e791f615c82f4b07e663de9d893d5cb73777d96ab4cf0e9a3a635
                                              • Instruction Fuzzy Hash: 7B312BB4900248EFCB10DF98C949BDDBBB4FB48315F208119E515BB2A0C7789A85CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0047BC5E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0047BCA5
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0047BCF4
                                                • Part of subcall function 004D7E80: __vbaChkstk.MSVBVM60(?,00408966,00000030,?,?,?,?,00408966), ref: 004D7E9E
                                                • Part of subcall function 004D7E80: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,00000030), ref: 004D7ECE
                                                • Part of subcall function 004D7E80: __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,00408966,00000030), ref: 004D7F58
                                                • Part of subcall function 004D7E80: __vbaLateMemCallLd.MSVBVM60(?,?,ScaleLeft,00000000,00000003), ref: 004D7FDD
                                                • Part of subcall function 004D7E80: __vbaVarSub.MSVBVM60(?,00000000,?,?,?,00408966), ref: 004D7FEE
                                                • Part of subcall function 004D7E80: __vbaVarPow.MSVBVM60(?,?,00000000,?,?,?,00408966), ref: 004D8003
                                                • Part of subcall function 004D7E80: __vbaLateMemCallLd.MSVBVM60(?,?,ScaleTop,00000000,?,00000000,?,?,?,00408966), ref: 004D8026
                                                • Part of subcall function 004D7E80: __vbaVarSub.MSVBVM60(?,00000000), ref: 004D8037
                                              • __vbaFreeObj.MSVBVM60(?,00401020,00B08040,00000028,00000007,0000003C,00000030,?,?,?,?,00408966), ref: 0047BD18
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0047BD2D
                                                • Part of subcall function 004D9F70: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,?,?,00408966), ref: 004D9F8E
                                                • Part of subcall function 004D9F70: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,?), ref: 004D9FBE
                                                • Part of subcall function 004D9F70: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966,?), ref: 004D9FD8
                                                • Part of subcall function 004D9F70: __vbaLateMemCallLd.MSVBVM60(?,?,ScaleWidth,00000000,?,?,?,?,?,00408966,?), ref: 004D9FF7
                                                • Part of subcall function 004D9F70: __vbaI4Var.MSVBVM60(00000000,?,?,?,00408966,?), ref: 004DA001
                                                • Part of subcall function 004D9F70: __vbaFreeVar.MSVBVM60(?,?,?,00408966,?), ref: 004DA00D
                                                • Part of subcall function 004D9F70: __vbaLateMemCallLd.MSVBVM60(?,?,ScaleHeight,00000000,?,?,?,00408966,?), ref: 004DA02C
                                                • Part of subcall function 004D9F70: __vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?), ref: 004DA036
                                                • Part of subcall function 004D9F70: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 004DA042
                                                • Part of subcall function 004D9F70: __vbaChkstk.MSVBVM60 ref: 004DA062
                                                • Part of subcall function 004D9F70: __vbaLateMemSt.MSVBVM60(?,DrawMode), ref: 004DA08C
                                                • Part of subcall function 004D9F70: __vbaChkstk.MSVBVM60 ref: 004DA0AC
                                                • Part of subcall function 004D9F70: __vbaLateMemSt.MSVBVM60(?,DrawWidth), ref: 004DA0D6
                                              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00408966), ref: 0047BD3F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Late$Chkstk$AddrefCallFree$Error
                                              • String ID:
                                              • API String ID: 4181897965-0
                                              • Opcode ID: 88a1e7f6ce520a5a8b2e59483d836e3dece9fe1dd4123cbd5b965c39ae492b9d
                                              • Instruction ID: 17722324404bb24752581c620a4ac27b8749ab4885692fc9188146f4ef0e18a8
                                              • Opcode Fuzzy Hash: 88a1e7f6ce520a5a8b2e59483d836e3dece9fe1dd4123cbd5b965c39ae492b9d
                                              • Instruction Fuzzy Hash: 38314B75900208EBDB04DF94CA59BDEBBB4FF08744F108159F9057B290C7B9AB44CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 00445C9E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00445CE5
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,?,00408966), ref: 00445D05
                                              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 00445D2B
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000010), ref: 00445D58
                                              • __vbaFreeObj.MSVBVM60 ref: 00445D6D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$AddrefCheckChkstkErrorFreeHresultNew2
                                              • String ID:
                                              • API String ID: 1239236342-0
                                              • Opcode ID: 66a445d8010275ecac358059363e2710d1e3953c69d00f0276f68a3ac9638e7d
                                              • Instruction ID: 8fb04ef8a41784d63f75183df227d34e7d60c7734966525d8a3893fec10f83dd
                                              • Opcode Fuzzy Hash: 66a445d8010275ecac358059363e2710d1e3953c69d00f0276f68a3ac9638e7d
                                              • Instruction Fuzzy Hash: EB312BB4900608EFDB10DF94C949BDDBBB4FF08715F20811AE415B72A1C778AA45CF68
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043CD5E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043CDA5
                                              • __vbaNew2.MSVBVM60(0041396C,004E1490,?,?,?,?,00408966), ref: 0043CDC5
                                              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0043CDEB
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041395C,00000010), ref: 0043CE18
                                              • __vbaFreeObj.MSVBVM60 ref: 0043CE2D
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$AddrefCheckChkstkErrorFreeHresultNew2
                                              • String ID:
                                              • API String ID: 1239236342-0
                                              • Opcode ID: 54f94c116dc2a096c8008ec89caca979610dfa0d0144a098c09573aa24c82b6a
                                              • Instruction ID: a397309027723aba7428bc4ea077ddad2aac80d38d20f25f27db0b836573c8c7
                                              • Opcode Fuzzy Hash: 54f94c116dc2a096c8008ec89caca979610dfa0d0144a098c09573aa24c82b6a
                                              • Instruction Fuzzy Hash: 56310AB5900208EFCB10DF98C989BDDBBB4FB08714F208119E515B7290C778AA45CF69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043F48E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043F4D5
                                              • __vbaCastObj.MSVBVM60(?,00415D18,?,?,?,?,00408966), ref: 0043F4EB
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0043F4F6
                                                • Part of subcall function 004D6FD0: __vbaChkstk.MSVBVM60(?,00408966,?,?,?,0043F2D7,?,000000FF,?,?,?,00408966), ref: 004D6FEE
                                                • Part of subcall function 004D6FD0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004D701E
                                                • Part of subcall function 004D6FD0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000058), ref: 004D7070
                                                • Part of subcall function 004D6FD0: __vbaSetSystemError.MSVBVM60(00000000,000000FC,004D6D10), ref: 004D70A7
                                              • __vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0043F50A
                                              • __vbaSetSystemError.MSVBVM60(00000000,000000FC,00000000,?,?,?,?,00408966), ref: 0043F52B
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$ChkstkSystem$CastCheckFreeHresult
                                              • String ID:
                                              • API String ID: 1506218230-0
                                              • Opcode ID: dbdc06ca17fe0c8486c667d164a1c133af41194a942ad241d966d995c2de3c50
                                              • Instruction ID: 514b89ccd0791bc0d335c0cda5915cce285d82abb9d5ecfbb7994a79276af148
                                              • Opcode Fuzzy Hash: dbdc06ca17fe0c8486c667d164a1c133af41194a942ad241d966d995c2de3c50
                                              • Instruction Fuzzy Hash: DE2151B5500248EFCB00EF94CD49BDE7BB8FB48700F208259F515AB2D1C7789A44CB99
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,J@,0041DCD0,00000058,?,?,?,?,?,?,?,00408966), ref: 0048F0B3
                                              • __vbaHresultCheckObj.MSVBVM60(00000000,J@,0041DCD0,00000058,?,?,?,?,?,?,?,00408966), ref: 0048F0D9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: CheckHresult__vba
                                              • String ID: www.mathsavers.com$www.mathsavers.com/faq.htm$J@
                                              • API String ID: 2812612143-2881780844
                                              • Opcode ID: a4f6d65076decb424b0e3a807786f798312f168005cbcfdf5cfd1167502d0479
                                              • Instruction ID: 9b0bd21b832a58b807b37629a1572ccf5ddebcec33ecdabf41bd42b68f0cf4e6
                                              • Opcode Fuzzy Hash: a4f6d65076decb424b0e3a807786f798312f168005cbcfdf5cfd1167502d0479
                                              • Instruction Fuzzy Hash: EF21D171900904EFCB10EF98CD45A9EBBB8EF44711F20851AF941A7281C3789985CBD4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • #516.MSVBVM60(0041974C,?,?,?,?,00408966), ref: 00476C9E
                                              • #516.MSVBVM60(00419D10,?,?,?,?,00408966), ref: 00476CAD
                                              • #516.MSVBVM60(0041AD40,?,?,?,?,00408966), ref: 00476CCA
                                              • #516.MSVBVM60(0041A810,?,?,?,?,00408966), ref: 00476CD9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: #516
                                              • String ID: (>@
                                              • API String ID: 3095685788-4261844135
                                              • Opcode ID: 8fb4318a84d35086e334610a0e360311b2b6a93c6a0216763dec7a9ddc6e473c
                                              • Instruction ID: 2a1dfec766b42ca17eb6447bf2d979e85eafccc2da5b3994924813861849dc39
                                              • Opcode Fuzzy Hash: 8fb4318a84d35086e334610a0e360311b2b6a93c6a0216763dec7a9ddc6e473c
                                              • Instruction Fuzzy Hash: 74217175A00645AFCB10EFA4D845B9EB7B5FB44720F10C57EE88597280D7B89DC4CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0043F06E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0043F0B5
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0043F0CA
                                                • Part of subcall function 004B3170: __vbaChkstk.MSVBVM60(00000000,00408966,General\Template,?,?,?,?,00408966), ref: 004B318E
                                                • Part of subcall function 004B3170: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966,General\Template), ref: 004B31BB
                                                • Part of subcall function 004B3170: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,General\Template), ref: 004B31CA
                                                • Part of subcall function 004B3170: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,00000000,00408966,General\Template), ref: 004B31E4
                                                • Part of subcall function 004B3170: __vbaLateMemCallLd.MSVBVM60(?,?,WindowState,00000000), ref: 004B3217
                                                • Part of subcall function 004B3170: __vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000,00408966,General\Template), ref: 004B3228
                                                • Part of subcall function 004B3170: __vbaFreeVar.MSVBVM60(?,?,00000000,00408966,General\Template), ref: 004B3238
                                                • Part of subcall function 004B3170: __vbaChkstk.MSVBVM60(00000001,Light), ref: 004B3270
                                                • Part of subcall function 004B3170: __vbaLateMemCallLd.MSVBVM60(?,?,WindowState,00000000,?,WindowState,00000001,Light), ref: 004B3336
                                                • Part of subcall function 004B3170: __vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,00408966,General\Template), ref: 004B3347
                                                • Part of subcall function 004B3170: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,00408966,General\Template), ref: 004B3357
                                              • __vbaFreeObj.MSVBVM60(?,General\Template,?,?,?,?,00408966), ref: 0043F0E1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$ChkstkFree$AddrefCallErrorLate$Copy
                                              • String ID: General\Template
                                              • API String ID: 3915633062-398307301
                                              • Opcode ID: 8bc965b90fc5104012629074ef8955a5920d1e05597b79b77fbd1a3fdcfd00a0
                                              • Instruction ID: 170e9ca5438a2b0330a0bea592a70b91e3a9d4a1285ee39ae54e0980708426fb
                                              • Opcode Fuzzy Hash: 8bc965b90fc5104012629074ef8955a5920d1e05597b79b77fbd1a3fdcfd00a0
                                              • Instruction Fuzzy Hash: C1112AB5900608EFCB00DF98CA49BDDBBB8FB08744F208259F91577291C779AB44CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 00443C7E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 00443CC5
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 00443CDA
                                                • Part of subcall function 004B3170: __vbaChkstk.MSVBVM60(00000000,00408966,General\Template,?,?,?,?,00408966), ref: 004B318E
                                                • Part of subcall function 004B3170: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00408966,General\Template), ref: 004B31BB
                                                • Part of subcall function 004B3170: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,General\Template), ref: 004B31CA
                                                • Part of subcall function 004B3170: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,00000000,00408966,General\Template), ref: 004B31E4
                                                • Part of subcall function 004B3170: __vbaLateMemCallLd.MSVBVM60(?,?,WindowState,00000000), ref: 004B3217
                                                • Part of subcall function 004B3170: __vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000,00408966,General\Template), ref: 004B3228
                                                • Part of subcall function 004B3170: __vbaFreeVar.MSVBVM60(?,?,00000000,00408966,General\Template), ref: 004B3238
                                                • Part of subcall function 004B3170: __vbaChkstk.MSVBVM60(00000001,Light), ref: 004B3270
                                                • Part of subcall function 004B3170: __vbaLateMemCallLd.MSVBVM60(?,?,WindowState,00000000,?,WindowState,00000001,Light), ref: 004B3336
                                                • Part of subcall function 004B3170: __vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,00408966,General\Template), ref: 004B3347
                                                • Part of subcall function 004B3170: __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00000000,00408966,General\Template), ref: 004B3357
                                              • __vbaFreeObj.MSVBVM60(?,General\Advanced,?,?,?,?,00408966), ref: 00443CF1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$ChkstkFree$AddrefCallErrorLate$Copy
                                              • String ID: General\Advanced
                                              • API String ID: 3915633062-1012127767
                                              • Opcode ID: c8ba34d0ca07689c4543654930f85946d0373c9675643e0443a5261897ffda7a
                                              • Instruction ID: e79de6b3a77bdd1aabdc2ad9ff6e9a23036439475b1858fc6c9b5f95d99b881e
                                              • Opcode Fuzzy Hash: c8ba34d0ca07689c4543654930f85946d0373c9675643e0443a5261897ffda7a
                                              • Instruction Fuzzy Hash: 001130B5900208EFDB00DF98CA49BDDBBB8FB08704F208159F91577290C7B8AB44CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 004864CE
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004864FE
                                              • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0048651F
                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0048653A
                                                • Part of subcall function 004AB8B0: __vbaChkstk.MSVBVM60(?,00408966,00000000,?,?,?,00000000,00408966), ref: 004AB8CE
                                                • Part of subcall function 004AB8B0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,00000000), ref: 004AB8FE
                                                • Part of subcall function 004AB8B0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000048), ref: 004AB9FB
                                                • Part of subcall function 004AB8B0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415B7C,00000190), ref: 004ABA60
                                                • Part of subcall function 004AB8B0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00415D18,00000048), ref: 004ABABD
                                              • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,?,000000FF,3F800000,00000000), ref: 0048655C
                                                • Part of subcall function 00495F20: __vbaChkstk.MSVBVM60(00000000,00408966,00000000,?,?,?,00000000,00408966), ref: 00495F3E
                                                • Part of subcall function 00495F20: __vbaOnError.MSVBVM60(00000001,?,?,?,00000000,00408966,00000000), ref: 00495F6E
                                                • Part of subcall function 00495F20: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,00408966,00000000), ref: 00495FDA
                                                • Part of subcall function 00495F20: __vbaSetSystemError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 00495FEE
                                                • Part of subcall function 00495F20: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 00496013
                                                • Part of subcall function 00495F20: __vbaChkstk.MSVBVM60(00000001,Light,General,UseCountPreview,00000001,Light,General,UseCountPreview,00000000,00000001,Light), ref: 00496216
                                                • Part of subcall function 004D60B0: __vbaAryDestruct.MSVBVM60(00000000,?,004D69E1,00000000,3F800000,Advanced,Adv_SpfxCycle,00000000), ref: 004D69D1
                                                • Part of subcall function 004D60B0: __vbaFreeStr.MSVBVM60 ref: 004D69DA
                                                • Part of subcall function 004A1D90: __vbaChkstk.MSVBVM60(00000000,00408966,00000000,?,?,?,00000000,00408966), ref: 004A1DAE
                                                • Part of subcall function 004A1D90: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,00000000), ref: 004A1DDE
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,0000000A,0000270F,00000000,0000000A,000003E7,CyclePropsSetMinMaxRange,?,?,?,00000000,00408966,00000000), ref: 004A1E49
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000000,00000168,00000000,00000000,461C3C00,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1EA1
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1ED9
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000001,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F11
                                                • Part of subcall function 004A1D90: __vbaFpI4.MSVBVM60(00000000,0000270F,00000000,?,?,?,00000000,00408966,00000000), ref: 004A1F49
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$Chkstk$CheckHresult$FreeSystem$DestructList
                                              • String ID:
                                              • API String ID: 3218873121-0
                                              • Opcode ID: dfe560fb8516d67b0877f02624ec4bed1eac72e15f02a21579a4a1149c3281e4
                                              • Instruction ID: 04d51c86c718f2235a285420b5858ab5878d78248f82d4d8d7cad2e3d40ed98f
                                              • Opcode Fuzzy Hash: dfe560fb8516d67b0877f02624ec4bed1eac72e15f02a21579a4a1149c3281e4
                                              • Instruction Fuzzy Hash: 7E213DB5801208EBDB00EF94D949BDEBBB8BB08714F20815EE50577295C7B95A448FA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0045658E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 004565BE
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00408966), ref: 004565E6
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00408966), ref: 00456620
                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00408966), ref: 0045665A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$System$Chkstk
                                              • String ID:
                                              • API String ID: 1207130036-0
                                              • Opcode ID: 786bf9aa7bbbee5df7facbd652870d0fb69dac4a910c1ce39fe4772b8417afdd
                                              • Instruction ID: 7f82faf451a3e1ebee79398ee0c241a0ec5c2126ffe8c949166ac320ef77dacb
                                              • Opcode Fuzzy Hash: 786bf9aa7bbbee5df7facbd652870d0fb69dac4a910c1ce39fe4772b8417afdd
                                              • Instruction Fuzzy Hash: 2E213DB0801248DFEB00DF94DA8C7AEBBB4FB04309F11816ED5506B2D1C7BE1A88CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,004A2F06,000000FF,000000FF), ref: 004B090E
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,00408966), ref: 004B093E
                                              • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00408966), ref: 004B0980
                                              • #598.MSVBVM60(?,00000000,?,00000000,00408966), ref: 004B0993
                                              • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,00408966), ref: 004B09A8
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$System$#598Chkstk
                                              • String ID:
                                              • API String ID: 2064105516-0
                                              • Opcode ID: d8897a84e2250e1b0022d265c13e81dc769603e7cb0ff06750532fef31202c42
                                              • Instruction ID: 4e2d5457b4d5d2ce359edd583d72499ddec5b949caf4198e2e39d3c5fac2217f
                                              • Opcode Fuzzy Hash: d8897a84e2250e1b0022d265c13e81dc769603e7cb0ff06750532fef31202c42
                                              • Instruction Fuzzy Hash: 61215BB4901348DFDB00DFA8DA48B8DBBB4FB48719F10816AE405B7791C7795A84CFA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Free$#593#594
                                              • String ID:
                                              • API String ID: 485026543-0
                                              • Opcode ID: f034791e733b7712de13f2bc9429520c21c62072c7f5d019accbc9dd25d6fd62
                                              • Instruction ID: 0513677415db07406a0b13068e15d744e390e88c6f55e635eca3db6fc39136dc
                                              • Opcode Fuzzy Hash: f034791e733b7712de13f2bc9429520c21c62072c7f5d019accbc9dd25d6fd62
                                              • Instruction Fuzzy Hash: 68015E71D00249DBC710DFA4DA45B9DBBB8FB18700F114169D446B36A0D7796E058B69
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,00408966), ref: 00485850
                                              • __vbaVarCopy.MSVBVM60(?,?,?,?,?,?,?,?,00408966), ref: 0048585C
                                              • __vbaFreeVar.MSVBVM60(00485871,?,?,?,?,?,?,?,?,00408966), ref: 0048586A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$CopyFree
                                              • String ID: 0G@
                                              • API String ID: 1165857907-315532496
                                              • Opcode ID: 014eb5a3489e467e5673e3683a92bb253d4d0f0ec6a9100e8a81eb5f1ae241e5
                                              • Instruction ID: aa3b974b7ce2c34c2e5782a8034fff6fda52aeb1c5d0e087753fcdc9f037fbb1
                                              • Opcode Fuzzy Hash: 014eb5a3489e467e5673e3683a92bb253d4d0f0ec6a9100e8a81eb5f1ae241e5
                                              • Instruction Fuzzy Hash: A9F03770800249AFCB00EF65CB49ADDBBF8FF58704F1080AAE845B3660D7746A05CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046FC7E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0046FCC5
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0046FCDA
                                                • Part of subcall function 004B6EA0: __vbaChkstk.MSVBVM60(?,00408966,00000000,?,?,?,?,00408966), ref: 004B6EBE
                                                • Part of subcall function 004B6EA0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,00000000), ref: 004B6EEE
                                              • __vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0046FCF5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$ChkstkError$AddrefFree
                                              • String ID:
                                              • API String ID: 2169701057-0
                                              • Opcode ID: 2b9d4444c353a52caebe283f32f7802e070801f2ab1008ba9a4182f8bbb2efd4
                                              • Instruction ID: 2f8c45c2fb0bf57ef6b9c856a120cdbc3a28f024ff455e9a41dce827a8237902
                                              • Opcode Fuzzy Hash: 2b9d4444c353a52caebe283f32f7802e070801f2ab1008ba9a4182f8bbb2efd4
                                              • Instruction Fuzzy Hash: 781112B5900608EFCB00DF94C945BDDBBF8FF48744F608159F415AB290D779AA44CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046FD5E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0046FDA5
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0046FDBA
                                                • Part of subcall function 004B71B0: __vbaChkstk.MSVBVM60(?,00408966,00000000,?,?,?,?,00408966), ref: 004B71CE
                                                • Part of subcall function 004B71B0: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966,00000000), ref: 004B71FE
                                                • Part of subcall function 004B71B0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000004,00000001,0000000C,00000000,?,?,?,?,00408966,00000000), ref: 004B721E
                                                • Part of subcall function 004B71B0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000004,00000001,0000000C,00000000), ref: 004B7241
                                                • Part of subcall function 004B71B0: __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000C,00000000), ref: 004B7264
                                              • __vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,00408966), ref: 0046FDD5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Redim$ChkstkError$AddrefFree
                                              • String ID:
                                              • API String ID: 3082796732-0
                                              • Opcode ID: 81e6262d1ba896d4aba23329ee2a0aac336c2e0d8a1d07a8e994ed593623e8c0
                                              • Instruction ID: 61a63d8dc8377a9226791a8321c850b58221546aa84eb89dc4c197c22d71caaa
                                              • Opcode Fuzzy Hash: 81e6262d1ba896d4aba23329ee2a0aac336c2e0d8a1d07a8e994ed593623e8c0
                                              • Instruction Fuzzy Hash: 01110075900208EFCB00DF98CA45BDDBBF8FF48744F208159F415AB290D779AA44CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(?,00408966), ref: 0046F09E
                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00408966), ref: 0046F0E5
                                              • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00408966), ref: 0046F0FA
                                                • Part of subcall function 004BE490: __vbaChkstk.MSVBVM60(00000000,00408966,?,?,?,?,?,00408966), ref: 004BE4AE
                                                • Part of subcall function 004BE490: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,?), ref: 004BE4DE
                                                • Part of subcall function 004BE490: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,00000000,00408966,?), ref: 004BE4F5
                                                • Part of subcall function 004BE490: __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,00408966,?), ref: 004BE516
                                                • Part of subcall function 004BE490: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041392C,000000F0), ref: 004BE54F
                                                • Part of subcall function 004BE490: __vbaFreeObj.MSVBVM60 ref: 004BE571
                                                • Part of subcall function 004BE490: __vbaStrR4.MSVBVM60(?,?,00000000), ref: 004BE58D
                                                • Part of subcall function 004BE490: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004BE598
                                                • Part of subcall function 004BE490: __vbaStrCat.MSVBVM60( - ,00000000,?,?,00000000), ref: 004BE5A4
                                                • Part of subcall function 004BE490: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004BE5AF
                                                • Part of subcall function 004BE490: __vbaStrR4.MSVBVM60(?,?,00000001,00000000,?,?,00000000), ref: 004BE5C5
                                                • Part of subcall function 004BE490: __vbaStrMove.MSVBVM60(?,?,00000001,00000000,?,?,00000000), ref: 004BE5D0
                                                • Part of subcall function 004BE490: __vbaStrCat.MSVBVM60(00000000,?,?,00000001,00000000,?,?,00000000), ref: 004BE5D7
                                                • Part of subcall function 004BE490: __vbaStrMove.MSVBVM60(?,?,00000001,00000000,?,?,00000000), ref: 004BE5E2
                                              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00408966), ref: 0046F10C
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Move$AddrefChkstkErrorFree$CheckHresult
                                              • String ID:
                                              • API String ID: 2724776081-0
                                              • Opcode ID: 30cdb184e87978f74a8f5fac51a18efdbe05a01a0f18cfdf62c40f808c4dd516
                                              • Instruction ID: 8a270707ad6b195ca4f5b845d782a8d50d77f8d1d96cd824dd36c4a1b44b948a
                                              • Opcode Fuzzy Hash: 30cdb184e87978f74a8f5fac51a18efdbe05a01a0f18cfdf62c40f808c4dd516
                                              • Instruction Fuzzy Hash: 8511FAB5900608EFCB00DF98CA49BDEBBB8FB48744F208159F91577290D779AB44CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • __vbaChkstk.MSVBVM60(00000000,00408966,000000FF,?,00000001,?,00000000,00408966), ref: 004B6CFE
                                              • __vbaOnError.MSVBVM60(000000FF,?,00000001,?,00000000,00408966,000000FF), ref: 004B6D2E
                                              • __vbaFreeVar.MSVBVM60(004B6D85,?,00000001,?,00000000,00408966,000000FF), ref: 004B6D7E
                                                • Part of subcall function 004B4230: __vbaChkstk.MSVBVM60(00000000,00408966,004B4001), ref: 004B424E
                                                • Part of subcall function 004B4230: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00408966,004B4001), ref: 004B427E
                                                • Part of subcall function 004B4230: __vbaStrMove.MSVBVM60(80000001,Control Panel\Desktop,ScreenSaveUsePassword,?,?,?,00000000,00408966,004B4001), ref: 004B42A4
                                                • Part of subcall function 004B4230: #581.MSVBVM60(00000000,?,?,?,00000000,00408966,004B4001), ref: 004B42AB
                                                • Part of subcall function 004B4230: __vbaFreeStr.MSVBVM60 ref: 004B42DA
                                              • __vbaSetSystemError.MSVBVM60(00000061,00000000,00000000,00000000,?,00000001,?,00000000,00408966,000000FF), ref: 004B6D70
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000009.00000002.2230834417.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E0000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230949361.00000000004E5000.00000004.00000001.01000000.00000009.sdmp
                                              • Associated: 00000009.00000002.2230998534.00000000004E7000.00000002.00000001.01000000.00000009.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_400000_MBSS Light.jbxd
                                              Similarity
                                              • API ID: __vba$Error$ChkstkFree$#581MoveSystem
                                              • String ID:
                                              • API String ID: 1143639551-0
                                              • Opcode ID: aab33e71c86131c8bb8beb824a1af3c0c6f2b02bcf77ea565a47d137e88f4663
                                              • Instruction ID: e2357a2893c05ffed917bea2c1ea5185d2a5f843119b9b1144c374f0624996e0
                                              • Opcode Fuzzy Hash: aab33e71c86131c8bb8beb824a1af3c0c6f2b02bcf77ea565a47d137e88f4663
                                              • Instruction Fuzzy Hash: B90140B0900658EFDB00EF94DA09BEEBBB8EB04B44F10805AF104761D1D7BC5A44CBAA
                                              Uniqueness

                                              Uniqueness Score: -1.00%