
Windows Analysis Report
MbYnGuRGnm.exe

Overview

General Information

Sample name: MbYnGuRGnm.exe (renamed because original name is a hash value)
Original sample name: e57ce68c59b39ce145bbeec16942a48068fcaa26f6ff7d7a2c16b0d947d17873.exe
Analysis ID: 1410994
MD5: f671843cfde5c734ce07aa5a35e32934
SHA1: 717d3b853415bd2f1645f7edcd0944b438e3d01a
SHA256: e57ce68c59b39ce145bbeec16942a48068fcaa26f6ff7d7a2c16b0d947d17873
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files

Classification

  • System is w10x64
  • MbYnGuRGnm.exe (PID: 7532 cmdline: C:\Users\user\Desktop\MbYnGuRGnm.exe MD5: F671843CFDE5C734CE07AA5A35E32934)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: MbYnGuRGnm.exe | Avira: detected
Source: MbYnGuRGnm.exe | ReversingLabs: Detection: 28%
Source: MbYnGuRGnm.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: MbYnGuRGnm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405841
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose,0_2_00406393
Source: MbYnGuRGnm.exe, 00000000.00000002.1282798108.0000000000618000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MbYnGuRGnm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004052EE
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004032A0
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_00407040 0_2_00407040
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_00406869 0_2_00406869
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_00404B2B 0_2_00404B2B
Source: MbYnGuRGnm.exe, 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameavoke besully.exe: vs MbYnGuRGnm.exe
Source: MbYnGuRGnm.exe | Binary or memory string: OriginalFilenameavoke besully.exe: vs MbYnGuRGnm.exe
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Section loaded: wintypes.dll
Source: classification engine | Classification label: mal56.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004045AF
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Code function: 0_2_00402095 CoCreateInstance,0_2_00402095
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | File created: C:\Users\user\AppData\Local\Temp\nsxB483.tmp
Source: MbYnGuRGnm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | File read: C:\Users\user\Desktop\MbYnGuRGnm.exe
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | API coverage: 8.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\MbYnGuRGnm.exe | API call chain: ExitProcess graph end node graph_0-2868
MITRE ATT&CK matrix (tactic: techniques; the number in parentheses is the count of matched signatures, techniques without a count did not match any signature)

  • Reconnaissance: Gather Victim Identity Information, Credentials
  • Resource Development: Acquire Infrastructure, Domains
  • Initial Access: Valid Accounts, Default Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts
  • Privilege Escalation: Access Token Manipulation (1), DLL Side-Loading (1)
  • Defense Evasion: Access Token Manipulation (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory
  • Discovery: File and Directory Discovery (2), System Information Discovery (4)
  • Lateral Movement: Remote Services, Remote Desktop Protocol
  • Collection: Archive Collected Data (1), Clipboard Data (1)
  • Command and Control: Encrypted Channel (1), Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
  • Impact: System Shutdown/Reboot (1), Network Denial of Service
Antivirus results for the submitted sample (Source, Detection, Scanner, Label):

  • MbYnGuRGnm.exe, 29%, ReversingLabs, Win32.Trojan.Generic
  • MbYnGuRGnm.exe, 100%, Avira, TR/Crypt.XPACK.Gen

No Antivirus matches
No contacted domains info

URLs found in binary or memory (Name, Source, Malicious, Antivirus Detection, Reputation):

  • http://nsis.sf.net/NSIS_Error, MbYnGuRGnm.exe, 00000000.00000002.1282798108.0000000000618000.00000004.00000020.00020000.00000000.sdmp, false, (none), high
  • http://nsis.sf.net/NSIS_ErrorError, MbYnGuRGnm.exe, false, (none), high
      No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1410994
Start date and time: 2024-03-18 14:37:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MbYnGuRGnm.exe (renamed because original name is a hash value)
Original Sample Name: e57ce68c59b39ce145bbeec16942a48068fcaa26f6ff7d7a2c16b0d947d17873.exe
Detection: MAL
Classification: mal56.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 41
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: MbYnGuRGnm.exe
      No simulations
      No context
      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 3.5147110484087873
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: MbYnGuRGnm.exe
File size: 334'336 bytes
MD5: f671843cfde5c734ce07aa5a35e32934
SHA1: 717d3b853415bd2f1645f7edcd0944b438e3d01a
SHA256: e57ce68c59b39ce145bbeec16942a48068fcaa26f6ff7d7a2c16b0d947d17873
SHA512: eabc7f59785597c900b89bd38e3875cbad0793f59ae287317b9c6815717449d7dd714503d846e884b7abd5b1e1a2cec9728b22e327f8bff326f1099d36f37ebc
SSDEEP: 3072:14lLpkXGED6iNuVIJMyeLZGofkUQmk6gWX8PsjpWDe/hz:epkXGU5KsUv
TLSH: 16642A51BF04D652C41D1BF6CAFBA43983B24CA1150199336721BE6F3DBEF82B8295B4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....c.W.................d...........2............@
Icon Hash: 074b5b564e1e3e6c
Entrypoint: 0x4032a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5795639D [Mon Jul 25 00:55:57 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e2a592076b17ef8bfb48b7e03965a3fc
Entrypoint instructions:
      sub esp, 000002D4h
      push ebx
      push esi
      push edi
      push 00000020h
      pop edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [esp+14h], ebx
      mov dword ptr [esp+10h], 0040A2E0h
      mov dword ptr [esp+1Ch], ebx
      call dword ptr [004080B0h]
      call dword ptr [004080ACh]
      cmp ax, 00000006h
      je 00007EFC4CBE4203h
      push ebx
      call 00007EFC4CBE7344h
      cmp eax, ebx
      je 00007EFC4CBE41F9h
      push 00000C00h
      call eax
      mov esi, 004082B8h
      push esi
      call 00007EFC4CBE72BEh
      push esi
      call dword ptr [0040815Ch]
      lea esi, dword ptr [esi+eax+01h]
      cmp byte ptr [esi], 00000000h
      jne 00007EFC4CBE41DCh
      push ebp
      push 00000009h
      call 00007EFC4CBE7316h
      push 00000007h
      call 00007EFC4CBE730Fh
      mov dword ptr [00434EE4h], eax
      call dword ptr [0040803Ch]
      push ebx
      call dword ptr [004082A4h]
      mov dword ptr [00434F98h], eax
      push ebx
      lea eax, dword ptr [esp+34h]
      push 000002B4h
      push eax
      push ebx
      push 0042B208h
      call dword ptr [00408188h]
      push 0040A2C8h
      push 00433EE0h
      call 00007EFC4CBE6EF8h
      call dword ptr [004080A8h]
      mov ebp, 0043F000h
      push eax
      push ebp
      call 00007EFC4CBE6EE6h
      push ebx
      call dword ptr [00408174h]
      add word ptr [eax], 0000h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
Data directories (Name, Virtual Address, Virtual Size, Is in Section):

  • IMAGE_DIRECTORY_ENTRY_EXPORT, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_IMPORT, 0x8610, 0xa0, .rdata
  • IMAGE_DIRECTORY_ENTRY_RESOURCE, 0x58000, 0x495b0, .rsrc
  • IMAGE_DIRECTORY_ENTRY_EXCEPTION, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_SECURITY, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_DEBUG, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_COPYRIGHT, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_TLS, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_IAT, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x0, 0x0
  • IMAGE_DIRECTORY_ENTRY_RESERVED, 0x0, 0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):

  • .text, 0x1000, 0x7000, 0x6400, 4219bc0ba21196c40804cc23644c3170, False, 0.671484375, data, 6.484635885032963, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • .rdata, 0x8000, 0x2000, 0x1600, c55888d8b5fea0b52e7bde578e8da071, False, 0.5363991477272727, data, 5.421327062358691, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .data, 0xa000, 0x2b000, 0x600, 2aa587c909999ca52be17d0f1ffbd186, False, 0.5188802083333334, data, 4.039551377217298, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .ndata, 0x35000, 0x23000, 0x0, d41d8cd98f00b204e9800998ecf8427e, False, 0, empty, 0.0, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .rsrc, 0x58000, 0x495b0, 0x49600, 771d7595b9749a41377500ec346a9449, False, 0.1746067131601363, data, 3.0539009359011295, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name, RVA, Size, Type, Language, Country, ZLIB Complexity):

  • RT_ICON, 0x58388, 0x42028, Device independent bitmap graphic, 256 x 512 x 32, image size 270336, English, United States, 0.15141876497914017
  • RT_ICON, 0x9a3b0, 0x25a8, Device independent bitmap graphic, 48 x 96 x 32, image size 9600, English, United States, 0.3052904564315353
  • RT_ICON, 0x9c958, 0x10a8, Device independent bitmap graphic, 32 x 64 x 32, image size 4224, English, United States, 0.36186679174484054
  • RT_ICON, 0x9da00, 0xea8, Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors, English, United States, 0.4984008528784648
  • RT_ICON, 0x9e8a8, 0x988, Device independent bitmap graphic, 24 x 48 x 32, image size 2400, English, United States, 0.41352459016393445
  • RT_ICON, 0x9f230, 0x8a8, Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors, English, United States, 0.5482851985559567
  • RT_ICON, 0x9fad8, 0x6c8, Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors, English, United States, 0.5
  • RT_ICON, 0xa01a0, 0x568, Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors, English, United States, 0.40390173410404623
  • RT_ICON, 0xa0708, 0x468, Device independent bitmap graphic, 16 x 32 x 32, image size 1088, English, United States, 0.49379432624113473
  • RT_DIALOG, 0xa0b70, 0x100, data, English, United States, 0.5234375
  • RT_DIALOG, 0xa0c70, 0x11c, data, English, United States, 0.6056338028169014
  • RT_DIALOG, 0xa0d90, 0xc4, data, English, United States, 0.5918367346938775
  • RT_DIALOG, 0xa0e58, 0x60, data, English, United States, 0.7291666666666666
  • RT_GROUP_ICON, 0xa0eb8, 0x84, data, English, United States, 0.6666666666666666
  • RT_VERSION, 0xa0f40, 0x244, data, English, United States, 0.5310344827586206
  • RT_MANIFEST, 0xa1188, 0x422, XML 1.0 document, ASCII text, with very long lines (1058), with no line terminators, English, United States, 0.5122873345935728
Imports (DLL: imported functions):

  • KERNEL32.dll: SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
  • USER32.dll: GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
  • GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
  • SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
  • ADVAPI32.dll: RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
  • COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
  • ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Language of compilation system: English
Country where language is spoken: United States
      No network behavior found


Target ID: 0
Start time: 14:38:43
Start date: 18/03/2024
Path: C:\Users\user\Desktop\MbYnGuRGnm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\MbYnGuRGnm.exe
Imagebase: 0x400000
File size: 334'336 bytes
MD5 hash: F671843CFDE5C734CE07AA5A35E32934
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


        Execution Graph

Execution Coverage: 5.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.4%
Total number of Nodes: 1306
Total number of Limit Nodes: 17
3762->3764 3763->3764 3765 402d84 3764->3765 3766 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3764->3766 3766->3765 3767 401904 3768 40193b 3767->3768 3769 402bbf 18 API calls 3768->3769 3770 401940 3769->3770 3771 405841 69 API calls 3770->3771 3772 401949 3771->3772 3773 404905 3774 404931 3773->3774 3775 404915 3773->3775 3777 404964 3774->3777 3778 404937 SHGetPathFromIDListW 3774->3778 3784 405779 GetDlgItemTextW 3775->3784 3780 40494e SendMessageW 3778->3780 3781 404947 3778->3781 3779 404922 SendMessageW 3779->3774 3780->3777 3782 40140b 2 API calls 3781->3782 3782->3780 3784->3779 3785 402786 3786 40278d 3785->3786 3787 4029f7 3785->3787 3788 402ba2 18 API calls 3786->3788 3789 402798 3788->3789 3790 40279f SetFilePointer 3789->3790 3790->3787 3791 4027af 3790->3791 3793 405f97 wsprintfW 3791->3793 3793->3787 3794 401907 3795 402bbf 18 API calls 3794->3795 3796 40190e 3795->3796 3797 405795 MessageBoxIndirectW 3796->3797 3798 401917 3797->3798 3799 401e08 3800 402bbf 18 API calls 3799->3800 3801 401e0e 3800->3801 3802 402bbf 18 API calls 3801->3802 3803 401e17 3802->3803 3804 402bbf 18 API calls 3803->3804 3805 401e20 3804->3805 3806 402bbf 18 API calls 3805->3806 3807 401e29 3806->3807 3808 401423 25 API calls 3807->3808 3809 401e30 ShellExecuteW 3808->3809 3810 401e61 3809->3810 3816 401a15 3817 402bbf 18 API calls 3816->3817 3818 401a1e ExpandEnvironmentStringsW 3817->3818 3819 401a32 3818->3819 3821 401a45 3818->3821 3820 401a37 lstrcmpW 3819->3820 3819->3821 3820->3821 3822 402515 3823 402bbf 18 API calls 3822->3823 3824 40251c 3823->3824 3827 405c25 GetFileAttributesW CreateFileW 3824->3827 3826 402528 3827->3826 3828 402095 3829 402bbf 18 API calls 3828->3829 3830 40209c 3829->3830 3831 402bbf 18 API calls 3830->3831 3832 4020a6 3831->3832 3833 402bbf 18 API calls 3832->3833 3834 4020b0 3833->3834 3835 402bbf 18 API calls 3834->3835 3836 4020ba 3835->3836 3837 402bbf 18 API calls 3836->3837 3839 4020c4 3837->3839 3838 402103 
CoCreateInstance 3843 402122 3838->3843 3839->3838 3840 402bbf 18 API calls 3839->3840 3840->3838 3841 401423 25 API calls 3842 4021e1 3841->3842 3843->3841 3843->3842 3844 401b16 3845 402bbf 18 API calls 3844->3845 3846 401b1d 3845->3846 3847 402ba2 18 API calls 3846->3847 3848 401b26 wsprintfW 3847->3848 3849 402a4c 3848->3849 3850 40159b 3851 402bbf 18 API calls 3850->3851 3852 4015a2 SetFileAttributesW 3851->3852 3853 4015b4 3852->3853 3854 401f1d 3855 402bbf 18 API calls 3854->3855 3856 401f24 3855->3856 3857 40642a 5 API calls 3856->3857 3858 401f33 3857->3858 3859 401f4f GlobalAlloc 3858->3859 3862 401fb7 3858->3862 3860 401f63 3859->3860 3859->3862 3861 40642a 5 API calls 3860->3861 3863 401f6a 3861->3863 3864 40642a 5 API calls 3863->3864 3865 401f74 3864->3865 3865->3862 3869 405f97 wsprintfW 3865->3869 3867 401fa9 3870 405f97 wsprintfW 3867->3870 3869->3867 3870->3862 3871 40229d 3872 4022a5 3871->3872 3873 4022ab 3871->3873 3874 402bbf 18 API calls 3872->3874 3875 4022b9 3873->3875 3877 402bbf 18 API calls 3873->3877 3874->3873 3876 4022c7 3875->3876 3878 402bbf 18 API calls 3875->3878 3879 402bbf 18 API calls 3876->3879 3877->3875 3878->3876 3880 4022d0 WritePrivateProfileStringW 3879->3880 3881 40149e 3882 402288 3881->3882 3883 4014ac PostQuitMessage 3881->3883 3883->3882 3884 40249e 3894 402cc9 3884->3894 3886 4024a8 3887 402ba2 18 API calls 3886->3887 3888 4024b1 3887->3888 3889 4024d5 RegEnumValueW 3888->3889 3890 4024c9 RegEnumKeyW 3888->3890 3891 40281e 3888->3891 3889->3891 3892 4024ee RegCloseKey 3889->3892 3890->3892 3892->3891 3895 402bbf 18 API calls 3894->3895 3896 402ce2 3895->3896 3897 402cf0 RegOpenKeyExW 3896->3897 3897->3886 3898 40231f 3899 402324 3898->3899 3900 40234f 3898->3900 3901 402cc9 19 API calls 3899->3901 3902 402bbf 18 API calls 3900->3902 3903 40232b 3901->3903 3904 402356 3902->3904 3905 402bbf 18 API calls 3903->3905 3908 40236c 3903->3908 3909 402bff RegOpenKeyExW 3904->3909 3906 40233c RegDeleteValueW RegCloseKey 
3905->3906 3906->3908 3916 402c2a 3909->3916 3918 402c76 3909->3918 3910 402c50 RegEnumKeyW 3911 402c62 RegCloseKey 3910->3911 3910->3916 3913 40642a 5 API calls 3911->3913 3912 402c87 RegCloseKey 3912->3918 3915 402c72 3913->3915 3914 402bff 5 API calls 3914->3916 3917 402ca2 RegDeleteKeyW 3915->3917 3915->3918 3916->3910 3916->3911 3916->3912 3916->3914 3917->3918 3918->3908 2820 4032a0 SetErrorMode GetVersion 2821 4032d5 2820->2821 2822 4032db 2820->2822 2823 40642a 5 API calls 2821->2823 2911 4063ba GetSystemDirectoryW 2822->2911 2823->2822 2825 4032f1 lstrlenA 2825->2822 2826 403301 2825->2826 2914 40642a GetModuleHandleA 2826->2914 2829 40642a 5 API calls 2830 403310 #17 OleInitialize SHGetFileInfoW 2829->2830 2920 406050 lstrcpynW 2830->2920 2832 40334d GetCommandLineW 2921 406050 lstrcpynW 2832->2921 2834 40335f GetModuleHandleW 2835 403377 2834->2835 2922 405a31 2835->2922 2838 4034b0 GetTempPathW 2926 40326f 2838->2926 2840 4034c8 2841 403522 DeleteFileW 2840->2841 2842 4034cc GetWindowsDirectoryW lstrcatW 2840->2842 2936 402dee GetTickCount GetModuleFileNameW 2841->2936 2843 40326f 12 API calls 2842->2843 2846 4034e8 2843->2846 2844 405a31 CharNextW 2847 40339f 2844->2847 2846->2841 2848 4034ec GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 2846->2848 2847->2844 2851 40349b 2847->2851 2853 403499 2847->2853 2852 40326f 12 API calls 2848->2852 2849 4035ed 2966 4037bf 2849->2966 2977 406050 lstrcpynW 2851->2977 2860 40351a 2852->2860 2853->2838 2854 4035d9 2995 403899 2854->2995 2857 405a31 CharNextW 2874 403555 2857->2874 2860->2841 2860->2849 2861 4035e9 2861->2849 2862 403723 2865 4037a7 2862->2865 2866 40372b GetCurrentProcess OpenProcessToken 2862->2866 2863 403603 2973 405795 2863->2973 2867 4037b1 2865->2867 2868 4037b5 ExitProcess 2865->2868 2872 403743 LookupPrivilegeValueW AdjustTokenPrivileges 2866->2872 2873 403777 2866->2873 2867->2868 2869 4035b3 2978 405b0c 2869->2978 2870 403619 3051 405718 2870->3051 2872->2873 2877 
40642a 5 API calls 2873->2877 2874->2869 2874->2870 2880 40377e 2877->2880 2881 403793 ExitWindowsEx 2880->2881 2885 4037a0 2880->2885 2881->2865 2881->2885 2882 4035c3 2993 406050 lstrcpynW 2882->2993 2883 40363a lstrcatW lstrcmpiW 2883->2849 2887 403656 2883->2887 2884 40362f lstrcatW 2884->2883 3089 40140b 2885->3089 2890 403662 2887->2890 2891 40365b 2887->2891 2889 4035ce 2994 406050 lstrcpynW 2889->2994 3059 4056fb CreateDirectoryW 2890->3059 3054 40567e CreateDirectoryW 2891->3054 2896 403667 SetCurrentDirectoryW 2897 403682 2896->2897 2898 403677 2896->2898 3063 406050 lstrcpynW 2897->3063 3062 406050 lstrcpynW 2898->3062 2903 4036ce CopyFileW 2908 403690 2903->2908 2904 403717 2905 405ef1 38 API calls 2904->2905 2905->2861 2907 406072 18 API calls 2907->2908 2908->2904 2908->2907 2910 403702 CloseHandle 2908->2910 3064 406072 2908->3064 3082 405ef1 MoveFileExW 2908->3082 3086 405730 CreateProcessW 2908->3086 2910->2908 2912 4063dc wsprintfW LoadLibraryExW 2911->2912 2912->2825 2915 406450 GetProcAddress 2914->2915 2916 406446 2914->2916 2918 403309 2915->2918 2917 4063ba 3 API calls 2916->2917 2919 40644c 2917->2919 2918->2829 2919->2915 2919->2918 2920->2832 2921->2834 2923 405a37 2922->2923 2924 403386 CharNextW 2923->2924 2925 405a3e CharNextW 2923->2925 2924->2838 2924->2847 2925->2923 3092 4062e4 2926->3092 2928 403285 2928->2840 2929 40327b 2929->2928 3101 405a04 lstrlenW CharPrevW 2929->3101 2932 4056fb 2 API calls 2933 403293 2932->2933 3104 405c54 2933->3104 3108 405c25 GetFileAttributesW CreateFileW 2936->3108 2938 402e2e 2939 402e3e 2938->2939 3109 406050 lstrcpynW 2938->3109 2939->2849 2939->2854 2939->2857 2941 402e54 3110 405a50 lstrlenW 2941->3110 2945 402e65 GetFileSize 2950 402e7c 2945->2950 2963 402f61 2945->2963 2946 402d8a 6 API calls 2947 402f6a 2946->2947 2947->2939 2949 402f9a GlobalAlloc 2947->2949 3129 403258 SetFilePointer 2947->3129 3130 403258 SetFilePointer 2949->3130 2950->2939 2951 402fcd 2950->2951 2962 402f34 2950->2962 
2950->2963 3115 403242 2950->3115 2955 402d8a 6 API calls 2951->2955 2954 402fb5 3131 403027 2954->3131 2958 402fd4 2955->2958 2956 402f83 2959 403242 ReadFile 2956->2959 2958->2939 2961 402f8e 2959->2961 2961->2939 2961->2949 2962->2950 3118 402d8a 2962->3118 2963->2946 2965 402ffe SetFilePointer 2965->2958 2967 4037d7 2966->2967 2968 4037c9 FindCloseChangeNotification 2966->2968 3171 403804 2967->3171 2968->2967 2974 4057aa 2973->2974 2975 403611 ExitProcess 2974->2975 2976 4057be MessageBoxIndirectW 2974->2976 2976->2975 2977->2853 3229 406050 lstrcpynW 2978->3229 2980 405b1d 3230 405aaf CharNextW CharNextW 2980->3230 2983 4035bf 2983->2849 2983->2882 2984 4062e4 5 API calls 2985 405b33 2984->2985 2985->2983 2991 405b4a 2985->2991 2986 405b64 lstrlenW 2987 405b6f 2986->2987 2986->2991 2988 405a04 3 API calls 2987->2988 2990 405b74 GetFileAttributesW 2988->2990 2989 406393 2 API calls 2989->2991 2990->2983 2991->2983 2991->2986 2991->2989 2992 405a50 2 API calls 2991->2992 2992->2986 2993->2889 2994->2854 2996 40642a 5 API calls 2995->2996 2997 4038ad 2996->2997 2998 4038b3 2997->2998 2999 4038c5 2997->2999 3236 405f97 wsprintfW 2998->3236 3237 405f1d RegOpenKeyExW 2999->3237 3003 403914 lstrcatW 3004 4038c3 3003->3004 3242 403b6f 3004->3242 3005 405f1d 3 API calls 3005->3003 3008 405b0c 18 API calls 3009 403946 3008->3009 3010 4039da 3009->3010 3013 405f1d 3 API calls 3009->3013 3011 405b0c 18 API calls 3010->3011 3012 4039e0 3011->3012 3015 4039f0 LoadImageW 3012->3015 3016 406072 18 API calls 3012->3016 3014 403978 3013->3014 3014->3010 3019 403999 lstrlenW 3014->3019 3023 405a31 CharNextW 3014->3023 3017 403a96 3015->3017 3018 403a17 RegisterClassW 3015->3018 3016->3015 3022 40140b 2 API calls 3017->3022 3020 403aa0 3018->3020 3021 403a4d SystemParametersInfoW CreateWindowExW 3018->3021 3024 4039a7 lstrcmpiW 3019->3024 3025 4039cd 3019->3025 3020->2861 3021->3017 3026 403a9c 3022->3026 3027 403996 3023->3027 3024->3025 3028 4039b7 GetFileAttributesW 
3024->3028 3029 405a04 3 API calls 3025->3029 3026->3020 3031 403b6f 19 API calls 3026->3031 3027->3019 3030 4039c3 3028->3030 3032 4039d3 3029->3032 3030->3025 3033 405a50 2 API calls 3030->3033 3034 403aad 3031->3034 3251 406050 lstrcpynW 3032->3251 3033->3025 3036 403ab9 ShowWindow 3034->3036 3037 403b3c 3034->3037 3039 4063ba 3 API calls 3036->3039 3252 405282 OleInitialize 3037->3252 3040 403ad1 3039->3040 3042 403adf GetClassInfoW 3040->3042 3044 4063ba 3 API calls 3040->3044 3041 403b42 3043 403b5e 3041->3043 3048 403b46 3041->3048 3046 403af3 GetClassInfoW RegisterClassW 3042->3046 3047 403b09 DialogBoxParamW 3042->3047 3045 40140b 2 API calls 3043->3045 3044->3042 3045->3020 3046->3047 3049 40140b 2 API calls 3047->3049 3048->3020 3050 40140b 2 API calls 3048->3050 3049->3020 3050->3020 3052 40642a 5 API calls 3051->3052 3053 40361e lstrcatW 3052->3053 3053->2883 3053->2884 3055 403660 3054->3055 3056 4056cf GetLastError 3054->3056 3055->2896 3056->3055 3057 4056de SetFileSecurityW 3056->3057 3057->3055 3058 4056f4 GetLastError 3057->3058 3058->3055 3060 40570b 3059->3060 3061 40570f GetLastError 3059->3061 3060->2896 3061->3060 3062->2897 3063->2908 3067 40607f 3064->3067 3065 4062ca 3066 4036c1 DeleteFileW 3065->3066 3269 406050 lstrcpynW 3065->3269 3066->2903 3066->2908 3067->3065 3069 406132 GetVersion 3067->3069 3070 406298 lstrlenW 3067->3070 3073 406072 10 API calls 3067->3073 3074 405f1d 3 API calls 3067->3074 3075 4061ad GetSystemDirectoryW 3067->3075 3076 4061c0 GetWindowsDirectoryW 3067->3076 3077 4062e4 5 API calls 3067->3077 3078 4061f4 SHGetSpecialFolderLocation 3067->3078 3079 406072 10 API calls 3067->3079 3080 406239 lstrcatW 3067->3080 3267 405f97 wsprintfW 3067->3267 3268 406050 lstrcpynW 3067->3268 3069->3067 3070->3067 3073->3070 3074->3067 3075->3067 3076->3067 3077->3067 3078->3067 3081 40620c SHGetPathFromIDListW CoTaskMemFree 3078->3081 3079->3067 3080->3067 3081->3067 3083 405f05 3082->3083 3085 405f12 3082->3085 3270 405d7f 
lstrcpyW 3083->3270 3085->2908 3087 405763 CloseHandle 3086->3087 3088 40576f 3086->3088 3087->3088 3088->2908 3090 401389 2 API calls 3089->3090 3091 401420 3090->3091 3091->2865 3098 4062f1 3092->3098 3093 40636c CharPrevW 3095 406367 3093->3095 3094 40635a CharNextW 3094->3095 3094->3098 3095->3093 3096 40638d 3095->3096 3096->2929 3097 405a31 CharNextW 3097->3098 3098->3094 3098->3095 3098->3097 3099 406346 CharNextW 3098->3099 3100 406355 CharNextW 3098->3100 3099->3098 3100->3094 3102 405a20 lstrcatW 3101->3102 3103 40328d 3101->3103 3102->3103 3103->2932 3105 405c61 GetTickCount GetTempFileNameW 3104->3105 3106 40329e 3105->3106 3107 405c97 3105->3107 3106->2840 3107->3105 3107->3106 3108->2938 3109->2941 3111 405a5e 3110->3111 3112 402e5a 3111->3112 3113 405a64 CharPrevW 3111->3113 3114 406050 lstrcpynW 3112->3114 3113->3111 3113->3112 3114->2945 3151 405ca8 ReadFile 3115->3151 3119 402d93 3118->3119 3120 402dab 3118->3120 3121 402da3 3119->3121 3122 402d9c DestroyWindow 3119->3122 3123 402db3 3120->3123 3124 402dbb GetTickCount 3120->3124 3121->2962 3122->3121 3153 406466 3123->3153 3126 402dc9 CreateDialogParamW ShowWindow 3124->3126 3127 402dec 3124->3127 3126->3127 3127->2962 3129->2956 3130->2954 3132 403040 3131->3132 3133 40306e 3132->3133 3157 403258 SetFilePointer 3132->3157 3134 403242 ReadFile 3133->3134 3136 403079 3134->3136 3137 4031db 3136->3137 3138 40308b GetTickCount 3136->3138 3140 402fc1 3136->3140 3139 40321d 3137->3139 3144 4031df 3137->3144 3138->3140 3147 4030da 3138->3147 3141 403242 ReadFile 3139->3141 3140->2939 3140->2965 3141->3140 3142 403242 ReadFile 3142->3147 3143 403242 ReadFile 3143->3144 3144->3140 3144->3143 3145 405cd7 WriteFile 3144->3145 3145->3144 3146 403130 GetTickCount 3146->3147 3147->3140 3147->3142 3147->3146 3148 403155 MulDiv wsprintfW 3147->3148 3169 405cd7 WriteFile 3147->3169 3158 4051af 3148->3158 3152 403255 3151->3152 3152->2950 3154 406483 PeekMessageW 3153->3154 3155 402db9 3154->3155 3156 406479 
DispatchMessageW 3154->3156 3155->2962 3156->3154 3157->3133 3159 4051ca 3158->3159 3168 40526c 3158->3168 3160 4051e6 lstrlenW 3159->3160 3161 406072 18 API calls 3159->3161 3162 4051f4 lstrlenW 3160->3162 3163 40520f 3160->3163 3161->3160 3164 405206 lstrcatW 3162->3164 3162->3168 3165 405222 3163->3165 3166 405215 SetWindowTextW 3163->3166 3164->3163 3167 405228 SendMessageW SendMessageW SendMessageW 3165->3167 3165->3168 3166->3165 3167->3168 3168->3147 3170 405cf5 3169->3170 3170->3147 3172 403812 3171->3172 3173 4037dc 3172->3173 3174 403817 FreeLibrary GlobalFree 3172->3174 3175 405841 3173->3175 3174->3173 3174->3174 3176 405b0c 18 API calls 3175->3176 3177 405861 3176->3177 3178 405880 3177->3178 3179 405869 DeleteFileW 3177->3179 3181 4059ab 3178->3181 3213 406050 lstrcpynW 3178->3213 3180 4035f2 OleUninitialize 3179->3180 3180->2862 3180->2863 3181->3180 3184 4059a0 3181->3184 3183 4058a6 3185 4058b9 3183->3185 3186 4058ac lstrcatW 3183->3186 3184->3181 3223 406393 FindFirstFileW 3184->3223 3188 405a50 2 API calls 3185->3188 3187 4058bf 3186->3187 3190 4058cf lstrcatW 3187->3190 3192 4058da lstrlenW FindFirstFileW 3187->3192 3188->3187 3190->3192 3192->3184 3211 4058fc 3192->3211 3193 405a04 3 API calls 3194 4059cf 3193->3194 3196 4057f9 5 API calls 3194->3196 3195 405983 FindNextFileW 3199 405999 FindClose 3195->3199 3195->3211 3198 4059db 3196->3198 3200 4059f5 3198->3200 3201 4059df 3198->3201 3199->3184 3203 4051af 25 API calls 3200->3203 3201->3180 3204 4051af 25 API calls 3201->3204 3203->3180 3206 4059ec 3204->3206 3205 405841 62 API calls 3205->3211 3207 405ef1 38 API calls 3206->3207 3209 4059f3 3207->3209 3208 4051af 25 API calls 3208->3195 3209->3180 3210 4051af 25 API calls 3210->3211 3211->3195 3211->3205 3211->3208 3211->3210 3212 405ef1 38 API calls 3211->3212 3214 406050 lstrcpynW 3211->3214 3215 4057f9 3211->3215 3212->3211 3213->3183 3214->3211 3226 405c00 GetFileAttributesW 3215->3226 3218 405814 RemoveDirectoryW 3221 405822 3218->3221 
3219 40581c DeleteFileW 3219->3221 3220 405826 3220->3211 3221->3220 3222 405832 SetFileAttributesW 3221->3222 3222->3220 3224 4059c5 3223->3224 3225 4063a9 FindClose 3223->3225 3224->3180 3224->3193 3225->3224 3227 405c12 SetFileAttributesW 3226->3227 3228 405805 3226->3228 3227->3228 3228->3218 3228->3219 3228->3220 3229->2980 3231 405acc 3230->3231 3232 405ade 3230->3232 3231->3232 3233 405ad9 CharNextW 3231->3233 3234 405b02 3232->3234 3235 405a31 CharNextW 3232->3235 3233->3234 3234->2983 3234->2984 3235->3232 3236->3004 3238 4038f5 3237->3238 3239 405f51 RegQueryValueExW 3237->3239 3238->3003 3238->3005 3240 405f72 RegCloseKey 3239->3240 3240->3238 3243 403b83 3242->3243 3259 405f97 wsprintfW 3243->3259 3245 403bf4 3246 406072 18 API calls 3245->3246 3247 403c00 SetWindowTextW 3246->3247 3248 403924 3247->3248 3249 403c1c 3247->3249 3248->3008 3249->3248 3250 406072 18 API calls 3249->3250 3250->3249 3251->3010 3260 404160 3252->3260 3254 4052cc 3255 404160 SendMessageW 3254->3255 3257 4052de OleUninitialize 3255->3257 3256 4052a5 3256->3254 3263 401389 3256->3263 3257->3041 3259->3245 3261 404178 3260->3261 3262 404169 SendMessageW 3260->3262 3261->3256 3262->3261 3265 401390 3263->3265 3264 4013fe 3264->3256 3265->3264 3266 4013cb MulDiv SendMessageW 3265->3266 3266->3265 3267->3067 3268->3067 3269->3066 3271 405da7 3270->3271 3272 405dcd GetShortPathNameW 3270->3272 3297 405c25 GetFileAttributesW CreateFileW 3271->3297 3274 405de2 3272->3274 3275 405eec 3272->3275 3274->3275 3277 405dea wsprintfA 3274->3277 3275->3085 3276 405db1 CloseHandle GetShortPathNameW 3276->3275 3278 405dc5 3276->3278 3279 406072 18 API calls 3277->3279 3278->3272 3278->3275 3280 405e12 3279->3280 3298 405c25 GetFileAttributesW CreateFileW 3280->3298 3282 405e1f 3282->3275 3283 405e2e GetFileSize GlobalAlloc 3282->3283 3284 405e50 3283->3284 3285 405ee5 CloseHandle 3283->3285 3286 405ca8 ReadFile 3284->3286 3285->3275 3287 405e58 3286->3287 3287->3285 3299 405b8a lstrlenA 
3287->3299 3290 405e83 3292 405b8a 4 API calls 3290->3292 3291 405e6f lstrcpyA 3294 405e91 3291->3294 3292->3294 3293 405ec8 SetFilePointer 3295 405cd7 WriteFile 3293->3295 3294->3293 3296 405ede GlobalFree 3295->3296 3296->3285 3297->3276 3298->3282 3300 405bcb lstrlenA 3299->3300 3301 405bd3 3300->3301 3302 405ba4 lstrcmpiA 3300->3302 3301->3290 3301->3291 3302->3301 3303 405bc2 CharNextA 3302->3303 3303->3300 3919 405123 3920 405133 3919->3920 3921 405147 3919->3921 3922 405139 3920->3922 3931 405190 3920->3931 3923 40514f IsWindowVisible 3921->3923 3929 405166 3921->3929 3925 404160 SendMessageW 3922->3925 3926 40515c 3923->3926 3923->3931 3924 405195 CallWindowProcW 3927 405143 3924->3927 3925->3927 3932 404a79 SendMessageW 3926->3932 3929->3924 3937 404af9 3929->3937 3931->3924 3933 404ad8 SendMessageW 3932->3933 3934 404a9c GetMessagePos ScreenToClient SendMessageW 3932->3934 3935 404ad0 3933->3935 3934->3935 3936 404ad5 3934->3936 3935->3929 3936->3933 3946 406050 lstrcpynW 3937->3946 3939 404b0c 3947 405f97 wsprintfW 3939->3947 3941 404b16 3942 40140b 2 API calls 3941->3942 3943 404b1f 3942->3943 3948 406050 lstrcpynW 3943->3948 3945 404b26 3945->3931 3946->3939 3947->3941 3948->3945 3949 401ca3 3950 402ba2 18 API calls 3949->3950 3951 401ca9 IsWindow 3950->3951 3952 401a05 3951->3952 3953 402a27 SendMessageW 3954 402a41 InvalidateRect 3953->3954 3955 402a4c 3953->3955 3954->3955 3956 404228 lstrcpynW lstrlenW 3957 40242a 3958 402cc9 19 API calls 3957->3958 3959 402434 3958->3959 3960 402bbf 18 API calls 3959->3960 3961 40243d 3960->3961 3962 402448 RegQueryValueExW 3961->3962 3967 40281e 3961->3967 3963 40246e RegCloseKey 3962->3963 3964 402468 3962->3964 3963->3967 3964->3963 3968 405f97 wsprintfW 3964->3968 3968->3963 3969 404b2b GetDlgItem GetDlgItem 3970 404b7d 7 API calls 3969->3970 3978 404d96 3969->3978 3971 404c20 DeleteObject 3970->3971 3972 404c13 SendMessageW 3970->3972 3973 404c29 3971->3973 3972->3971 3975 404c60 3973->3975 3977 406072 18 API 
calls 3973->3977 3974 404e7a 3976 404f26 3974->3976 3980 404d89 3974->3980 3986 404ed3 SendMessageW 3974->3986 3979 404114 19 API calls 3975->3979 3981 404f30 SendMessageW 3976->3981 3982 404f38 3976->3982 3983 404c42 SendMessageW SendMessageW 3977->3983 3978->3974 3989 404a79 5 API calls 3978->3989 4001 404e07 3978->4001 3984 404c74 3979->3984 3987 40417b 8 API calls 3980->3987 3981->3982 3993 404f51 3982->3993 3994 404f4a ImageList_Destroy 3982->3994 3998 404f61 3982->3998 3983->3973 3985 404114 19 API calls 3984->3985 4002 404c82 3985->4002 3986->3980 3991 404ee8 SendMessageW 3986->3991 3992 40511c 3987->3992 3988 404e6c SendMessageW 3988->3974 3989->4001 3990 4050d0 3990->3980 3999 4050e2 ShowWindow GetDlgItem ShowWindow 3990->3999 3997 404efb 3991->3997 3995 404f5a GlobalFree 3993->3995 3993->3998 3994->3993 3995->3998 3996 404d57 GetWindowLongW SetWindowLongW 4000 404d70 3996->4000 4007 404f0c SendMessageW 3997->4007 3998->3990 4013 404af9 4 API calls 3998->4013 4014 404f9c 3998->4014 3999->3980 4003 404d76 ShowWindow 4000->4003 4004 404d8e 4000->4004 4001->3974 4001->3988 4002->3996 4006 404cd2 SendMessageW 4002->4006 4008 404d51 4002->4008 4011 404d0e SendMessageW 4002->4011 4012 404d1f SendMessageW 4002->4012 4020 404149 SendMessageW 4003->4020 4021 404149 SendMessageW 4004->4021 4006->4002 4007->3976 4008->3996 4008->4000 4009 404fe0 4015 4050a6 InvalidateRect 4009->4015 4019 405054 SendMessageW SendMessageW 4009->4019 4011->4002 4012->4002 4013->4014 4014->4009 4016 404fca SendMessageW 4014->4016 4015->3990 4017 4050bc 4015->4017 4016->4009 4022 404a34 4017->4022 4019->4009 4020->3980 4021->3978 4025 40496b 4022->4025 4024 404a49 4024->3990 4028 404984 4025->4028 4026 406072 18 API calls 4027 4049e8 4026->4027 4029 406072 18 API calls 4027->4029 4028->4026 4030 4049f3 4029->4030 4031 406072 18 API calls 4030->4031 4032 404a09 lstrlenW wsprintfW SetDlgItemTextW 4031->4032 4032->4024 4033 40172d 4034 402bbf 18 API calls 4033->4034 4035 401734 SearchPathW 
4034->4035 4036 40174f 4035->4036 4037 4045af 4038 4045db 4037->4038 4039 4045ec 4037->4039 4098 405779 GetDlgItemTextW 4038->4098 4040 4045f8 GetDlgItem 4039->4040 4048 404657 4039->4048 4043 40460c 4040->4043 4042 4045e6 4045 4062e4 5 API calls 4042->4045 4046 404620 SetWindowTextW 4043->4046 4051 405aaf 4 API calls 4043->4051 4044 40473b 4047 4048ea 4044->4047 4100 405779 GetDlgItemTextW 4044->4100 4045->4039 4052 404114 19 API calls 4046->4052 4050 40417b 8 API calls 4047->4050 4048->4044 4048->4047 4053 406072 18 API calls 4048->4053 4055 4048fe 4050->4055 4056 404616 4051->4056 4057 40463c 4052->4057 4058 4046cb SHBrowseForFolderW 4053->4058 4054 40476b 4059 405b0c 18 API calls 4054->4059 4056->4046 4063 405a04 3 API calls 4056->4063 4060 404114 19 API calls 4057->4060 4058->4044 4061 4046e3 CoTaskMemFree 4058->4061 4062 404771 4059->4062 4064 40464a 4060->4064 4065 405a04 3 API calls 4061->4065 4101 406050 lstrcpynW 4062->4101 4063->4046 4099 404149 SendMessageW 4064->4099 4067 4046f0 4065->4067 4070 404727 SetDlgItemTextW 4067->4070 4074 406072 18 API calls 4067->4074 4069 404650 4072 40642a 5 API calls 4069->4072 4070->4044 4071 404788 4073 40642a 5 API calls 4071->4073 4072->4048 4081 40478f 4073->4081 4075 40470f lstrcmpiW 4074->4075 4075->4070 4077 404720 lstrcatW 4075->4077 4076 4047d0 4102 406050 lstrcpynW 4076->4102 4077->4070 4079 4047d7 4080 405aaf 4 API calls 4079->4080 4082 4047dd GetDiskFreeSpaceW 4080->4082 4081->4076 4085 405a50 2 API calls 4081->4085 4087 404828 4081->4087 4084 404801 MulDiv 4082->4084 4082->4087 4084->4087 4085->4081 4086 404899 4089 4048bc 4086->4089 4091 40140b 2 API calls 4086->4091 4087->4086 4088 404a34 21 API calls 4087->4088 4090 404886 4088->4090 4103 404136 EnableWindow 4089->4103 4092 40489b SetDlgItemTextW 4090->4092 4093 40488b 4090->4093 4091->4089 4092->4086 4095 40496b 21 API calls 4093->4095 4095->4086 4096 4048d8 4096->4047 4104 404544 4096->4104 4098->4042 4099->4069 4100->4054 4101->4071 4102->4079 
4103->4096 4105 404552 4104->4105 4106 404557 SendMessageW 4104->4106 4105->4106 4106->4047 4107 4042b1 4108 4042c9 4107->4108 4111 4043e3 4107->4111 4112 404114 19 API calls 4108->4112 4109 40444d 4110 404457 GetDlgItem 4109->4110 4113 40451f 4109->4113 4115 404471 4110->4115 4116 4044e0 4110->4116 4111->4109 4111->4113 4117 40441e GetDlgItem SendMessageW 4111->4117 4118 404330 4112->4118 4114 40417b 8 API calls 4113->4114 4120 40451a 4114->4120 4115->4116 4121 404497 6 API calls 4115->4121 4116->4113 4122 4044f2 4116->4122 4138 404136 EnableWindow 4117->4138 4119 404114 19 API calls 4118->4119 4124 40433d CheckDlgButton 4119->4124 4121->4116 4125 404508 4122->4125 4126 4044f8 SendMessageW 4122->4126 4136 404136 EnableWindow 4124->4136 4125->4120 4129 40450e SendMessageW 4125->4129 4126->4125 4127 404448 4130 404544 SendMessageW 4127->4130 4129->4120 4130->4109 4131 40435b GetDlgItem 4137 404149 SendMessageW 4131->4137 4133 404371 SendMessageW 4134 404397 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4133->4134 4135 40438e GetSysColor 4133->4135 4134->4120 4135->4134 4136->4131 4137->4133 4138->4127 4139 4027b4 4140 4027ba 4139->4140 4141 4027c2 FindClose 4140->4141 4142 402a4c 4140->4142 4141->4142 4143 401b37 4144 401b44 4143->4144 4145 401b88 4143->4145 4146 401bcd 4144->4146 4152 401b5b 4144->4152 4147 401bb2 GlobalAlloc 4145->4147 4148 401b8d 4145->4148 4149 406072 18 API calls 4146->4149 4159 402288 4146->4159 4150 406072 18 API calls 4147->4150 4148->4159 4164 406050 lstrcpynW 4148->4164 4151 402282 4149->4151 4150->4146 4157 405795 MessageBoxIndirectW 4151->4157 4162 406050 lstrcpynW 4152->4162 4155 401b9f GlobalFree 4155->4159 4156 401b6a 4163 406050 lstrcpynW 4156->4163 4157->4159 4160 401b79 4165 406050 lstrcpynW 4160->4165 4162->4156 4163->4160 4164->4155 4165->4159 4166 402537 4167 402562 4166->4167 4168 40254b 4166->4168 4170 402596 4167->4170 4171 402567 4167->4171 4169 402ba2 18 API calls 4168->4169 4178 402552 4169->4178 4173 402bbf 

        Control-flow Graph
        APIs
        • SetErrorMode.KERNELBASE ref: 004032C3
        • GetVersion.KERNEL32 ref: 004032C9
        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
        • #17.COMCTL32(00000007,00000009), ref: 00403315
        • OleInitialize.OLE32(00000000), ref: 0040331C
        • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
        • GetCommandLineW.KERNEL32(00433EE0,NSIS Error), ref: 0040334D
        • GetModuleHandleW.KERNEL32(00000000,0043F000,00000000), ref: 00403360
        • CharNextW.USER32(00000000,0043F000,00000020), ref: 00403387
          • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
          • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
        • DeleteFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsxB483.tmp), ref: 00403527
          • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,00433EE0,NSIS Error), ref: 0040605D
        • OleUninitialize.OLE32(?), ref: 004035F2
        • ExitProcess.KERNEL32 ref: 00403613
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403626
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403635
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403640
        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00440800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,0043F000,00000000,?), ref: 0040364C
        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
        • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
        • CopyFileW.KERNEL32(00442800,0042AA08,00000001), ref: 004036D6
        • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
        • OpenProcessToken.ADVAPI32(00000000), ref: 00403739
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
        • AdjustTokenPrivileges.ADVAPI32 ref: 00403771
        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
        • ExitProcess.KERNEL32 ref: 004037B9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
        • String ID: .tmp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsxB483.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
        • API String ID: 2488574733-4288650713
        • Opcode ID: 2ff4eeaa59d63db16641e32b56e8f41dd6deb8ab6398678d654e83296b586d17
        • Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
        • Opcode Fuzzy Hash: 2ff4eeaa59d63db16641e32b56e8f41dd6deb8ab6398678d654e83296b586d17
        • Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
        • wsprintfW.USER32 ref: 0040640C
        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: DirectoryLibraryLoadSystemwsprintf
        • String ID: %s%S.dll$UXTHEME$\
        • API String ID: 2200240437-1946221925
        • Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
        • Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
        • Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
        • Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • GetTickCount.KERNEL32 ref: 00405C72
        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,0043F000,0040329E,C:\Users\user\AppData\Local\Temp\nsxB483.tmp,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CountFileNameTempTick
        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
        • API String ID: 1716503409-2042855515
        • Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
        • Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
        • Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
        • Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
        • GetProcAddress.KERNEL32(00000000,?), ref: 00406457
          • Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
          • Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
          • Part of subcall function 004063BA: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
        • String ID:
        • API String ID: 2547128583-0
        • Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
        • Instruction ID: 08b0c8f2ef2dcefd2b61a20e7fd6ba3d75d00ffdaa245a95e4079d340ab3ded5
        • Opcode Fuzzy Hash: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
        • Instruction Fuzzy Hash: D2E0863260462056D25197745E4493773AD9E99744302043EFA46F2080DB789C329B6E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • GetFileAttributesW.KERNELBASE(00000003,00402E2E,00442800,80000000,00000003,?,?,0043F000,00403536,?), ref: 00405C29
        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,0043F000,00403536,?), ref: 00405C4B
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: File$AttributesCreate
        • String ID:
        • API String ID: 415043291-0
        • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
        • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
        • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
        • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
        • GetLastError.KERNEL32 ref: 0040570F
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID:
        • API String ID: 1375471231-0
        • Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
        • Instruction ID: e63be1853aafe68c2793134b37a867bebc3d2beebaf226ad42ac31f610d1a78e
        • Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
        • Instruction Fuzzy Hash: 7CC04C30225602DBDA105B60DE087177A94AB90741F118439A146E21A0DA348415ED2D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: FileRead
        • String ID:
        • API String ID: 2738559852-0
        • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
        • Instruction ID: ab2ba72c7da8d0590a5026c7b9f2a747677d692c160b15db9e96a66b9068c41a
        • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
        • Instruction Fuzzy Hash: 01E0EC3221425AABEF109E659C04EEB7B6CEB15361F104437F915F6150E631E861ABB4
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • MessageBoxIndirectW.USER32(0040A3B8), ref: 004057F0
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: IndirectMessage
        • String ID:
        • API String ID: 1874166685-0
        • Opcode ID: ccd026c5384589d9d91cd1dc4b0848bd3c598ee9e9c1ce5f4514bc091511ba40
        • Instruction ID: d7df18c7d1cfe7968f91a71e4ce65a96867a43453752e6a410af80c0e71b783f
        • Opcode Fuzzy Hash: ccd026c5384589d9d91cd1dc4b0848bd3c598ee9e9c1ce5f4514bc091511ba40
        • Instruction Fuzzy Hash: 45F0DF75620300CBC354CF58EA457963BE0F388315F54603AE945A63A0C77899A4DF0A
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • FindCloseChangeNotification.KERNELBASE(FFFFFFFF,004035F2,?), ref: 004037CA
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: ChangeCloseFindNotification
        • String ID:
        • API String ID: 2591292051-0
        • Opcode ID: 11f2164fdcf4882d09a4a0de7c791955399c7c72b14224a7a720262371b4e31f
        • Instruction ID: f140588c7f0437f4feb7db645ea9abd6b0460cad5339c8afa3da759f722761b4
        • Opcode Fuzzy Hash: 11f2164fdcf4882d09a4a0de7c791955399c7c72b14224a7a720262371b4e31f
        • Instruction Fuzzy Hash: 9CC0223010070042D0203F349E4F6143A546B00339FA08336B1F8B14F0C73C02A9881D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • GetDlgItem.USER32(?,00000403), ref: 0040534C
        • GetDlgItem.USER32(?,000003EE), ref: 0040535B
        • GetClientRect.USER32(?,?), ref: 00405398
        • GetSystemMetrics.USER32(00000002), ref: 0040539F
        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
        • ShowWindow.USER32(?,00000008), ref: 0040543B
        • GetDlgItem.USER32(?,000003EC), ref: 0040545C
        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
        • GetDlgItem.USER32(?,000003F8), ref: 0040536A
          • Part of subcall function 00404149: SendMessageW.USER32(00000028,?,00000001,00403F75), ref: 00404157
        • GetDlgItem.USER32(?,000003EC), ref: 004054AE
        • CreateThread.KERNEL32(00000000,00000000,Function_00005282,00000000), ref: 004054BC
        • CloseHandle.KERNEL32(00000000), ref: 004054C3
        • ShowWindow.USER32(00000000), ref: 004054E7
        • ShowWindow.USER32(?,00000008), ref: 004054EC
        • ShowWindow.USER32(00000008), ref: 00405536
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
        • CreatePopupMenu.USER32 ref: 0040557B
        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
        • GetWindowRect.USER32(?,?), ref: 004055AF
        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
        • OpenClipboard.USER32(00000000), ref: 00405610
        • EmptyClipboard.USER32 ref: 00405616
        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
        • GlobalLock.KERNEL32(00000000), ref: 0040562C
        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
        • GlobalUnlock.KERNEL32(00000000), ref: 00405660
        • SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
        • CloseClipboard.USER32 ref: 00405671
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
        • String ID: {
        • API String ID: 590372296-366298937
        • Opcode ID: 5a079ba3fa072edfcc104ec433df7a761f0ace007a27466cf36ce9faf3e20e8c
        • Instruction ID: 61e351ecde1d042c29ac1aa70548d375e1b8ad830a3fa6051c24e393c3684683
        • Opcode Fuzzy Hash: 5a079ba3fa072edfcc104ec433df7a761f0ace007a27466cf36ce9faf3e20e8c
        • Instruction Fuzzy Hash: FAB14971800608BFDB119F60DD89EAE7B79FB48355F00803AFA41BA1A0CB755E51DF58
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph
        APIs
        • GetDlgItem.USER32(?,000003F9), ref: 00404B43
        • GetDlgItem.USER32(?,00000408), ref: 00404B4E
        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
        • LoadBitmapW.USER32(0000006E), ref: 00404BAB
        • SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
        • SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
        • DeleteObject.GDI32(00000000), ref: 00404C21
        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
        • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
        • GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
        • ShowWindow.USER32(?,00000005), ref: 00404D7B
        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
        • ImageList_Destroy.COMCTL32(?), ref: 00404F4B
        • GlobalFree.KERNEL32(?), ref: 00404F5B
        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
        • SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
        • InvalidateRect.USER32(?,00000000,00000001), ref: 004050AC
        • ShowWindow.USER32(?,00000000), ref: 004050FA
        • GetDlgItem.USER32(?,000003FE), ref: 00405105
        • ShowWindow.USER32(00000000), ref: 0040510C
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
        • String ID: $M$N
        • API String ID: 1638840714-813528018
        • Opcode ID: 8c45a3bebccd838025462a13ae5546f6c20f9e3bfbd9b3af7d062b47be19aa5d
        • Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
        • Opcode Fuzzy Hash: 8c45a3bebccd838025462a13ae5546f6c20f9e3bfbd9b3af7d062b47be19aa5d
        • Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetDlgItem.USER32(?,000003FB), ref: 004045FE
        • SetWindowTextW.USER32(00000000,?), ref: 00404628
        • SHBrowseForFolderW.SHELL32(?), ref: 004046D9
        • CoTaskMemFree.OLE32(00000000), ref: 004046E4
        • lstrcmpiW.KERNEL32(00432E80,0042D248,00000000,?,?), ref: 00404716
        • lstrcatW.KERNEL32(?,00432E80), ref: 00404722
        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734
          • Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C
          • Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,0043F000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
          • Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
          • Part of subcall function 004062E4: CharNextW.USER32(?,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,0043F000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
          • Part of subcall function 004062E4: CharPrevW.USER32(?,?,756F3420,C:\Users\user\AppData\Local\Temp\,0043F000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
        • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 004047F7
        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812
          • Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
          • Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
          • Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
        • String ID: A
        • API String ID: 2624150263-3554254475
        • Opcode ID: 2012bd4a833c4d898378cba450fc69f200c02d46a41c020b3c2c2ea494a7c68c
        • Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
        • Opcode Fuzzy Hash: 2012bd4a833c4d898378cba450fc69f200c02d46a41c020b3c2c2ea494a7c68c
        • Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • DeleteFileW.KERNEL32(?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
        • lstrcatW.KERNEL32(0042F250,\*.*), ref: 004058B2
        • lstrcatW.KERNEL32(?,0040A014), ref: 004058D5
        • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
        • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
        • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
        • FindClose.KERNEL32(00000000), ref: 0040599A
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\$\*.*
        • API String ID: 2035342205-3151436664
        • Opcode ID: 0834fff36565ee898563603d92d026ad614ba3aa6e0f956547113d163bc73b70
        • Instruction ID: caf420165dc21d0a99f0983ed575dd8be70d76c6b9b5ff92ec706b465e099e4b
        • Opcode Fuzzy Hash: 0834fff36565ee898563603d92d026ad614ba3aa6e0f956547113d163bc73b70
        • Instruction Fuzzy Hash: DB41B171800A14EADB21AB65CD49BBF7678EF85764F10423BF801B11D1D77C4A82DE6E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • FindFirstFileW.KERNEL32(?,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405861,?,756F3420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
        • FindClose.KERNEL32(00000000), ref: 004063AA
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
        • Instruction ID: 351587cf9ce3a522800e1c73501a9738d9f8821b35168cd3fdb078f4a7df3edc
        • Opcode Fuzzy Hash: 395586dc4edb235965e2a282b5d7432a8e50c5a064bd8b1b9b8a05e290e3bc0b
        • Instruction Fuzzy Hash: C2D012315081209BC34157787E0C84B7B5C9F1A3317259F36F96AF12E1CB348C2286DC
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID:
        • String ID: p!C$p!C
        • API String ID: 0-3125587631
        • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
        • Instruction ID: 15f69c865bc8d9ec0e9cf8060aa07673d574756af28658d99b75493111c5da86
        • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
        • Instruction Fuzzy Hash: 1DC15831E042598BCF18CF68D4905EEB7B2FF99314F25826AD8567B380D7346A42CF95
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: 56003168661b43130369e71dd8cf878fc49476dd3371d308d312326e99dcc780
        • Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
        • Opcode Fuzzy Hash: 56003168661b43130369e71dd8cf878fc49476dd3371d308d312326e99dcc780
        • Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: FileFindFirst
        • String ID:
        • API String ID: 1974802433-0
        • Opcode ID: d6f78358f7ade9e8f3d23659ba78f034e892842c8f99be51438fbb4c03911560
        • Instruction ID: 34d4ac1ca0ba7345d9811ef03afe410f99a72e11e7e6ea98f315d3ade0c6d005
        • Opcode Fuzzy Hash: d6f78358f7ade9e8f3d23659ba78f034e892842c8f99be51438fbb4c03911560
        • Instruction Fuzzy Hash: 32F08C71A012149BDB01EBA4DE49AAEB378FF45324F20457BE105F21E1E7B89A409B29
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
        • Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
        • Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
        • Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph (rendered graph not recoverable; layout data omitted): function entry block 403c3c-403c4e, basic blocks 403c3c through 4040e3-4040ea; APIs on graph nodes: SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, SetClassLongW, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, EndDialog, CreateDialogParamW, GetWindowRect, ScreenToClient; internal calls: 404114, 40140b, 404160, 401389, 40417b, 4040ed, 406072, 404136, 404149, 406050
        APIs
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
        • ShowWindow.USER32(?), ref: 00403C95
        • DestroyWindow.USER32 ref: 00403CA9
        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
        • GetDlgItem.USER32(?,?), ref: 00403CE6
        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
        • IsWindowEnabled.USER32(00000000), ref: 00403D01
        • GetDlgItem.USER32(?,00000001), ref: 00403DAF
        • GetDlgItem.USER32(?,00000002), ref: 00403DB9
        • SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E24
        • GetDlgItem.USER32(?,00000003), ref: 00403ECA
        • ShowWindow.USER32(00000000,?), ref: 00403EEB
        • EnableWindow.USER32(?,?), ref: 00403EFD
        • EnableWindow.USER32(?,?), ref: 00403F18
        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F2E
        • EnableMenuItem.USER32(00000000), ref: 00403F35
        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F4D
        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
        • lstrlenW.KERNEL32(0042D248,?,0042D248,00433EE0), ref: 00403F89
        • SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
        • ShowWindow.USER32(?,0000000A), ref: 004040D1
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
        • String ID:
        • API String ID: 184305955-0
        • Opcode ID: e1775bd96034a2e9b84b6caeea95e75ccf973f15f4dd1e1e4651a04b425f50ef
        • Instruction ID: 977002fee4e807fcea2a4689fe207fdbad8331f3a024ab3ce592dbd86d7f0908
        • Opcode Fuzzy Hash: e1775bd96034a2e9b84b6caeea95e75ccf973f15f4dd1e1e4651a04b425f50ef
        • Instruction Fuzzy Hash: 2EC1D171504204BFDB216F61EE89E2B3A69FB88706F04053EF641B21F0CB799991DB6D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph (rendered graph not recoverable; layout data omitted): function entry block 403899-4038b1, basic blocks 403899 through 403b67-403b6e; APIs on graph nodes: lstrcatW, LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, lstrlenW, lstrcmpiW, GetFileAttributesW, ShowWindow, GetClassInfoW, DialogBoxParamW; internal calls: 40642a, 405f97, 405f1d, 403b6f, 405b0c, 406072, 405a31, 405a04, 406050, 405a50, 40140b, 405282, 4063ba, 4037e9
        APIs
          • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
          • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxB483.tmp,0042D248), ref: 0040391A
        • lstrlenW.KERNEL32(00432E80,?,?,?,00432E80,00000000,0043F800,C:\Users\user\AppData\Local\Temp\nsxB483.tmp,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,756F3420), ref: 0040399A
        • lstrcmpiW.KERNEL32(00432E78,.exe,00432E80,?,?,?,00432E80,00000000,0043F800,C:\Users\user\AppData\Local\Temp\nsxB483.tmp,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
        • GetFileAttributesW.KERNEL32(00432E80), ref: 004039B8
        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403A01
          • Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4
        • RegisterClassW.USER32(00433E80), ref: 00403A3E
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
        • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
        • ShowWindow.USER32(00000005,00000000), ref: 00403AC1
        • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
        • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
        • RegisterClassW.USER32(00433E80), ref: 00403B03
        • DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
        • String ID: .DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsxB483.tmp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
        • API String ID: 1975747703-2553315635
        • Opcode ID: 1e5cccfba524a45f2d4d11677c2131e391572546f947df2dae94b256ac055dae
        • Instruction ID: d3915a60f35156ec108069fee93d058ae2b4a83f87b830a45993cae0616e5fa0
        • Opcode Fuzzy Hash: 1e5cccfba524a45f2d4d11677c2131e391572546f947df2dae94b256ac055dae
        • Instruction Fuzzy Hash: EF61AA71640700AFD310AF659D46F2B3A6CEB84B4AF40113FF941B51E2DB7D6941CA2D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040434F
        • GetDlgItem.USER32(?,000003E8), ref: 00404363
        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
        • GetSysColor.USER32(?), ref: 00404391
        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040439F
        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043AD
        • lstrlenW.KERNEL32(?), ref: 004043B2
        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043BF
        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D4
        • GetDlgItem.USER32(?,0000040A), ref: 0040442D
        • SendMessageW.USER32(00000000), ref: 00404434
        • GetDlgItem.USER32(?,000003E8), ref: 0040445F
        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A2
        • LoadCursorW.USER32(00000000,00007F02), ref: 004044B0
        • SetCursor.USER32(00000000), ref: 004044B3
        • ShellExecuteW.SHELL32(0000070B,open,00432E80,00000000,00000000,00000001), ref: 004044C8
        • LoadCursorW.USER32(00000000,00007F00), ref: 004044D4
        • SetCursor.USER32(00000000), ref: 004044D7
        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404506
        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404518
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
        • String ID: (B@$N$open
        • API String ID: 3615053054-3643564497
        • Opcode ID: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
        • Instruction ID: 98cd9110a96fdc90c980e8b88af1c06473e6a142e5aecddf25117f52f4c400a7
        • Opcode Fuzzy Hash: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
        • Instruction Fuzzy Hash: 217181B1900209BFDB109F60DD89AAA7B79FB84745F00803AF745B62D1C778AD51CFA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
        • BeginPaint.USER32(?,?), ref: 00401047
        • GetClientRect.USER32(?,?), ref: 0040105B
        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
        • DeleteObject.GDI32(?), ref: 004010ED
        • CreateFontIndirectW.GDI32(?), ref: 00401105
        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
        • SelectObject.GDI32(00000000,?), ref: 00401140
        • DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
        • SelectObject.GDI32(00000000,00000000), ref: 00401160
        • DeleteObject.GDI32(?), ref: 00401165
        • EndPaint.USER32(?,?), ref: 0040116E
        Strings
        Similarity
        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
        • String ID: F
        • API String ID: 941294808-1304234792
        • Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
        • Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
        • Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
        • Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrcpyW.KERNEL32(004308E8,NUL), ref: 00405D8E
        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00405F12,?,?), ref: 00405DB2
        • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB
          • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
          • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
        • GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
        • wsprintfA.USER32 ref: 00405DF6
        • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
        • SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
        • GlobalFree.KERNEL32(00000000), ref: 00405EDF
        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6
          • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,00442800,80000000,00000003,?,?,0043F000,00403536,?), ref: 00405C29
          • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,0043F000,00403536,?), ref: 00405C4B
        Strings
        Similarity
        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
        • String ID: %ls=%ls$NUL$[Rename]
        • API String ID: 222337774-899692902
        • Opcode ID: 0a66907fe9b0217bb8d17ec5212d88e84616c82850af9cfedb14c7ec6270a046
        • Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
        • Opcode Fuzzy Hash: 0a66907fe9b0217bb8d17ec5212d88e84616c82850af9cfedb14c7ec6270a046
        • Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetTickCount.KERNEL32 ref: 00402DFF
        • GetModuleFileNameW.KERNEL32(00000000,00442800,00000400,?,?,0043F000,00403536,?), ref: 00402E1B
          • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,00442800,80000000,00000003,?,?,0043F000,00403536,?), ref: 00405C29
          • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,0043F000,00403536,?), ref: 00405C4B
        • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,00442800,00442800,80000000,00000003,?,?,0043F000,00403536,?), ref: 00402E67
        Strings
        • Inst, xrefs: 00402ED3
        • Null, xrefs: 00402EE5
        • Error launching installer, xrefs: 00402E3E
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
        • soft, xrefs: 00402EDC
        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
        • asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d, xrefs: 00402E7C, 00402E9D, 00402EB9, 00402F45
        Similarity
        • API ID: File$AttributesCountCreateModuleNameSizeTick
        • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d$soft
        • API String ID: 4283519449-1435006166
        • Opcode ID: 05824455060977a7bb7252739558d1f5cb77a7710911f7e6d34bdacea54ead92
        • Instruction ID: ecf8b1e823d6f98de7c15f593086dd5554d056807b59ad61161c89ef3c81dadd
        • Opcode Fuzzy Hash: 05824455060977a7bb7252739558d1f5cb77a7710911f7e6d34bdacea54ead92
        • Instruction Fuzzy Hash: AF51F671900216ABDB109F61DE89B9F7BB8FB54394F21413BF904B62C1C7B89D409B6C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetVersion.KERNEL32(00000000,0042C228,?,004051E6,0042C228,00000000,00000000,?), ref: 00406135
        • GetSystemDirectoryW.KERNEL32(00432E80,00000400), ref: 004061B3
        • GetWindowsDirectoryW.KERNEL32(00432E80,00000400), ref: 004061C6
        • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
        • SHGetPathFromIDListW.SHELL32(?,00432E80), ref: 00406210
        • CoTaskMemFree.OLE32(?), ref: 0040621B
        • lstrcatW.KERNEL32(00432E80,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
        • lstrlenW.KERNEL32(00432E80,00000000,0042C228,?,004051E6,0042C228,00000000,00000000,?), ref: 00406299
        Strings
        • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406181
        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406239
        Similarity
        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
        • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
        • API String ID: 900638850-730719616
        • Opcode ID: 0e6e7012782d552d3a91de86c70f0f64d15dea142bf4888c7ca5ccf2af425d1f
        • Instruction ID: 6a0e75f8176bdfaa808a817e977aa907b1c5d4b6119349843486ba00336cef2a
        • Opcode Fuzzy Hash: 0e6e7012782d552d3a91de86c70f0f64d15dea142bf4888c7ca5ccf2af425d1f
        • Instruction Fuzzy Hash: 45611E71A00105ABDF20AF65CC41AEE37A5EF45314F12817FE852BA2D0D73D8AA1CB4D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetWindowLongW.USER32(?,000000EB), ref: 00404198
        • GetSysColor.USER32(00000000), ref: 004041B4
        • SetTextColor.GDI32(?,00000000), ref: 004041C0
        • SetBkMode.GDI32(?,?), ref: 004041CC
        • GetSysColor.USER32(?), ref: 004041DF
        • SetBkColor.GDI32(?,?), ref: 004041EF
        • DeleteObject.GDI32(?), ref: 00404209
        • CreateBrushIndirect.GDI32(?), ref: 00404213
        Similarity
        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
        • String ID:
        • API String ID: 2320649405-0
        • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
        • Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
        • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
        • Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Similarity
        • API ID: CountTick$wsprintf
        • String ID: ... %d%%$@
        • API String ID: 551687249-3859443358
        • Opcode ID: b9c73abe30954886df544254ff6dcb1187f966f7efd401cac9ed90b15a2befc5
        • Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
        • Opcode Fuzzy Hash: b9c73abe30954886df544254ff6dcb1187f966f7efd401cac9ed90b15a2befc5
        • Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
          • Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D1C
        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
        Strings
        Similarity
        • API ID: File$Pointer$ByteCharMultiWide$Read
        • String ID: 9
        • API String ID: 163830602-2366072709
        • Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
        • Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
        • Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
        • Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenW.KERNEL32(0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
        • lstrlenW.KERNEL32(0040318B,0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
        • lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
        • SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
        Similarity
        • API ID: MessageSend$lstrlen$TextWindowlstrcat
        • String ID:
        • API String ID: 2531174081-0
        • Opcode ID: 661b82109fdd2a37eb13e55163fdf06ea5e70fc68841ee5fa768d2a587fa1c0b
        • Instruction ID: 3abc69651b1b947d68a29ef5f67bb3ab151c750651a003a3f474b57aa403b91e
        • Opcode Fuzzy Hash: 661b82109fdd2a37eb13e55163fdf06ea5e70fc68841ee5fa768d2a587fa1c0b
        • Instruction Fuzzy Hash: E6216D71900518BACB119FA5DD85ECFBFB8EF45354F14807AF944B62A0C7798A50CF68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CharNextW.USER32(?,*?|<>/":,00000000,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,0043F000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
        • CharNextW.USER32(?,?,?,00000000), ref: 00406356
        • CharNextW.USER32(?,00000000,756F3420,C:\Users\user\AppData\Local\Temp\,0043F000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
        • CharPrevW.USER32(?,?,756F3420,C:\Users\user\AppData\Local\Temp\,0043F000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
        Strings
        Similarity
        • API ID: Char$Next$Prev
        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
        • API String ID: 589700163-681532160
        • Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
        • Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
        • Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
        • Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
        • GetMessagePos.USER32 ref: 00404A9C
        • ScreenToClient.USER32(?,?), ref: 00404AB6
        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE
        Strings
        Similarity
        • API ID: Message$Send$ClientScreen
        • String ID: f
        • API String ID: 41195575-1993550816
        • Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
        • Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
        • Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
        • Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
        • MulDiv.KERNEL32(?,00000064,00051A00), ref: 00402D4D
        • wsprintfW.USER32 ref: 00402D5D
        • SetWindowTextW.USER32(?,?), ref: 00402D6D
        • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
        Strings
        • verifying installer: %d%%, xrefs: 00402D57
        Similarity
        • API ID: Text$ItemTimerWindowwsprintf
        • String ID: verifying installer: %d%%
        • API String ID: 1451636040-82062127
        • Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
        • Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
        • Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
        • Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
        • GlobalFree.KERNEL32(?), ref: 004028E9
        • GlobalFree.KERNEL32(00000000), ref: 004028FC
        • CloseHandle.KERNEL32(?), ref: 00402914
        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
        Similarity
        • API ID: Global$AllocFree$CloseDeleteFileHandle
        • String ID:
        • API String ID: 2667972263-0
        • Opcode ID: d38b97de9adbc21ced8ed8a744625ac0d1ee3a783b6f23ffb60f529b6eaed753
        • Instruction ID: 1aef917cd227803a683e0008524bb9a83fcfbb8b8ade77014dfab24c7f5e3f69
        • Opcode Fuzzy Hash: d38b97de9adbc21ced8ed8a744625ac0d1ee3a783b6f23ffb60f529b6eaed753
        • Instruction Fuzzy Hash: F121C172800128BBCF216FA5CE49D9E7E79EF09324F20023AF510762E1C7795D418FA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
        • GetLastError.KERNEL32 ref: 004056D5
        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
        • GetLastError.KERNEL32 ref: 004056F4
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4
        Similarity
        • API ID: ErrorLast$CreateDirectoryFileSecurity
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 3449924974-1881609536
        • Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
        • Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
        • Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
        • Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
        • CompareFileTime.KERNEL32(-00000014,?,0040A5D0,0040A5D0,00000000,00000000,0040A5D0,00440000,?,?,00000031), ref: 004017CD
          • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,00433EE0,NSIS Error), ref: 0040605D
          • Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
          • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
          • Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
          • Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
          • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
          • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
          • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
        • String ID:
        • API String ID: 1941528284-0
        • Opcode ID: 6775144717fc476b5dbb97c3b6100e3a591b898303e6615bd834b0ce0a67ae3b
        • Instruction ID: fa226e2697354f8a36450ecb7523776f7f82d9f29d3b914395726c71c929f9d2
        • Opcode Fuzzy Hash: 6775144717fc476b5dbb97c3b6100e3a591b898303e6615bd834b0ce0a67ae3b
        • Instruction Fuzzy Hash: 37418471900514BADF11BBB5CC46EAF7679EF45328F20823BF522B10E1DB3C8A519A6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
        • RegCloseKey.ADVAPI32(?), ref: 00402C65
        • RegCloseKey.ADVAPI32(?), ref: 00402C8A
        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Close$DeleteEnumOpen
        • String ID:
        • API String ID: 1912718029-0
        • Opcode ID: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
        • Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
        • Opcode Fuzzy Hash: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
        • Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetDlgItem.USER32(?,?), ref: 00401D00
        • GetClientRect.USER32(00000000,?), ref: 00401D0D
        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
        • DeleteObject.GDI32(00000000), ref: 00401D4B
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
        • String ID:
        • API String ID: 1849352358-0
        • Opcode ID: 31fd25822ce6b79118aa2e1ca3bb08fcdcc3158db0601b843d79d25736b73e43
        • Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
        • Opcode Fuzzy Hash: 31fd25822ce6b79118aa2e1ca3bb08fcdcc3158db0601b843d79d25736b73e43
        • Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetDC.USER32(?), ref: 00401D59
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
        • ReleaseDC.USER32(?,00000000), ref: 00401D86
        • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CapsCreateDeviceFontIndirectRelease
        • String ID:
        • API String ID: 3808545654-0
        • Opcode ID: e2cc8dd5de9789456435784dbdd19b949a1a7a801120b19954393673f8e1d613
        • Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
        • Opcode Fuzzy Hash: e2cc8dd5de9789456435784dbdd19b949a1a7a801120b19954393673f8e1d613
        • Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
        • wsprintfW.USER32 ref: 00404A15
        • SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: ItemTextlstrlenwsprintf
        • String ID: %u.%u%s%s
        • API String ID: 3540041739-3551169577
        • Opcode ID: 11697fbeee2ec27caa838f9577c25575cb5a28f5da9000204df2581051c2f439
        • Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
        • Opcode Fuzzy Hash: 11697fbeee2ec27caa838f9577c25575cb5a28f5da9000204df2581051c2f439
        • Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$Timeout
        • String ID: !
        • API String ID: 1777923405-2657877971
        • Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
        • Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
        • Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
        • Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FEE
          • Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
          • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
          • Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
          • Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
          • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
          • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
          • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
        • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
        • String ID: `OC
        • API String ID: 334405425-799166930
        • Opcode ID: 5181d75713787ffd6a629225a60919502673a9056936f114145810241d72ddad
        • Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
        • Opcode Fuzzy Hash: 5181d75713787ffd6a629225a60919502673a9056936f114145810241d72ddad
        • Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,00433EE0,NSIS Error), ref: 0040605D
          • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405861,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
          • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
          • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
        • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405861,?,756F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
        • GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50, 4ou,?,C:\Users\user\AppData\Local\Temp\,00405861,?,756F3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CharNext$AttributesFilelstrcpynlstrlen
        • String ID: 4ou$C:\Users\user\AppData\Local\Temp\
        • API String ID: 3248276644-2259175124
        • Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
        • Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
        • Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
        • Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
        • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
        • lstrcatW.KERNEL32(?,0040A014), ref: 00405A26
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CharPrevlstrcatlstrlen
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 2659869361-1881609536
        • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
        • Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
        • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
        • Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
        • lstrlenW.KERNEL32(0040B5D0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
        • RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
        • RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CloseCreateValuelstrlen
        • String ID:
        • API String ID: 1356686001-0
        • Opcode ID: bfedc165a8574070aa25792ea214acd43fbdea90d1c39bf4e8f4e2e036591c34
        • Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
        • Opcode Fuzzy Hash: bfedc165a8574070aa25792ea214acd43fbdea90d1c39bf4e8f4e2e036591c34
        • Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
          • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,?,756F23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
          • Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
          • Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
          • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
          • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
          • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
          • Part of subcall function 00405730: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
          • Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766
        • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
        • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
        • String ID:
        • API String ID: 3585118688-0
        • Opcode ID: e8bd30eb30573bb393d6b9c1201975896ec1614d82597cab9a1ef0ab8b9eb6fa
        • Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
        • Opcode Fuzzy Hash: e8bd30eb30573bb393d6b9c1201975896ec1614d82597cab9a1ef0ab8b9eb6fa
        • Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,0043F000,00403536,?), ref: 00402D9D
        • GetTickCount.KERNEL32 ref: 00402DBB
        • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
        • ShowWindow.USER32(00000000,00000005,?,?,0043F000,00403536,?), ref: 00402DE6
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Window$CountCreateDestroyDialogParamShowTick
        • String ID:
        • API String ID: 2102729457-0
        • Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
        • Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
        • Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
        • Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • IsWindowVisible.USER32(?), ref: 00405152
        • CallWindowProcW.USER32(?,?,?,?), ref: 004051A3
          • Part of subcall function 00404160: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404172
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Window$CallMessageProcSendVisible
        • String ID:
        • API String ID: 3748168415-3916222277
        • Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
        • Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
        • Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
        • Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
        • CloseHandle.KERNEL32(?), ref: 00405766
        Strings
        • Error launching installer, xrefs: 00405743
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: CloseCreateHandleProcess
        • String ID: Error launching installer
        • API String ID: 3712363035-66219284
        • Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
        • Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
        • Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
        • Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • FreeLibrary.KERNEL32(?,756F3420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
        • GlobalFree.KERNEL32(?), ref: 00403825
        Strings
        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403804
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: Free$GlobalLibrary
        • String ID: C:\Users\user\AppData\Local\Temp\
        • API String ID: 1100898210-1881609536
        • Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
        • Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
        • Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
        • Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
        • CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
        • lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
        Memory Dump Source
        • Source File: 00000000.00000002.1282549877.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1282535891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000408000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000422000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000431000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282563211.0000000000441000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.1282653189.0000000000458000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_MbYnGuRGnm.jbxd
        Similarity
        • API ID: lstrlen$CharNextlstrcmpi
        • String ID:
        • API String ID: 190613189-0
        • Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
        • Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
        • Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
        • Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8
        Uniqueness

        Uniqueness Score: -1.00%
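
        Added triage example (editor's code, not part of the Joe Sandbox report and not NSIS or Joe Sandbox code): a Python parser for the per-function "APIs" listings above. It splits the text at each "APIs" header, turns every "• API.MODULE(args), ref: ADDR" entry (including the "Part of subcall function ADDR:" form) into a call record, and maps API combinations within one function to the capability they imply, which is how an analyst reads the registry-deletion, registry-write, process-spawning and "[Rename]" functions in this section. The SAMPLE text is copied from entries in the report; the rule table, the capability labels and the reading of the "[Rename]" argument as reboot-time rename handling are the editor's assumptions, not report output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Sample input copied from "APIs" entries in the report above (one "APIs" header per function).
SAMPLE = """\
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
• RegCloseKey.ADVAPI32(?), ref: 00402C65
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
APIs
• RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
APIs
  • Part of subcall function 00405730: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
"""

# One entry: optional "Part of subcall function ADDR:" prefix, API.MODULE, optional (args), ref: ADDR.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumed capability rules (editor's mapping): every API in the set must appear in the same function.
RULES: List[Tuple[Set[str], str]] = [
    ({"RegEnumKeyW", "RegDeleteKeyW"}, "recursive registry key deletion"),
    ({"RegCreateKeyExW", "RegSetValueExW"}, "registry value write"),
    ({"CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"},
     "spawns a child process and waits for its exit code"),
]


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                # call-site address as reported
    subcall: Optional[int]  # callee that really issues the call when reported as a subcall


def parse_api_entries(text: str) -> List[List[Call]]:
    """Return one list of Call records per 'APIs' header in the report text."""
    blocks: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        current.append(Call(api=m["api"], module=m["mod"], args=args,
                            ref=int(m["ref"], 16),
                            subcall=int(m["sub"], 16) if m["sub"] else None))
    return blocks


def classify(block: List[Call]) -> List[str]:
    """Map the APIs (and notable string arguments) of one function to capability labels."""
    apis = {c.api for c in block}
    caps = [label for required, label in RULES if required <= apis]
    # Assumption: a "[Rename]" string next to lstrlenA/lstrcmpiA is ini-section parsing for
    # reboot-time renames, so flag it even though no file API is visible in the block itself.
    if any("[Rename]" in c.args for c in block):
        caps.append("reboot-time file rename via a [Rename] ini section")
    return caps


def triage(text: str) -> List[dict]:
    """Summarise each function block: APIs seen, direct call-site range, inferred capabilities."""
    out = []
    for i, block in enumerate(parse_api_entries(text)):
        # Subcall entries carry the callee's address, so only direct calls bound the function.
        direct = [c.ref for c in block if c.subcall is None]
        out.append({
            "block": i,
            "apis": sorted({c.api for c in block}),
            "ref_range": (min(direct), max(direct)) if direct else None,
            "capabilities": classify(block),
        })
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

        The "ref_range" deliberately ignores subcall entries: their address belongs to the callee (0x405730 here), not to the function whose block they are listed under, so including them would make the function look larger than it is.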