Windows Analysis Report
4NsDuAp8TA.exe

Overview

General Information

Sample name:4NsDuAp8TA.exe
renamed because original name is a hash value
Original sample name:0471df01d611ffbd17f9bb9e6e32d69685d2378184c69107ff78a31bbbc84567.exe
Analysis ID:1438239
MD5:cae6f54148013b927ed9f993f739ae2e
SHA1:381484ae43668a86797ef320f3d0eaaf0e907251
SHA256:0471df01d611ffbd17f9bb9e6e32d69685d2378184c69107ff78a31bbbc84567
Tags:exe
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • 4NsDuAp8TA.exe (PID: 1124 cmdline: "C:\Users\user\Desktop\4NsDuAp8TA.exe" MD5: CAE6F54148013B927ED9F993F739AE2E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 4NsDuAp8TA.exe | Virustotal: Detection: 38%
Source: 4NsDuAp8TA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_0040264F FindFirstFileA,0_2_0040264F
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405454 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405454
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405E7B FindFirstFileA,FindClose,0_2_00405E7B
Source: 4NsDuAp8TA.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 4NsDuAp8TA.exe, 00000000.00000002.2045049060.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error(
Source: 4NsDuAp8TA.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FC2
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_004030EF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030EF
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00404801 0_2_00404801
Source: 4NsDuAp8TA.exe | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: 4NsDuAp8TA.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_004042C5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004042C5
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,0_2_00402036
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | File created: C:\Users\user\AppData\Local\Temp\nsi56C.tmp
Source: 4NsDuAp8TA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4NsDuAp8TA.exe | Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | File read: C:\Users\user\Desktop\4NsDuAp8TA.exe
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405EA2 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EA2
Source: 4NsDuAp8TA.exe | Static PE information: real checksum: 0x70616 should be: 0x310b9
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | API coverage: 8.3 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_0040264F FindFirstFileA,0_2_0040264F
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405454 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405454
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405E7B FindFirstFileA,FindClose,0_2_00405E7B
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | API call chain: ExitProcess graph end node graph_0-2815
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405EA2 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405EA2
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\4NsDuAp8TA.exe | Code function: 0_2_00405B99 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405B99
Tactic: Techniques (number of matching signatures in brackets)
Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Acquire Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Native API (1); Scheduled Task/Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts
Defense Evasion: DLL Side-Loading (1); Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery (2); System Information Discovery (4)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Archive Collected Data (1); Clipboard Data (1)
Command and Control: Encrypted Channel (1); Junk Data
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: System Shutdown/Reboot (1); Network Denial of Service

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
4NsDuAp8TA.exe | 38% | Virustotal | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | 4NsDuAp8TA.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | 4NsDuAp8TA.exe | false | | high
http://nsis.sf.net/NSIS_Error( | 4NsDuAp8TA.exe, 00000000.00000002.2045049060.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp | false | | high
No contacted IP infos
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1438239
        Start date and time:2024-05-08 14:08:07 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 47s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:2
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:4NsDuAp8TA.exe
        renamed because original name is a hash value
        Original Sample Name:0471df01d611ffbd17f9bb9e6e32d69685d2378184c69107ff78a31bbbc84567.exe
        Detection:MAL
        Classification:mal48.winEXE@1/0@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 9
        • Number of non-executed functions: 38
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): dllhost.exe
        No simulations
        No context
        No created / dropped files found
        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
        Entropy (8bit):6.342181082524124
        TrID:
        • Win32 Executable (generic) a (10002005/4) 92.16%
        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:4NsDuAp8TA.exe
        File size:165'400 bytes
        MD5:cae6f54148013b927ed9f993f739ae2e
        SHA1:381484ae43668a86797ef320f3d0eaaf0e907251
        SHA256:0471df01d611ffbd17f9bb9e6e32d69685d2378184c69107ff78a31bbbc84567
        SHA512:2c5d51b462c81d6a9461f47011313e554c0feb4ba68f65e97898686ea40e7d591e5c1b1802e1349f5e161ad683b80efa13bc7dfe0dec6b60428e49385cd73816
        SSDEEP:3072:qylurXGahXJpKmvQEMpJDqgkwQmvpUJ26qTJX:qzZzycgkyvG1qVX
        TLSH:B6F30756E3099CB8DD1A0775667BEDB10A23BEB8E420641D25DE3D2F7E73382406AD07
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x.......z...x...........i...,"..t.......y...Richx...........................PE..L....e.Q.................\....9....
        Icon Hash:d080c6ee8e92ca1d
        Entrypoint:0x4030ef
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        DLL Characteristics:TERMINAL_SERVER_AWARE
        Time Stamp:0x519965C7 [Sun May 19 23:52:39 2013 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:b40f29cd171eb54c01b1dd2683c9c26b
        Signature Valid:
        Signature Issuer:
        Signature Validation Error:
        Error Number:
        Not Before, Not After
          Subject Chain
            Version:
            Thumbprint MD5:
            Thumbprint SHA-1:
            Thumbprint SHA-256:
            Serial:
            Instruction
            sub esp, 00000184h
            push ebx
            push ebp
            push esi
            xor ebx, ebx
            push edi
            mov dword ptr [esp+1Ch], ebx
            mov dword ptr [esp+10h], 00409190h
            mov dword ptr [esp+18h], ebx
            mov byte ptr [esp+14h], 00000020h
            call dword ptr [00407034h]
            push 00008001h
            call dword ptr [004070B0h]
            push ebx
            call dword ptr [0040728Ch]
            push 00000008h
            mov dword ptr [007A27B8h], eax
            call 00007F77250DD9F3h
            mov dword ptr [007A2704h], eax
            push ebx
            lea eax, dword ptr [esp+38h]
            push 00000160h
            push eax
            push ebx
            push 0079DCB8h
            call dword ptr [00407164h]
            push 00409180h
            push 007A1F00h
            call 00007F77250DD69Dh
            call dword ptr [0040711Ch]
            mov ebp, 007A8000h
            push eax
            push ebp
            call 00007F77250DD68Bh
            push ebx
            call dword ptr [00407114h]
            cmp byte ptr [007A8000h], 00000022h
            mov dword ptr [007A2700h], eax
            mov eax, ebp
            jne 00007F77250DAC8Ch
            mov byte ptr [esp+14h], 00000022h
            mov eax, 007A8001h
            push dword ptr [esp+14h]
            push eax
            call 00007F77250DD138h
            push eax
            call dword ptr [00407220h]
            mov dword ptr [esp+20h], eax
            jmp 00007F77250DAD40h
            cmp cl, 00000020h
            jne 00007F77250DAC88h
            inc eax
            cmp byte ptr [eax], 00000020h
            je 00007F77250DAC7Ch
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3bf000 | 0x111c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x63780 | 0xa40 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5bc2 | 0x5c00 | d75213ff3654bd251ba7ede13ba551f3 | False | 0.6815132472826086 | data | 6.5073852787100455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x11ce | 0x1200 | 6c31e0693072284f258d2c4a271de506 | False | 0.4524739583333333 | OpenPGP Secret Key | 5.236327486414569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x3997f8 | 0x400 | cc4b8c7cfe81dc194cfb0c595288fc86 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a3000 | 0x1c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3bf000 | 0x111c8 | 0x11200 | bbb015d8423c571296eed99a1464fd36 | False | 0.12783702098540145 | data | 4.40852816567891 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3bf208 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | English | United States | 0.11396841358097717
RT_DIALOG | 0x3cfa30 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x3cfb50 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x3cfc70 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x3cfd38 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3cfd98 | 0x14 | data | English | United States | 1.15
RT_VERSION | 0x3cfdb0 | 0x148 | x86 executable not stripped | English | United States | 0.600609756097561
RT_MANIFEST | 0x3cfef8 | 0x2cb | XML 1.0 document, ASCII text, with very long lines (715), with no line terminators | English | United States | 0.5664335664335665
DLL | Import
KERNEL32.dll: Sleep, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, CompareFileTime, SearchPathA, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, SetFileAttributesA, lstrcmpiA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, GetCommandLineA, GetTempPathA, FreeLibrary, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, WriteFile, MultiByteToWideChar
USER32.dll: CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken
English | United States
            No network behavior found


            Target ID:0
            Start time:14:08:53
            Start date:08/05/2024
            Path:C:\Users\user\Desktop\4NsDuAp8TA.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\4NsDuAp8TA.exe"
            Imagebase:0x400000
            File size:165'400 bytes
            MD5 hash:CAE6F54148013B927ED9F993F739AE2E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true


              Execution Graph

              Execution Coverage:5.3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:22.3%
              Total number of Nodes:1243
              Total number of Limit Nodes:16
2994 405ba6 2985->2994 2986 405dc9 2987 40344c DeleteFileA 2986->2987 3188 405b77 lstrcpynA 2986->3188 2987->2841 2987->2849 2989 405c47 GetVersion 2989->2994 2990 405da0 lstrlenA 2990->2994 2992 405b99 10 API calls 2992->2990 2994->2986 2994->2989 2994->2990 2994->2992 2995 405a5e 3 API calls 2994->2995 2996 405cbf GetSystemDirectoryA 2994->2996 2997 405cd2 GetWindowsDirectoryA 2994->2997 2998 405de2 5 API calls 2994->2998 2999 405b99 10 API calls 2994->2999 3000 405d49 lstrcatA 2994->3000 3001 405d06 SHGetSpecialFolderLocation 2994->3001 3186 405ad5 wsprintfA 2994->3186 3187 405b77 lstrcpynA 2994->3187 2995->2994 2996->2994 2997->2994 2998->2994 2999->2994 3000->2994 3001->2994 3002 405d1e SHGetPathFromIDListA CoTaskMemFree 3001->3002 3002->2994 3004 405ea2 3 API calls 3003->3004 3005 405a32 3004->3005 3007 405a53 3005->3007 3189 40589d lstrcpyA 3005->3189 3007->2849 3009 405382 3008->3009 3010 405376 CloseHandle 3008->3010 3009->2849 3010->3009 3012 401389 2 API calls 3011->3012 3013 401420 3012->3013 3013->2813 3021 405dee 3014->3021 3015 405e56 3016 405e5a CharPrevA 3015->3016 3018 405e75 3015->3018 3016->3015 3017 405e4b CharNextA 3017->3015 3017->3021 3018->2865 3019 40564f CharNextA 3019->3021 3020 405e39 CharNextA 3020->3021 3021->3015 3021->3017 3021->3019 3021->3020 3022 405e46 CharNextA 3021->3022 3022->3017 3024 4030d9 CreateDirectoryA 3023->3024 3025 40563e lstrcatA 3023->3025 3026 405854 3024->3026 3025->3024 3027 40585f GetTickCount GetTempFileNameA 3026->3027 3028 4030ed 3027->3028 3029 40588c 3027->3029 3028->2788 3029->3027 3029->3028 3030->2872 3031->2875 3033 405678 3032->3033 3034 402c9f 3033->3034 3035 40567d CharPrevA 3033->3035 3036 405b77 lstrcpynA 3034->3036 3035->3033 3035->3034 3036->2879 3038 403093 3037->3038 3038->2880 3040 402bf0 3039->3040 3041 402bd8 3039->3041 3044 402c00 GetTickCount 3040->3044 3045 402bf8 3040->3045 3042 402be1 DestroyWindow 3041->3042 3043 402be8 3041->3043 3042->3043 3043->2892 3046 402c31 3044->3046 3047 
402c0e CreateDialogParamA ShowWindow 3044->3047 3072 405edb 3045->3072 3046->2892 3047->3046 3050->2889 3051->2890 3054 402e84 3052->3054 3053 402eb1 3056 403072 ReadFile 3053->3056 3054->3053 3076 4030a4 SetFilePointer 3054->3076 3057 402ebc 3056->3057 3058 403001 3057->3058 3059 402ece GetTickCount 3057->3059 3061 402fec 3057->3061 3060 40304d 3058->3060 3065 403005 3058->3065 3059->3061 3069 402ef7 3059->3069 3062 403072 ReadFile 3060->3062 3061->2897 3062->3061 3063 403072 ReadFile 3063->3069 3064 403072 ReadFile 3064->3065 3065->3061 3065->3064 3066 403025 WriteFile 3065->3066 3066->3061 3066->3065 3067 402f4d GetTickCount 3067->3069 3068 402f76 MulDiv wsprintfA 3077 404e84 3068->3077 3069->3061 3069->3063 3069->3067 3069->3068 3071 402fb4 WriteFile 3069->3071 3071->3061 3071->3069 3073 405ef8 PeekMessageA 3072->3073 3074 402bfe 3073->3074 3075 405eee DispatchMessageA 3073->3075 3074->2892 3075->3073 3076->3053 3078 404e9f 3077->3078 3086 404f42 3077->3086 3079 404ebc lstrlenA 3078->3079 3080 405b99 18 API calls 3078->3080 3081 404ee5 3079->3081 3082 404eca lstrlenA 3079->3082 3080->3079 3083 404ef8 3081->3083 3084 404eeb SetWindowTextA 3081->3084 3085 404edc lstrcatA 3082->3085 3082->3086 3083->3086 3087 404efe SendMessageA SendMessageA SendMessageA 3083->3087 3084->3083 3085->3081 3086->3069 3087->3086 3089 40359b 3088->3089 3090 4035a0 FreeLibrary GlobalFree 3089->3090 3091 403565 3089->3091 3090->3090 3090->3091 3092 405454 3091->3092 3093 405712 18 API calls 3092->3093 3094 405474 3093->3094 3095 405493 3094->3095 3096 40547c DeleteFileA 3094->3096 3099 4055cb 3095->3099 3132 405b77 lstrcpynA 3095->3132 3097 4033a9 OleUninitialize 3096->3097 3097->2809 3097->2810 3099->3097 3103 4055c1 3099->3103 3100 4054b9 3101 4054cc 3100->3101 3102 4054bf lstrcatA 3100->3102 3105 40566b 2 API calls 3101->3105 3104 4054d2 3102->3104 3103->3099 3142 405e7b FindFirstFileA 3103->3142 3107 4054e0 lstrcatA 3104->3107 3108 4054d7 3104->3108 3105->3104 3110 4054eb lstrlenA 
FindFirstFileA 3107->3110 3108->3107 3108->3110 3110->3103 3130 40550f 3110->3130 3111 405624 3 API calls 3112 4055ef 3111->3112 3114 40540c 5 API calls 3112->3114 3113 40564f CharNextA 3113->3130 3115 4055fb 3114->3115 3116 405615 3115->3116 3119 4055ff 3115->3119 3120 404e84 25 API calls 3116->3120 3117 4055a0 FindNextFileA 3121 4055b8 FindClose 3117->3121 3117->3130 3119->3097 3122 404e84 25 API calls 3119->3122 3120->3097 3121->3103 3123 40560c 3122->3123 3124 405a2b 40 API calls 3123->3124 3127 405613 3124->3127 3126 405454 64 API calls 3126->3130 3127->3097 3128 404e84 25 API calls 3128->3117 3129 404e84 25 API calls 3129->3130 3130->3113 3130->3117 3130->3126 3130->3128 3130->3129 3131 405a2b 40 API calls 3130->3131 3133 405b77 lstrcpynA 3130->3133 3134 40540c 3130->3134 3131->3130 3132->3100 3133->3130 3145 405800 GetFileAttributesA 3134->3145 3137 405439 3137->3130 3138 405427 RemoveDirectoryA 3140 405435 3138->3140 3139 40542f DeleteFileA 3139->3140 3140->3137 3141 405445 SetFileAttributesA 3140->3141 3141->3137 3143 405e91 FindClose 3142->3143 3144 4055e5 3142->3144 3143->3144 3144->3097 3144->3111 3146 405812 SetFileAttributesA 3145->3146 3147 405418 3145->3147 3146->3147 3147->3137 3147->3138 3147->3139 3148->2914 3150 4056d8 3149->3150 3152 4056e8 3149->3152 3151 4056e3 CharNextA 3150->3151 3150->3152 3154 405708 3151->3154 3153 40564f CharNextA 3152->3153 3152->3154 3153->3152 3154->2917 3154->2918 3155->2938 3157 405a91 RegQueryValueExA 3156->3157 3158 403679 3156->3158 3159 405ab2 RegCloseKey 3157->3159 3158->2937 3158->2939 3159->3158 3162 4038fb 3161->3162 3178 405ad5 wsprintfA 3162->3178 3164 40396c 3165 405b99 18 API calls 3164->3165 3166 403978 SetWindowTextA 3165->3166 3167 403994 3166->3167 3168 4036a7 3166->3168 3167->3168 3169 405b99 18 API calls 3167->3169 3168->2942 3169->3167 3170->2944 3179 403ed3 3171->3179 3173 404fa0 3174 403ed3 SendMessageA 3173->3174 3176 404fb2 OleUninitialize 3174->3176 3175 404f79 3175->3173 3182 401389 
3175->3182 3176->2977 3178->3164 3180 403eeb 3179->3180 3181 403edc SendMessageA 3179->3181 3180->3175 3181->3180 3184 401390 3182->3184 3183 4013fe 3183->3175 3184->3183 3185 4013cb MulDiv SendMessageA 3184->3185 3185->3184 3186->2994 3187->2994 3188->2987 3190 4058c6 3189->3190 3191 4058ec GetShortPathNameA 3189->3191 3213 405825 GetFileAttributesA CreateFileA 3190->3213 3193 405901 3191->3193 3194 405a25 3191->3194 3193->3194 3196 405909 wsprintfA 3193->3196 3194->3007 3195 4058d0 CloseHandle GetShortPathNameA 3195->3194 3197 4058e4 3195->3197 3198 405b99 18 API calls 3196->3198 3197->3191 3197->3194 3199 405931 3198->3199 3214 405825 GetFileAttributesA CreateFileA 3199->3214 3201 40593e 3201->3194 3202 40594d GetFileSize GlobalAlloc 3201->3202 3203 405a1e CloseHandle 3202->3203 3204 40596f ReadFile 3202->3204 3203->3194 3204->3203 3205 405987 3204->3205 3205->3203 3215 40578a lstrlenA 3205->3215 3208 4059a0 lstrcpyA 3211 4059c2 3208->3211 3209 4059b4 3210 40578a 4 API calls 3209->3210 3210->3211 3212 4059f9 SetFilePointer WriteFile GlobalFree 3211->3212 3212->3203 3213->3195 3214->3201 3216 4057cb lstrlenA 3215->3216 3217 4057d3 3216->3217 3218 4057a4 lstrcmpiA 3216->3218 3217->3208 3217->3209 3218->3217 3219 4057c2 CharNextA 3218->3219 3219->3216 3563 4014f0 SetForegroundWindow 3564 40289c 3563->3564 3565 401af0 3566 402a07 18 API calls 3565->3566 3567 401af7 3566->3567 3568 4029ea 18 API calls 3567->3568 3569 401b00 wsprintfA 3568->3569 3570 40289c 3569->3570 3571 4019f1 3572 402a07 18 API calls 3571->3572 3573 4019fa ExpandEnvironmentStringsA 3572->3573 3574 401a0e 3573->3574 3576 401a21 3573->3576 3575 401a13 lstrcmpA 3574->3575 3574->3576 3575->3576 3577 402877 SendMessageA 3578 402891 InvalidateRect 3577->3578 3579 40289c 3577->3579 3578->3579 3580 401c78 3581 4029ea 18 API calls 3580->3581 3582 401c7e IsWindow 3581->3582 3583 4019e1 3582->3583 3584 404df8 3585 404e08 3584->3585 3586 404e1c 3584->3586 3588 404e65 3585->3588 3589 404e0e 3585->3589 3587 
404e24 IsWindowVisible 3586->3587 3595 404e3b 3586->3595 3587->3588 3590 404e31 3587->3590 3591 404e6a CallWindowProcA 3588->3591 3592 403ed3 SendMessageA 3589->3592 3597 40474f SendMessageA 3590->3597 3593 404e18 3591->3593 3592->3593 3595->3591 3602 4047cf 3595->3602 3598 404772 GetMessagePos ScreenToClient SendMessageA 3597->3598 3599 4047ae SendMessageA 3597->3599 3600 4047a6 3598->3600 3601 4047ab 3598->3601 3599->3600 3600->3595 3601->3599 3611 405b77 lstrcpynA 3602->3611 3604 4047e2 3612 405ad5 wsprintfA 3604->3612 3606 4047ec 3607 40140b 2 API calls 3606->3607 3608 4047f5 3607->3608 3613 405b77 lstrcpynA 3608->3613 3610 4047fc 3610->3588 3611->3604 3612->3606 3613->3610 3614 40227d 3615 402a07 18 API calls 3614->3615 3616 40228e 3615->3616 3617 402a07 18 API calls 3616->3617 3618 402297 3617->3618 3619 402a07 18 API calls 3618->3619 3620 4022a1 GetPrivateProfileStringA 3619->3620 3621 40427e 3622 4042b4 3621->3622 3623 40428e 3621->3623 3625 403eee 8 API calls 3622->3625 3624 403e87 19 API calls 3623->3624 3626 40429b SetDlgItemTextA 3624->3626 3627 4042c0 3625->3627 3626->3622 3628 4014fe 3629 401506 3628->3629 3631 401519 3628->3631 3630 4029ea 18 API calls 3629->3630 3630->3631 3632 401000 3633 401037 BeginPaint GetClientRect 3632->3633 3634 40100c DefWindowProcA 3632->3634 3635 4010f3 3633->3635 3637 401179 3634->3637 3638 401073 CreateBrushIndirect FillRect DeleteObject 3635->3638 3639 4010fc 3635->3639 3638->3635 3640 401102 CreateFontIndirectA 3639->3640 3641 401167 EndPaint 3639->3641 3640->3641 3642 401112 6 API calls 3640->3642 3641->3637 3642->3641 3643 404801 GetDlgItem GetDlgItem 3644 404853 7 API calls 3643->3644 3650 404a6b 3643->3650 3645 4048f6 DeleteObject 3644->3645 3646 4048e9 SendMessageA 3644->3646 3647 4048ff 3645->3647 3646->3645 3648 404936 3647->3648 3649 405b99 18 API calls 3647->3649 3651 403e87 19 API calls 3648->3651 3654 404918 SendMessageA SendMessageA 3649->3654 3653 404b4f 3650->3653 3660 40474f 5 API calls 3650->3660 3676 
404adc 3650->3676 3656 40494a 3651->3656 3652 404bfb 3655 404c05 SendMessageA 3652->3655 3659 404c0d 3652->3659 3653->3652 3662 404ba8 SendMessageA 3653->3662 3686 404a5e 3653->3686 3654->3647 3655->3659 3661 403e87 19 API calls 3656->3661 3657 403eee 8 API calls 3663 404df1 3657->3663 3658 404b41 SendMessageA 3658->3653 3664 404c26 3659->3664 3665 404c1f ImageList_Destroy 3659->3665 3672 404c36 3659->3672 3660->3676 3677 404958 3661->3677 3667 404bbd SendMessageA 3662->3667 3662->3686 3668 404c2f GlobalFree 3664->3668 3664->3672 3665->3664 3666 404da5 3673 404db7 ShowWindow GetDlgItem ShowWindow 3666->3673 3666->3686 3670 404bd0 3667->3670 3668->3672 3669 404a2c GetWindowLongA SetWindowLongA 3671 404a45 3669->3671 3678 404be1 SendMessageA 3670->3678 3674 404a63 3671->3674 3675 404a4b ShowWindow 3671->3675 3672->3666 3685 4047cf 4 API calls 3672->3685 3689 404c71 3672->3689 3673->3686 3695 403ebc SendMessageA 3674->3695 3694 403ebc SendMessageA 3675->3694 3676->3653 3676->3658 3677->3669 3679 404a26 3677->3679 3682 4049a7 SendMessageA 3677->3682 3683 4049e3 SendMessageA 3677->3683 3684 4049f4 SendMessageA 3677->3684 3678->3652 3679->3669 3679->3671 3682->3677 3683->3677 3684->3677 3685->3689 3686->3657 3687 404d7b InvalidateRect 3687->3666 3688 404d91 3687->3688 3691 40466d 21 API calls 3688->3691 3690 404c9f SendMessageA 3689->3690 3693 404cb5 3689->3693 3690->3693 3691->3666 3692 404d29 SendMessageA SendMessageA 3692->3693 3693->3687 3693->3692 3694->3686 3695->3650 3696 401705 3697 402a07 18 API calls 3696->3697 3698 40170c SearchPathA 3697->3698 3699 401727 3698->3699 3700 404607 3701 404633 3700->3701 3702 404617 3700->3702 3704 404666 3701->3704 3705 404639 SHGetPathFromIDListA 3701->3705 3711 40538c GetDlgItemTextA 3702->3711 3707 404649 3705->3707 3710 404650 SendMessageA 3705->3710 3706 404624 SendMessageA 3706->3701 3708 40140b 2 API calls 3707->3708 3708->3710 3710->3704 3711->3706 3712 402188 3713 402a07 18 API calls 3712->3713 3714 40218e 3713->3714 
3715 402a07 18 API calls 3714->3715 3716 402197 3715->3716 3717 402a07 18 API calls 3716->3717 3718 4021a0 3717->3718 3719 405e7b 2 API calls 3718->3719 3720 4021a9 3719->3720 3721 4021ba lstrlenA lstrlenA 3720->3721 3722 4021ad 3720->3722 3724 404e84 25 API calls 3721->3724 3723 404e84 25 API calls 3722->3723 3725 4021b5 3722->3725 3723->3725 3726 4021f6 SHFileOperationA 3724->3726 3726->3722 3726->3725 3727 40220a 3728 402211 3727->3728 3731 402224 3727->3731 3729 405b99 18 API calls 3728->3729 3730 40221e 3729->3730 3732 4053a8 MessageBoxIndirectA 3730->3732 3732->3731 3733 40260c 3734 402613 3733->3734 3735 40289c 3733->3735 3736 402619 FindClose 3734->3736 3736->3735 3737 40268d 3738 402a07 18 API calls 3737->3738 3740 40269b 3738->3740 3739 4026b1 3741 405800 2 API calls 3739->3741 3740->3739 3742 402a07 18 API calls 3740->3742 3743 4026b7 3741->3743 3742->3739 3763 405825 GetFileAttributesA CreateFileA 3743->3763 3745 4026c4 3746 4026d0 GlobalAlloc 3745->3746 3747 40276d 3745->3747 3748 402764 CloseHandle 3746->3748 3749 4026e9 3746->3749 3750 402775 DeleteFileA 3747->3750 3751 402788 3747->3751 3748->3747 3764 4030a4 SetFilePointer 3749->3764 3750->3751 3753 4026ef 3754 403072 ReadFile 3753->3754 3755 4026f8 GlobalAlloc 3754->3755 3756 402708 3755->3756 3757 40273c WriteFile GlobalFree 3755->3757 3759 402e6c 33 API calls 3756->3759 3758 402e6c 33 API calls 3757->3758 3760 402761 3758->3760 3762 402715 3759->3762 3760->3748 3761 402733 GlobalFree 3761->3757 3762->3761 3763->3745 3764->3753 3765 40278e 3766 4029ea 18 API calls 3765->3766 3767 402794 3766->3767 3768 4027b8 3767->3768 3769 4027cf 3767->3769 3772 40266d 3767->3772 3773 4027bd 3768->3773 3774 4027cc 3768->3774 3770 4027e5 3769->3770 3771 4027d9 3769->3771 3776 405b99 18 API calls 3770->3776 3775 4029ea 18 API calls 3771->3775 3779 405b77 lstrcpynA 3773->3779 3774->3772 3780 405ad5 wsprintfA 3774->3780 3775->3774 3776->3774 3779->3772 3780->3772 3781 401490 3782 404e84 25 API calls 3781->3782 3783 
401497 3782->3783 3784 401b11 3785 401b62 3784->3785 3786 401b1e 3784->3786 3787 401b8b GlobalAlloc 3785->3787 3788 401b66 3785->3788 3792 401b35 3786->3792 3794 401ba6 3786->3794 3789 405b99 18 API calls 3787->3789 3797 402224 3788->3797 3805 405b77 lstrcpynA 3788->3805 3789->3794 3790 405b99 18 API calls 3791 40221e 3790->3791 3798 4053a8 MessageBoxIndirectA 3791->3798 3803 405b77 lstrcpynA 3792->3803 3794->3790 3794->3797 3796 401b78 GlobalFree 3796->3797 3798->3797 3799 401b44 3804 405b77 lstrcpynA 3799->3804 3801 401b53 3806 405b77 lstrcpynA 3801->3806 3803->3799 3804->3801 3805->3796 3806->3797 3807 402814 3808 4029ea 18 API calls 3807->3808 3809 40281a 3808->3809 3810 40284b 3809->3810 3811 40266d 3809->3811 3813 402828 3809->3813 3810->3811 3812 405b99 18 API calls 3810->3812 3812->3811 3813->3811 3815 405ad5 wsprintfA 3813->3815 3815->3811 3816 401595 3817 402a07 18 API calls 3816->3817 3818 40159c SetFileAttributesA 3817->3818 3819 4015ae 3818->3819 3820 401c95 3821 4029ea 18 API calls 3820->3821 3822 401c9c 3821->3822 3823 4029ea 18 API calls 3822->3823 3824 401ca4 GetDlgItem 3823->3824 3825 4024c9 3824->3825 3826 402517 3827 4029ea 18 API calls 3826->3827 3833 402521 3827->3833 3828 402597 3829 402555 ReadFile 3829->3828 3829->3833 3830 402599 3835 405ad5 wsprintfA 3830->3835 3832 4025a9 3832->3828 3834 4025bf SetFilePointer 3832->3834 3833->3828 3833->3829 3833->3830 3833->3832 3834->3828 3835->3828 3842 40231a 3843 402320 3842->3843 3844 402a07 18 API calls 3843->3844 3845 402332 3844->3845 3846 402a07 18 API calls 3845->3846 3847 40233c RegCreateKeyExA 3846->3847 3848 402366 3847->3848 3849 40289c 3847->3849 3850 40237e 3848->3850 3851 402a07 18 API calls 3848->3851 3852 40238a 3850->3852 3855 4029ea 18 API calls 3850->3855 3854 402377 lstrlenA 3851->3854 3853 4023a5 RegSetValueExA 3852->3853 3856 402e6c 33 API calls 3852->3856 3857 4023bb RegCloseKey 3853->3857 3854->3850 3855->3852 3856->3853 3857->3849 3859 403f9b lstrcpynA lstrlenA 3860 4016a1 
3861 402a07 18 API calls 3860->3861 3862 4016a7 GetFullPathNameA 3861->3862 3863 4016be 3862->3863 3864 4016df 3862->3864 3863->3864 3867 405e7b 2 API calls 3863->3867 3865 4016f3 GetShortPathNameA 3864->3865 3866 40289c 3864->3866 3865->3866 3868 4016cf 3867->3868 3868->3864 3870 405b77 lstrcpynA 3868->3870 3870->3864 3871 401d26 GetDC GetDeviceCaps 3872 4029ea 18 API calls 3871->3872 3873 401d44 MulDiv ReleaseDC 3872->3873 3874 4029ea 18 API calls 3873->3874 3875 401d63 3874->3875 3876 405b99 18 API calls 3875->3876 3877 401d9c CreateFontIndirectA 3876->3877 3878 4024c9 3877->3878 3879 402626 3880 402629 3879->3880 3881 402641 3879->3881 3882 402636 FindNextFileA 3880->3882 3882->3881 3883 402680 3882->3883 3885 405b77 lstrcpynA 3883->3885 3885->3881 3886 40172c 3887 402a07 18 API calls 3886->3887 3888 401733 3887->3888 3889 405854 2 API calls 3888->3889 3890 40173a 3889->3890 3890->3890 3891 401dac 3892 4029ea 18 API calls 3891->3892 3893 401db2 3892->3893 3894 4029ea 18 API calls 3893->3894 3895 401dbb 3894->3895 3896 401dc2 ShowWindow 3895->3896 3897 401dcd EnableWindow 3895->3897 3898 40289c 3896->3898 3897->3898 3899 401eac 3900 402a07 18 API calls 3899->3900 3901 401eb3 3900->3901 3902 405e7b 2 API calls 3901->3902 3903 401eb9 3902->3903 3905 401ecb 3903->3905 3906 405ad5 wsprintfA 3903->3906 3906->3905 3907 40192d 3908 402a07 18 API calls 3907->3908 3909 401934 lstrlenA 3908->3909 3910 4024c9 3909->3910 3911 4024ad 3912 402a07 18 API calls 3911->3912 3913 4024b4 3912->3913 3916 405825 GetFileAttributesA CreateFileA 3913->3916 3915 4024c0 3916->3915 3917 401cb0 3918 4029ea 18 API calls 3917->3918 3919 401cc0 SetWindowLongA 3918->3919 3920 40289c 3919->3920 3921 401a31 3922 4029ea 18 API calls 3921->3922 3923 401a37 3922->3923 3924 4029ea 18 API calls 3923->3924 3925 4019e1 3924->3925 3926 401e32 3927 402a07 18 API calls 3926->3927 3928 401e38 3927->3928 3929 404e84 25 API calls 3928->3929 3930 401e42 3929->3930 3931 405347 2 API calls 3930->3931 3935 401e48 
3931->3935 3932 401e9e CloseHandle 3934 40266d 3932->3934 3933 401e67 WaitForSingleObject 3933->3935 3936 401e75 GetExitCodeProcess 3933->3936 3935->3932 3935->3933 3935->3934 3937 405edb 2 API calls 3935->3937 3938 401e87 3936->3938 3940 401e90 3936->3940 3937->3933 3941 405ad5 wsprintfA 3938->3941 3940->3932 3941->3940 3942 4015b3 3943 402a07 18 API calls 3942->3943 3944 4015ba 3943->3944 3945 4056bd 4 API calls 3944->3945 3957 4015c2 3945->3957 3946 40160a 3947 401638 3946->3947 3948 40160f 3946->3948 3953 401423 25 API calls 3947->3953 3950 401423 25 API calls 3948->3950 3949 40564f CharNextA 3951 4015d0 CreateDirectoryA 3949->3951 3952 401616 3950->3952 3954 4015e5 GetLastError 3951->3954 3951->3957 3960 405b77 lstrcpynA 3952->3960 3959 401630 3953->3959 3956 4015f2 GetFileAttributesA 3954->3956 3954->3957 3956->3957 3957->3946 3957->3949 3958 401621 SetCurrentDirectoryA 3958->3959 3960->3958 3961 4039b4 3962 403b07 3961->3962 3963 4039cc 3961->3963 3965 403b58 3962->3965 3966 403b18 GetDlgItem GetDlgItem 3962->3966 3963->3962 3964 4039d8 3963->3964 3968 4039e3 SetWindowPos 3964->3968 3969 4039f6 3964->3969 3967 403bb2 3965->3967 3978 401389 2 API calls 3965->3978 3970 403e87 19 API calls 3966->3970 3971 403ed3 SendMessageA 3967->3971 3979 403b02 3967->3979 3968->3969 3972 403a13 3969->3972 3973 4039fb ShowWindow 3969->3973 3974 403b42 SetClassLongA 3970->3974 3998 403bc4 3971->3998 3975 403a35 3972->3975 3976 403a1b DestroyWindow 3972->3976 3973->3972 3977 40140b 2 API calls 3974->3977 3980 403a3a SetWindowLongA 3975->3980 3981 403a4b 3975->3981 4028 403e10 3976->4028 3977->3965 3982 403b8a 3978->3982 3980->3979 3983 403ac2 3981->3983 3984 403a57 GetDlgItem 3981->3984 3982->3967 3985 403b8e SendMessageA 3982->3985 3990 403eee 8 API calls 3983->3990 3988 403a87 3984->3988 3989 403a6a SendMessageA IsWindowEnabled 3984->3989 3985->3979 3986 40140b 2 API calls 3986->3998 3987 403e12 DestroyWindow EndDialog 3987->4028 3993 403a94 3988->3993 3996 403adb 
SendMessageA 3988->3996 3997 403aa7 3988->3997 4003 403a8c 3988->4003 3989->3979 3989->3988 3990->3979 3991 403e41 ShowWindow 3991->3979 3992 405b99 18 API calls 3992->3998 3993->3996 3993->4003 3994 403e60 SendMessageA 3994->3983 3995 403e87 19 API calls 3995->3998 3996->3983 3999 403ac4 3997->3999 4000 403aaf 3997->4000 3998->3979 3998->3986 3998->3987 3998->3992 3998->3995 4004 403e87 19 API calls 3998->4004 4019 403d52 DestroyWindow 3998->4019 4001 40140b 2 API calls 3999->4001 4002 40140b 2 API calls 4000->4002 4001->4003 4002->4003 4003->3983 4003->3994 4005 403c3f GetDlgItem 4004->4005 4006 403c54 4005->4006 4007 403c5c ShowWindow EnableWindow 4005->4007 4006->4007 4029 403ea9 EnableWindow 4007->4029 4009 403c86 EnableWindow 4012 403c9a 4009->4012 4010 403c9f GetSystemMenu EnableMenuItem SendMessageA 4011 403ccf SendMessageA 4010->4011 4010->4012 4011->4012 4012->4010 4030 403ebc SendMessageA 4012->4030 4031 405b77 lstrcpynA 4012->4031 4015 403cfd lstrlenA 4016 405b99 18 API calls 4015->4016 4017 403d0e SetWindowTextA 4016->4017 4018 401389 2 API calls 4017->4018 4018->3998 4020 403d6c CreateDialogParamA 4019->4020 4019->4028 4021 403d9f 4020->4021 4020->4028 4022 403e87 19 API calls 4021->4022 4023 403daa GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4022->4023 4024 401389 2 API calls 4023->4024 4025 403df0 4024->4025 4025->3979 4026 403df8 ShowWindow 4025->4026 4027 403ed3 SendMessageA 4026->4027 4027->4028 4028->3979 4028->3991 4029->4009 4030->4012 4031->4015 4032 402036 4033 402a07 18 API calls 4032->4033 4034 40203d 4033->4034 4035 402a07 18 API calls 4034->4035 4036 402047 4035->4036 4037 402a07 18 API calls 4036->4037 4038 402050 4037->4038 4039 402a07 18 API calls 4038->4039 4040 40205a 4039->4040 4041 402a07 18 API calls 4040->4041 4042 402064 4041->4042 4043 402078 CoCreateInstance 4042->4043 4044 402a07 18 API calls 4042->4044 4047 402097 4043->4047 4049 40214d 4043->4049 4044->4043 4045 401423 25 API calls 4046 40217f 4045->4046 4048 
40212c MultiByteToWideChar 4047->4048 4047->4049 4048->4049 4049->4045 4049->4046 4050 4014b7 4051 4014bd 4050->4051 4052 401389 2 API calls 4051->4052 4053 4014c5 4052->4053 4054 402438 4055 402b11 19 API calls 4054->4055 4056 402442 4055->4056 4057 4029ea 18 API calls 4056->4057 4058 40244b 4057->4058 4059 40266d 4058->4059 4060 402462 RegEnumKeyA 4058->4060 4061 40246e RegEnumValueA 4058->4061 4062 402487 RegCloseKey 4060->4062 4061->4059 4061->4062 4062->4059 4064 401bb8 4065 4029ea 18 API calls 4064->4065 4066 401bbf 4065->4066 4067 4029ea 18 API calls 4066->4067 4068 401bc9 4067->4068 4069 401bd9 4068->4069 4070 402a07 18 API calls 4068->4070 4071 401be9 4069->4071 4074 402a07 18 API calls 4069->4074 4070->4069 4072 401bf4 4071->4072 4073 401c38 4071->4073 4075 4029ea 18 API calls 4072->4075 4076 402a07 18 API calls 4073->4076 4074->4071 4077 401bf9 4075->4077 4078 401c3d 4076->4078 4079 4029ea 18 API calls 4077->4079 4080 402a07 18 API calls 4078->4080 4081 401c02 4079->4081 4082 401c46 FindWindowExA 4080->4082 4083 401c28 SendMessageA 4081->4083 4084 401c0a SendMessageTimeoutA 4081->4084 4085 401c64 4082->4085 4083->4085 4084->4085 4086 402239 4087 402241 4086->4087 4088 402247 4086->4088 4089 402a07 18 API calls 4087->4089 4090 402a07 18 API calls 4088->4090 4091 402257 4088->4091 4089->4088 4090->4091 4092 402a07 18 API calls 4091->4092 4094 402265 4091->4094 4092->4094 4093 402a07 18 API calls 4095 40226e WritePrivateProfileStringA 4093->4095 4094->4093 4096 4022be 4097 4022c3 4096->4097 4098 4022ee 4096->4098 4100 402b11 19 API calls 4097->4100 4099 402a07 18 API calls 4098->4099 4101 4022f5 4099->4101 4102 4022ca 4100->4102 4107 402a47 RegOpenKeyExA 4101->4107 4103 402a07 18 API calls 4102->4103 4106 40230b 4102->4106 4104 4022db RegDeleteValueA RegCloseKey 4103->4104 4104->4106 4110 402a72 4107->4110 4115 402abe 4107->4115 4108 402a98 RegEnumKeyA 4109 402aaa RegCloseKey 4108->4109 4108->4110 4112 405ea2 3 API calls 4109->4112 4110->4108 4110->4109 
4111 402acf RegCloseKey 4110->4111 4113 402a47 3 API calls 4110->4113 4111->4115 4114 402aba 4112->4114 4113->4110 4114->4115 4116 402aea RegDeleteKeyA 4114->4116 4115->4106 4116->4115 4117 40163f 4118 402a07 18 API calls 4117->4118 4119 401645 4118->4119 4120 405e7b 2 API calls 4119->4120 4121 40164b 4120->4121 4122 40173f 4123 402a07 18 API calls 4122->4123 4124 401746 4123->4124 4125 401764 4124->4125 4126 40176c 4124->4126 4160 405b77 lstrcpynA 4125->4160 4161 405b77 lstrcpynA 4126->4161 4129 40176a 4132 405de2 5 API calls 4129->4132 4130 401777 4131 405624 3 API calls 4130->4131 4133 40177d lstrcatA 4131->4133 4153 401789 4132->4153 4133->4129 4134 405e7b 2 API calls 4134->4153 4135 405800 2 API calls 4135->4153 4137 4017a0 CompareFileTime 4137->4153 4138 401864 4139 404e84 25 API calls 4138->4139 4140 40186e 4139->4140 4142 402e6c 33 API calls 4140->4142 4141 404e84 25 API calls 4147 401850 4141->4147 4143 401881 4142->4143 4144 401895 SetFileTime 4143->4144 4146 4018a7 CloseHandle 4143->4146 4144->4146 4145 405b99 18 API calls 4145->4153 4146->4147 4148 4018b8 4146->4148 4150 4018d0 4148->4150 4151 4018bd 4148->4151 4149 405b77 lstrcpynA 4149->4153 4152 405b99 18 API calls 4150->4152 4154 405b99 18 API calls 4151->4154 4155 4018d8 4152->4155 4153->4134 4153->4135 4153->4137 4153->4138 4153->4145 4153->4149 4156 4053a8 MessageBoxIndirectA 4153->4156 4159 40183b 4153->4159 4162 405825 GetFileAttributesA CreateFileA 4153->4162 4157 4018c5 lstrcatA 4154->4157 4158 4053a8 MessageBoxIndirectA 4155->4158 4156->4153 4157->4155 4158->4147 4159->4141 4159->4147 4160->4129 4161->4130 4162->4153 4163 40193f 4164 4029ea 18 API calls 4163->4164 4165 401946 4164->4165 4166 4029ea 18 API calls 4165->4166 4167 401950 4166->4167 4168 402a07 18 API calls 4167->4168 4169 401959 4168->4169 4170 40196c lstrlenA 4169->4170 4171 4019a7 4169->4171 4172 401976 4170->4172 4172->4171 4176 405b77 lstrcpynA 4172->4176 4174 401990 4174->4171 4175 40199d lstrlenA 4174->4175 4175->4171 
4176->4174

              Control-flow Graph
              Function 004030EF (block-level graph data of the interactive viewer omitted; executed and not-executed blocks are distinguished only in that rendering). The entry block calls #17 (COMCTL32), SetErrorMode, OleInitialize, SHGetFileInfoA, GetCommandLineA and GetModuleHandleA, then resolves the temp directory (GetTempPathA, GetWindowsDirectoryA, lstrcatA, SetEnvironmentVariableA) before reaching the paths that end in ExitProcess or ExitWindowsEx.
              APIs
              • #17.COMCTL32 ref: 00403110
              • SetErrorMode.KERNELBASE(00008001), ref: 0040311B
              • OleInitialize.OLE32(00000000), ref: 00403122
                • Part of subcall function 00405EA2: GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                • Part of subcall function 00405EA2: LoadLibraryA.KERNELBASE(?,?,?,00403134,00000008), ref: 00405EBF
                • Part of subcall function 00405EA2: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
              • SHGetFileInfoA.SHELL32(0079DCB8,00000000,?,00000160,00000000,00000008), ref: 0040314A
                • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
              • GetCommandLineA.KERNEL32(007A1F00,NSIS Error), ref: 0040315F
              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\4NsDuAp8TA.exe",00000000), ref: 00403172
              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\4NsDuAp8TA.exe",00000020), ref: 0040319D
              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403295
              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032A6
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032B2
              • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032C6
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032CE
              • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032DF
              • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032E7
              • DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsi56C.tmp), ref: 004032FB
              • OleUninitialize.OLE32(?), ref: 004033A9
              • ExitProcess.KERNEL32 ref: 004033C9
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\4NsDuAp8TA.exe",00000000,?), ref: 004033D5
              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033E1
              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033ED
              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033F4
              • DeleteFileA.KERNEL32(0079D8B8,0079D8B8,?,007A3000,?), ref: 0040344D
              • CopyFileA.KERNEL32(C:\Users\user\Desktop\4NsDuAp8TA.exe,0079D8B8,00000001), ref: 00403461
              • CloseHandle.KERNEL32(00000000,0079D8B8,0079D8B8,?,0079D8B8,00000000), ref: 0040348E
              • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004034E3
              • ExitWindowsEx.USER32(00000002,00000000), ref: 0040351F
              • ExitProcess.KERNEL32 ref: 00403542
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
              • String ID: "$"C:\Users\user\Desktop\4NsDuAp8TA.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsi56C.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\4NsDuAp8TA.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
              • API String ID: 4107622049-3618925605
              • Opcode ID: bb2f33ecdff20610578708f8948ad051a470c2b479a9dfe6989223ef90e98589
              • Instruction ID: 3931d960d2cecc16523f178db0b803f8d2f925e5e1ab1ff86deffc182e7e2b76
              • Opcode Fuzzy Hash: bb2f33ecdff20610578708f8948ad051a470c2b479a9dfe6989223ef90e98589
              • Instruction Fuzzy Hash: 01B10A709083816EE7116F755C4DA2B7EE8EB86306F04457EF181B62E2C77C9A05CB6E

              Control-flow Graph

              control_flow_graph 197 405ea2-405ebc GetModuleHandleA 198 405ec9-405ed0 GetProcAddress 197->198 199 405ebe-405ec7 LoadLibraryA 197->199 200 405ed6-405ed8 198->200 199->198 199->200
              APIs
              • GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
              • LoadLibraryA.KERNELBASE(?,?,?,00403134,00000008), ref: 00405EBF
              • GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
              Similarity
              • API ID: AddressHandleLibraryLoadModuleProc
              • String ID:
              • API String ID: 310444273-0
              • Opcode ID: 054130f1168f4888e0973aa3cf4ac603bfb450dfe6f2d22fd482d5db7ed26554
              • Instruction ID: 2f3dee603afa82187d4e64c95529cacee06f2ec99598d25ed76f38a586475c1c
              • Opcode Fuzzy Hash: 054130f1168f4888e0973aa3cf4ac603bfb450dfe6f2d22fd482d5db7ed26554
              • Instruction Fuzzy Hash: FBE08C32A04610ABC6209B209D0896B77ACEB88B41300497EF945F6151D734AC119BBA

              Control-flow Graph

              control_flow_graph 113 402c33-402c81 GetTickCount GetModuleFileNameA call 405825 116 402c83-402c88 113->116 117 402c8d-402cbb call 405b77 call 40566b call 405b77 GetFileSize 113->117 118 402e65-402e69 116->118 125 402cc1 117->125 126 402da8-402db6 call 402bcf 117->126 128 402cc6-402cdd 125->128 132 402db8-402dbb 126->132 133 402e0b-402e10 126->133 130 402ce1-402ce3 call 403072 128->130 131 402cdf 128->131 137 402ce8-402cea 130->137 131->130 135 402dbd-402dd5 call 4030a4 call 403072 132->135 136 402ddf-402e09 GlobalAlloc call 4030a4 call 402e6c 132->136 133->118 135->133 161 402dd7-402ddd 135->161 136->133 160 402e1c-402e2d 136->160 139 402cf0-402cf7 137->139 140 402e12-402e1a call 402bcf 137->140 144 402d73-402d77 139->144 145 402cf9-402d0d call 4057e0 139->145 140->133 149 402d81-402d87 144->149 150 402d79-402d80 call 402bcf 144->150 145->149 164 402d0f-402d16 145->164 155 402d96-402da0 149->155 156 402d89-402d93 call 405f14 149->156 150->149 155->128 159 402da6 155->159 156->155 159->126 165 402e35-402e3a 160->165 166 402e2f 160->166 161->133 161->136 164->149 168 402d18-402d1f 164->168 170 402e3b-402e41 165->170 166->165 168->149 169 402d21-402d28 168->169 169->149 171 402d2a-402d31 169->171 170->170 172 402e43-402e63 SetFilePointer call 4057e0 170->172 171->149 173 402d33-402d53 171->173 172->118 173->133 175 402d59-402d5d 173->175 177 402d65-402d6d 175->177 178 402d5f-402d63 175->178 177->149 179 402d6f-402d71 177->179 178->159 178->177 179->149
              APIs
              • GetTickCount.KERNEL32 ref: 00402C44
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\4NsDuAp8TA.exe,00000400), ref: 00402C60
                • Part of subcall function 00405825: GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\4NsDuAp8TA.exe,80000000,00000003), ref: 00405829
                • Part of subcall function 00405825: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
              • GetFileSize.KERNEL32(00000000,00000000,007AA000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4NsDuAp8TA.exe,C:\Users\user\Desktop\4NsDuAp8TA.exe,80000000,00000003), ref: 00402CAC
              Strings
              • Error launching installer, xrefs: 00402C83
              • C:\Users\user\Desktop\4NsDuAp8TA.exe, xrefs: 00402C4A, 00402C59, 00402C6D, 00402C8D
              • Null, xrefs: 00402D2A
              • C:\Users\user\Desktop, xrefs: 00402C8E, 00402C93, 00402C99
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
              • "C:\Users\user\Desktop\4NsDuAp8TA.exe", xrefs: 00402C33
              • soft, xrefs: 00402D21
              • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402E0B
              • Inst, xrefs: 00402D18
              Similarity
              • API ID: File$AttributesCountCreateModuleNameSizeTick
              • String ID: "C:\Users\user\Desktop\4NsDuAp8TA.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\4NsDuAp8TA.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
              • API String ID: 4283519449-3959419485
              • Opcode ID: 8615a0d7497347a6936d50477fdbb3dffcc1fd598afdbcafc3831bfd5a2cc2dc
              • Instruction ID: 9cc68cb9a8033aa8cfa9fb84db7bfe2d2ab72e09e198f7c7f71ed61724ba903c
              • Opcode Fuzzy Hash: 8615a0d7497347a6936d50477fdbb3dffcc1fd598afdbcafc3831bfd5a2cc2dc
              • Instruction Fuzzy Hash: 74510471D40204ABDB209F65DE89B6E7BA8EF40354F14403BFA04B62D1C7BC9E418BAD
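The function at 00402C33 above is the stub's header locator: it opens its own image (GetModuleFileNameA, then the CreateFileA/GetFileSize pair), walks the file looking for the NSIS first-header marker (the 0xDEADBEEF signature followed by "NullsoftInst", which the disassembler shows as the "Null", "soft" and "Inst" fragments at 00402D2A, 00402D21 and 00402D18), and ends in the "Installer integrity check has failed" message when no sane header is found. The Python below is an added example, not part of the report or of NSIS, that performs the same search so an analyst can carve the header out of a sample. The seven-DWORD layout and the 512-byte scan step are taken from the public NSIS stub source; the sample image is constructed inline; and the fit check is a simplified stand-in for the stub's CRC verification (assumption: an installer built without a CRC).

```python
import struct

FH_SIG = 0xDEADBEEF          # firstheader.siginfo in the NSIS stub source
FH_MAGIC = b"NullsoftInst"   # the "Null", "soft", "Inst" fragments in the listing
FH_SIZE = 28                 # flags, siginfo, 3 magic DWORDs, header_len, total_len
SCAN_STEP = 512              # the stub probes only 512-byte aligned offsets


def parse_firstheader(buf, off):
    """Decode a firstheader at buf[off:], or return None if the marker is absent."""
    if off + FH_SIZE > len(buf):
        return None
    flags, sig = struct.unpack_from("<II", buf, off)
    if sig != FH_SIG or buf[off + 8:off + 20] != FH_MAGIC:
        return None
    header_len, total_len = struct.unpack_from("<II", buf, off + 20)
    return {"offset": off, "flags": flags,
            "header_len": header_len, "total_len": total_len}


def find_nsis_firstheader(buf, step=SCAN_STEP):
    """Walk the image the way the stub does: one probe every `step` bytes.

    A marker that is not 512-byte aligned is ignored here exactly as the stub
    ignores it, which is why a plain substring search can disagree with the
    stub about where the payload starts.
    """
    for off in range(0, len(buf), step):
        fh = parse_firstheader(buf, off)
        if fh is not None:
            return fh
    return None


def payload_fits(fh, file_size):
    """Simplified integrity check (assumption: no CRC): the data block announced
    by total_len must lie entirely inside the file, so a truncated download
    fails here the way it fails the stub's own check."""
    return (fh["header_len"] <= fh["total_len"]
            and fh["offset"] + fh["total_len"] <= file_size)


def build_sample(marker_offset=1024, payload=b"\x00" * 64, header_len=40):
    """Constructed test image: fake MZ prefix, a firstheader, then payload bytes."""
    fh = (struct.pack("<II", 0, FH_SIG) + FH_MAGIC
          + struct.pack("<II", header_len, FH_SIZE + len(payload)))
    return b"MZ" + b"\x90" * (marker_offset - 2) + fh + payload


SAMPLE = build_sample()

if __name__ == "__main__":
    found = find_nsis_firstheader(SAMPLE)
    print(found, payload_fits(found, len(SAMPLE)))
```

On a real sample, read the file into `buf` and call `find_nsis_firstheader(buf)`; the returned offset is where the compressed NSIS header and data begin, and `total_len` bounds how much to carve.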

              Control-flow Graph

              control_flow_graph 180 405854-40585e 181 40585f-40588a GetTickCount GetTempFileNameA 180->181 182 405899-40589b 181->182 183 40588c-40588e 181->183 185 405893-405896 182->185 183->181 184 405890 183->184 184->185
              APIs
              • GetTickCount.KERNEL32 ref: 00405868
              • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405882
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: "C:\Users\user\Desktop\4NsDuAp8TA.exe"$C:\Users\user\AppData\Local\Temp\$nsa
              • API String ID: 1716503409-2858627192
              • Opcode ID: 87e393fdd40e1d767205cfde8df7900e21dccd4be60ce2c97c6d908c1bde172d
              • Instruction ID: 7032c49e779d22ef4b019cebcd704e5cdda6a64cd28d021928a5f34cef86c798
              • Opcode Fuzzy Hash: 87e393fdd40e1d767205cfde8df7900e21dccd4be60ce2c97c6d908c1bde172d
              • Instruction Fuzzy Hash: 21F082777082046BDB109F66DC04B9B7B9CDF95750F14C03BFE44DA180D6B499548B59
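The helper at 00405854 is how the stub names its working directory: the prefix handed to GetTempFileNameA is the "nsa" string listed above with its last letter shifted by GetTickCount() % 26, which is why this run landed in C:\Users\user\AppData\Local\Temp\nsi56C.tmp (the main function deletes that file and recreates it as a directory with CreateDirectoryA). The ~nsu.tmp name in the same function is the directory into which an NSIS uninstaller copies itself with CopyFileA before running. The Python below is an added example, not part of the report, that classifies file-create events against those two naming patterns so the working directory of an NSIS process can be pulled out of endpoint telemetry. The pipe-separated "pid|image|target" format and the event lines are constructed for the demo. Both patterns are stock NSIS behaviour, so a hit identifies NSIS packaging, not malicious intent, and has to be paired with the image hash or a verdict on the carved payload.

```python
import re
from collections import defaultdict

# "ns" + one letter from GetTickCount() % 26 + up to four hex digits from GetTempFileNameA
NSIS_WORKDIR = re.compile(r"\\(ns[a-z][0-9a-f]{1,4}\.tmp)(?:\\|$)", re.IGNORECASE)
# directory an NSIS uninstaller copies itself into before running
NSIS_UNINST = re.compile(r"\\(~nsu\.tmp)(?:\\|$)", re.IGNORECASE)

# Constructed events "pid|image|target path" (not real telemetry).
LOG_LINES = [
    r"1124|C:\Users\user\Desktop\4NsDuAp8TA.exe|C:\Users\user\AppData\Local\Temp\nsi56C.tmp",
    r"1124|C:\Users\user\Desktop\4NsDuAp8TA.exe|C:\Users\user\AppData\Local\Temp\nsi56C.tmp\plugin.dll",
    r"2200|C:\Windows\System32\svchost.exe|C:\Windows\Temp\tmp1A2B.tmp",
    r"3310|C:\Program Files\demo\uninstall.exe|C:\Users\user\AppData\Local\Temp\~nsu.tmp\uninstall.exe",
    r"4400|C:\Users\user\Downloads\notes.txt|C:\Users\user\AppData\Local\Temp\nsxyz.tmp",
]


def classify(line):
    """Return (pid, image, kind, name) for an NSIS artefact, None for anything else."""
    pid, image, target = line.split("|", 2)
    m = NSIS_WORKDIR.search(target)
    if m:
        return pid, image, "nsis-workdir", m.group(1)
    m = NSIS_UNINST.search(target)
    if m:
        return pid, image, "nsis-uninstaller-copy", m.group(1)
    return None


def workdirs_by_pid(lines):
    """Map each pid to the set of NSIS temp directory names it created or wrote into."""
    hits = defaultdict(set)
    for line in lines:
        c = classify(line)
        if c is not None:
            pid, _image, _kind, name = c
            hits[pid].add(name.lower())
    return dict(hits)


if __name__ == "__main__":
    for pid, dirs in workdirs_by_pid(LOG_LINES).items():
        print(pid, sorted(dirs))
```

The last constructed line (nsxyz.tmp) deliberately fails the hex-digit part of the pattern: GetTempFileNameA only ever appends hex, so a looser `ns*.tmp` match would pull in unrelated files.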

              Control-flow Graph

              APIs
                • Part of subcall function 00405DE2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\4NsDuAp8TA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E3A
                • Part of subcall function 00405DE2: CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                • Part of subcall function 00405DE2: CharNextA.USER32(?,"C:\Users\user\Desktop\4NsDuAp8TA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E4C
                • Part of subcall function 00405DE2: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E5C
              • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 004030DC
              Similarity
              • API ID: Char$Next$CreateDirectoryPrev
              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsi56C.tmp
              • API String ID: 4115351271-3746163108
              • Opcode ID: 8e7680eb481f2e00cc16df113ff911000dfe49d9d02a3d1b6cba6af61926cd3a
              • Instruction ID: c9728f7b553dd8aa4c0e43ad66b561e8a411fb1fe81b444dc1201db4bd0af2db
              • Opcode Fuzzy Hash: 8e7680eb481f2e00cc16df113ff911000dfe49d9d02a3d1b6cba6af61926cd3a
              • Instruction Fuzzy Hash: 13D09222506D3122E99132263C06FCF1A4C8F8B35AF51817BF50A781855A6D1A92C9FE

              Control-flow Graph

              control_flow_graph 201 405825-405851 GetFileAttributesA CreateFileA
              APIs
              • GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\4NsDuAp8TA.exe,80000000,00000003), ref: 00405829
              • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
              Similarity
              • API ID: File$AttributesCreate
              • String ID:
              • API String ID: 415043291-0
              • Opcode ID: 2ef177618df3c6e064d17c8612f07db8468e07c34dd9f446758cb9fc7f1f7b71
              • Instruction ID: d58f26a5a32defaeeb3d325f121af029a3aa60b04f4a5bd1c9a51958cab5ad8a
              • Opcode Fuzzy Hash: 2ef177618df3c6e064d17c8612f07db8468e07c34dd9f446758cb9fc7f1f7b71
              • Instruction Fuzzy Hash: B8D09E31658301AFEF098F20DE16F2EBBA2EB84B01F10962CB642940E0D6715C15DB16

              Control-flow Graph

              control_flow_graph 202 403072-403091 ReadFile 203 403093-403096 202->203 204 40309d 202->204 203->204 205 403098-40309b 203->205 206 40309f-4030a1 204->206 205->206
              APIs
              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EBC,000000FF,00000004,00000000,00000000,00000000), ref: 00403089
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: e68bf106eb3186c7e106c3f9a269c6ae9a01f653eb00a6b034ce70840e3ede78
              • Instruction ID: 0981d36ce8a37324ca65ea29ac33eec068edb21049201a101882ec42e2df6d76
              • Opcode Fuzzy Hash: e68bf106eb3186c7e106c3f9a269c6ae9a01f653eb00a6b034ce70840e3ede78
              • Instruction Fuzzy Hash: 3FE08C32151119BBCF205E619C08AEB3B5CEB007A6F00C033BA18E5190D630EB149BA8

              Control-flow Graph

              control_flow_graph 207 4053a8-4053bb 208 4053c2-4053c9 207->208 209 4053bd-4053c0 207->209 211 4053d1-405403 MessageBoxIndirectA 208->211 212 4053cb 208->212 209->208 210 405409 209->210 211->210 212->211
              APIs
              • MessageBoxIndirectA.USER32(00409210), ref: 00405403
              Similarity
              • API ID: IndirectMessage
              • String ID:
              • API String ID: 1874166685-0
              • Opcode ID: 5101a69139d125882d8b2f460b10c68b17d567ebaafa8d60d0565db0f68381b7
              • Instruction ID: 35481f56b36490c99b65deed9c981b3ebab50b8ac52ff9247c4327c075b7b7cb
              • Opcode Fuzzy Hash: 5101a69139d125882d8b2f460b10c68b17d567ebaafa8d60d0565db0f68381b7
              • Instruction Fuzzy Hash: B8F05274680200AFC354CF58EA447623BE0E399350F10897EE245A23B2C3B88A86CF48

              Control-flow Graph

              control_flow_graph 213 403548-403550 214 403560-403571 call 40358d call 405454 213->214 215 403552-403559 FindCloseChangeNotification 213->215 215->214
              APIs
              • FindCloseChangeNotification.KERNELBASE(FFFFFFFF,004033A9,?), ref: 00403553
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 589a16cc77adabca8de4aa73762697773acad4ee3cb03b9089ecdffb6a6655dc
              • Instruction ID: fc4578a4b6b7db8cc3d98c31650a0345e59194aa90dc0d4e26b17281c046a7f9
              • Opcode Fuzzy Hash: 589a16cc77adabca8de4aa73762697773acad4ee3cb03b9089ecdffb6a6655dc
              • Instruction Fuzzy Hash: 91C08030604600A6D5247F7C9D4BA453A945741336B904735F475F50F3D73C5BC5956D

              Control-flow Graph

              control_flow_graph 220 404fc2-404fdd 221 404fe3-4050ac GetDlgItem * 3 call 403ebc call 404722 GetClientRect GetSystemMetrics SendMessageA * 2 220->221 222 40516e-405175 220->222 242 4050ca-4050cd 221->242 243 4050ae-4050c8 SendMessageA * 2 221->243 224 405177-405199 GetDlgItem CreateThread CloseHandle 222->224 225 40519f-4051ac 222->225 224->225 227 4051ca-4051d1 225->227 228 4051ae-4051b4 225->228 232 4051d3-4051d9 227->232 233 405228-40522c 227->233 230 4051b6-4051c5 ShowWindow * 2 call 403ebc 228->230 231 4051ec-4051f5 call 403eee 228->231 230->227 246 4051fa-4051fe 231->246 237 405201-405211 ShowWindow 232->237 238 4051db-4051e7 call 403e60 232->238 233->231 235 40522e-405231 233->235 235->231 244 405233-405246 SendMessageA 235->244 240 405221-405223 call 403e60 237->240 241 405213-40521c call 404e84 237->241 238->231 240->233 241->240 249 4050dd-4050f4 call 403e87 242->249 250 4050cf-4050db SendMessageA 242->250 243->242 251 405340-405342 244->251 252 40524c-40526d CreatePopupMenu call 405b99 AppendMenuA 244->252 259 4050f6-40510a ShowWindow 249->259 260 40512a-40514b GetDlgItem SendMessageA 249->260 250->249 251->246 257 405282-405288 252->257 258 40526f-405280 GetWindowRect 252->258 262 40528b-4052a3 TrackPopupMenu 257->262 258->262 263 405119 259->263 264 40510c-405117 ShowWindow 259->264 260->251 261 405151-405169 SendMessageA * 2 260->261 261->251 262->251 265 4052a9-4052c0 262->265 266 40511f-405125 call 403ebc 263->266 264->266 267 4052c5-4052e0 SendMessageA 265->267 266->260 267->267 269 4052e2-405302 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 267->269 270 405304-405324 SendMessageA 269->270 270->270 271 405326-40533a GlobalUnlock SetClipboardData CloseClipboard 270->271 271->251
              APIs
              • GetDlgItem.USER32(?,00000403), ref: 00405021
              • GetDlgItem.USER32(?,000003EE), ref: 00405030
              • GetClientRect.USER32(?,?), ref: 0040506D
              • GetSystemMetrics.USER32(00000015), ref: 00405075
              • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405096
              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050A7
              • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050BA
              • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050C8
              • SendMessageA.USER32(?,00001024,00000000,?), ref: 004050DB
              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004050FD
              • ShowWindow.USER32(?,00000008), ref: 00405111
              • GetDlgItem.USER32(?,000003EC), ref: 00405132
              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405142
              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040515B
              • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405167
              • GetDlgItem.USER32(?,000003F8), ref: 0040503F
                • Part of subcall function 00403EBC: SendMessageA.USER32(00000028,?,00000001,00403CED), ref: 00403ECA
              • GetDlgItem.USER32(?,000003EC), ref: 00405184
              • CreateThread.KERNEL32(00000000,00000000,Function_00004F56,00000000), ref: 00405192
              • CloseHandle.KERNEL32(00000000), ref: 00405199
              • ShowWindow.USER32(00000000), ref: 004051BD
              • ShowWindow.USER32(00000000,00000008), ref: 004051C2
              • ShowWindow.USER32(00000008), ref: 00405209
              • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 0040523B
              • CreatePopupMenu.USER32 ref: 0040524C
              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405261
              • GetWindowRect.USER32(00000000,?), ref: 00405274
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052D3
              • OpenClipboard.USER32(00000000), ref: 004052E3
              • EmptyClipboard.USER32 ref: 004052E9
              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
              • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052FC
              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405310
              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405329
              • SetClipboardData.USER32(00000001,00000000), ref: 00405334
              • CloseClipboard.USER32 ref: 0040533A
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
              • String ID: {
              • API String ID: 590372296-366298937
              • Opcode ID: 0ea0c883de9e267c42cbeb6e3c80013dc4c93350febcbc7ac3233a1783f0389b
              • Instruction ID: 5cc5a493c7826af022734a05619d12b61540e90d3b7798cd1ee4812e4cb533c1
              • Opcode Fuzzy Hash: 0ea0c883de9e267c42cbeb6e3c80013dc4c93350febcbc7ac3233a1783f0389b
              • Instruction Fuzzy Hash: FDA16C70900208BFEB119F60DC85AAE7F79FB44355F00816AFA05BA1A1C7795E41DFA9

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 272 404801-40484d GetDlgItem * 2 273 404853-4048e7 GlobalAlloc LoadBitmapA SetWindowLongA ImageList_Create ImageList_AddMasked SendMessageA * 2 272->273 274 404a6d-404a74 272->274 275 4048f6-4048fd DeleteObject 273->275 276 4048e9-4048f4 SendMessageA 273->276 277 404a76-404a86 274->277 278 404a88 274->278 280 4048ff-404907 275->280 276->275 279 404a8b-404a94 277->279 278->279 281 404a96-404a99 279->281 282 404a9f-404aa5 279->282 283 404930-404934 280->283 284 404909-40490c 280->284 281->282 288 404b83-404b8a 281->288 285 404ab4-404abb 282->285 286 404aa7-404aae 282->286 283->280 287 404936-404962 call 403e87 * 2 283->287 289 404911-40492e call 405b99 SendMessageA * 2 284->289 290 40490e 284->290 292 404b30-404b33 285->292 293 404abd-404ac0 285->293 286->285 286->288 328 404968-40496e 287->328 329 404a2c-404a3f GetWindowLongA SetWindowLongA 287->329 295 404bfb-404c03 288->295 296 404b8c-404b92 288->296 289->283 290->289 292->288 297 404b35-404b3f 292->297 301 404ac2-404ac9 293->301 302 404acb-404ae0 call 40474f 293->302 299 404c05-404c0b SendMessageA 295->299 300 404c0d-404c14 295->300 304 404de3-404df5 call 403eee 296->304 305 404b98-404ba2 296->305 307 404b41-404b4d SendMessageA 297->307 308 404b4f-404b59 297->308 299->300 309 404c16-404c1d 300->309 310 404c48-404c4f 300->310 301->292 301->302 302->292 327 404ae2-404af3 302->327 305->304 313 404ba8-404bb7 SendMessageA 305->313 307->308 308->288 315 404b5b-404b65 308->315 316 404c26-404c2d 309->316 317 404c1f-404c20 ImageList_Destroy 309->317 320 404da5-404dac 310->320 321 404c55-404c61 call 4011ef 310->321 313->304 322 404bbd-404bce SendMessageA 313->322 323 404b76-404b80 315->323 324 404b67-404b74 315->324 325 404c36-404c42 316->325 326 404c2f-404c30 GlobalFree 316->326 317->316 320->304 333 404dae-404db5 320->333 346 404c71-404c74 321->346 347 404c63-404c66 321->347 331 404bd0-404bd6 322->331 332 404bd8-404bda 322->332 323->288 324->288 325->310 326->325 327->292 335 404af5-404af7 327->335 336 404971-404977 328->336 334 404a45-404a49 329->334 331->332 338 404bdb-404bf4 call 401299 SendMessageA 331->338 332->338 333->304 339 404db7-404de1 ShowWindow GetDlgItem ShowWindow 333->339 340 404a63-404a6b call 403ebc 334->340 341 404a4b-404a5e ShowWindow call 403ebc 334->341 342 404af9-404b00 335->342 343 404b0a 335->343 344 404a0d-404a20 336->344 345 40497d-4049a5 336->345 338->295 339->304 340->274 341->304 355 404b02-404b04 342->355 356 404b06-404b08 342->356 359 404b0d-404b29 call 40117d 343->359 344->336 350 404a26-404a2a 344->350 357 4049a7-4049dd SendMessageA 345->357 358 4049df-4049e1 345->358 351 404cb5-404cd9 call 4011ef 346->351 352 404c76-404c8f call 4012e2 call 401299 346->352 360 404c68 347->360 361 404c69-404c6c call 4047cf 347->361 350->329 350->334 374 404d7b-404d8f InvalidateRect 351->374 375 404cdf 351->375 382 404c91-404c97 352->382 383 404c9f-404cae SendMessageA 352->383 355->359 356->359 357->344 362 4049e3-4049f2 SendMessageA 358->362 363 4049f4-404a0a SendMessageA 358->363 359->292 360->361 361->346 362->344 363->344 374->320 377 404d91-404da0 call 404722 call 40466d 374->377 378 404ce2-404ced 375->378 377->320 379 404d63-404d75 378->379 380 404cef-404cfe 378->380 379->374 379->378 384 404d00-404d0d 380->384 385 404d11-404d14 380->385 386 404c99 382->386 387 404c9a-404c9d 382->387 383->351 384->385 389 404d16-404d19 385->389 390 404d1b-404d24 385->390 386->387 387->382 387->383 392 404d29-404d61 SendMessageA * 2 389->392 390->392 393 404d26 390->393 392->379 393->392
              APIs
              • GetDlgItem.USER32(?,000003F9), ref: 00404819
              • GetDlgItem.USER32(?,00000408), ref: 00404824
              • GlobalAlloc.KERNEL32(00000040,?), ref: 0040486E
              • LoadBitmapA.USER32(0000006E), ref: 00404881
              • SetWindowLongA.USER32(?,000000FC,00404DF8), ref: 0040489A
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048AE
              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048C0
              • SendMessageA.USER32(?,00001109,00000002), ref: 004048D6
              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048E2
              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048F4
              • DeleteObject.GDI32(00000000), ref: 004048F7
              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404922
              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040492E
              • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049C3
              • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049EE
              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A02
              • GetWindowLongA.USER32(?,000000F0), ref: 00404A31
              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A3F
              • ShowWindow.USER32(?,00000005), ref: 00404A50
              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B4D
              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BB2
              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BC7
              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BEB
              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C0B
              • ImageList_Destroy.COMCTL32(?), ref: 00404C20
              • GlobalFree.KERNEL32(?), ref: 00404C30
              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CA9
              • SendMessageA.USER32(?,00001102,?,?), ref: 00404D52
              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D61
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D81
              • ShowWindow.USER32(?,00000000), ref: 00404DCF
              • GetDlgItem.USER32(?,000003FE), ref: 00404DDA
              • ShowWindow.USER32(00000000), ref: 00404DE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N
              • API String ID: 1638840714-813528018
              • Opcode ID: fd8361cfeaf59b72f1386bedcc7aea6d4778cb975f7506de2bc5f1e87fd31e76
              • Instruction ID: 73e5042133b470fdde48d750d06e43d2904589ccee469aaf4ee40575ec54014f
              • Opcode Fuzzy Hash: fd8361cfeaf59b72f1386bedcc7aea6d4778cb975f7506de2bc5f1e87fd31e76
              • Instruction Fuzzy Hash: 59027FB0900209AFEB10DF54DC85AAE7BB5FB84315F10853AF610B62E1C7799E42CF58
              APIs
              • GetDlgItem.USER32(?,000003FB), ref: 00404314
              • SetWindowTextA.USER32(00000000,?), ref: 0040433E
              • SHBrowseForFolderA.SHELL32(?,0079E0D0,?), ref: 004043EF
              • CoTaskMemFree.OLE32(00000000), ref: 004043FA
              • lstrcmpiA.KERNEL32(007A16A0,0079ECF8), ref: 0040442C
              • lstrcatA.KERNEL32(?,007A16A0), ref: 00404438
              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040444A
                • Part of subcall function 0040538C: GetDlgItemTextA.USER32(?,?,00000400,00404481), ref: 0040539F
                • Part of subcall function 00405DE2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\4NsDuAp8TA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E3A
                • Part of subcall function 00405DE2: CharNextA.USER32(?,?,?,00000000), ref: 00405E47
                • Part of subcall function 00405DE2: CharNextA.USER32(?,"C:\Users\user\Desktop\4NsDuAp8TA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E4C
                • Part of subcall function 00405DE2: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E5C
              • GetDiskFreeSpaceA.KERNEL32(0079DCC8,?,?,0000040F,?,0079DCC8,0079DCC8,?,00000000,0079DCC8,?,?,000003FB,?), ref: 00404505
              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404520
              • SetDlgItemTextA.USER32(00000000,00000400,0079DCB8), ref: 004045A6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
              • String ID: A
              • API String ID: 2246997448-3554254475
              • Opcode ID: a68b45dffeb6f84f52b39daaa5d793e6caad4b47951e738af54e6220d2aef0ae
              • Instruction ID: 03cdc0df629eda19bc81850558ffdd0616f3ff49271ebeceec1b5cb03d6b2ac4
              • Opcode Fuzzy Hash: a68b45dffeb6f84f52b39daaa5d793e6caad4b47951e738af54e6220d2aef0ae
              • Instruction Fuzzy Hash: DB9192B1900208BBDB11AFA1CC81AAF77B8EF85305F14447BFB01B62D1D77C9A418B69
              APIs
              • GetVersion.KERNEL32(?,0079E4D8,00000000,00404EBC,0079E4D8,00000000), ref: 00405C4A
              • GetSystemDirectoryA.KERNEL32(007A16A0,00000400), ref: 00405CC5
              • GetWindowsDirectoryA.KERNEL32(007A16A0,00000400), ref: 00405CD8
              • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405D14
              • SHGetPathFromIDListA.SHELL32(?,007A16A0), ref: 00405D22
              • CoTaskMemFree.OLE32(?), ref: 00405D2D
              • lstrcatA.KERNEL32(007A16A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D4F
              • lstrlenA.KERNEL32(007A16A0,?,0079E4D8,00000000,00404EBC,0079E4D8,00000000), ref: 00405DA1
              Strings
              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C94
              • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D49
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
              • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 900638850-730719616
              • Opcode ID: eaa8d679cdde7ec1b846b7d20550e8a9090a2d3d3f7a51f3022e8c133c3e6eb0
              • Instruction ID: 050506686e60d08a76f5c318217997e75ce046d50ca6fca7f220fc6f31a13d77
              • Opcode Fuzzy Hash: eaa8d679cdde7ec1b846b7d20550e8a9090a2d3d3f7a51f3022e8c133c3e6eb0
              • Instruction Fuzzy Hash: 5E61F471A04A05AAEF115F24CC88BBF3BA9EF52314F14813BE941BA2D1D27C5981DF5E
              APIs
              • DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75923410,00000000), ref: 0040547D
              • lstrcatA.KERNEL32(0079FD00,\*.*,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75923410,00000000), ref: 004054C5
              • lstrcatA.KERNEL32(?,00409014,?,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75923410,00000000), ref: 004054E6
              • lstrlenA.KERNEL32(?,?,00409014,?,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75923410,00000000), ref: 004054EC
              • FindFirstFileA.KERNEL32(0079FD00,?,?,?,00409014,?,0079FD00,?,?,C:\Users\user\AppData\Local\Temp\,75923410,00000000), ref: 004054FD
              • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055AA
              • FindClose.KERNEL32(00000000), ref: 004055BB
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405462
              • "C:\Users\user\Desktop\4NsDuAp8TA.exe", xrefs: 00405454
              • \*.*, xrefs: 004054BF
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: "C:\Users\user\Desktop\4NsDuAp8TA.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
              • API String ID: 2035342205-425970362
              • Opcode ID: 882c0e5d12b924f8698f38e7a6dc77829c612616eb812936588a6f232fd63121
              • Instruction ID: 6c887a6cd9596c43cc691a5f5e4ea67afdeb508a4c755cd09b57e0a75bcacbf5
              • Opcode Fuzzy Hash: 882c0e5d12b924f8698f38e7a6dc77829c612616eb812936588a6f232fd63121
              • Instruction Fuzzy Hash: 6F51C030800A04BACB21AB21CC45BBF7AB9DF42318F54817BF455B11D2D73C9A82DEAD
              APIs
              • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409398,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: ByteCharCreateInstanceMultiWide
              • String ID:
              • API String ID: 123533781-0
              • Opcode ID: e012038d3e8a169ff903bf719303fb9d47d5aed85b4ede8371c8d23c588ac1eb
              • Instruction ID: b07af7920b8309ffd935e8952b71055f016d565fd75ec3e93ef818f940943bf4
              • Opcode Fuzzy Hash: e012038d3e8a169ff903bf719303fb9d47d5aed85b4ede8371c8d23c588ac1eb
              • Instruction Fuzzy Hash: 91415F75A00205AFCB00DFA4CD88EAE7BB5EF49314F204169F905EB2D1CA79AD41CB55
              APIs
              • FindFirstFileA.KERNEL32(?,007A0548,007A0100,00405755,007A0100,007A0100,00000000,007A0100,007A0100,?,?,75923410,00405474,?,C:\Users\user\AppData\Local\Temp\,75923410), ref: 00405E86
              • FindClose.KERNEL32(00000000), ref: 00405E92
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: cc838ac162cb5096740799fdca5271843f6408794e75c0bc12259f58485ee713
              • Instruction ID: e3a419463b19944544fc21c9ad6669fb55d517ae4bfd2eba5619c06405e9773a
              • Opcode Fuzzy Hash: cc838ac162cb5096740799fdca5271843f6408794e75c0bc12259f58485ee713
              • Instruction Fuzzy Hash: 6AD012319195205BC3406738AC0C89F7B69DB563317304B32B5BDF12E0C2389D628AE9
              APIs
              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040265E
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: FileFindFirst
              • String ID:
              • API String ID: 1974802433-0
              • Opcode ID: 8e05c904b43dae5a009f96364440cc8acb8de351f29cb0f39e35ebea2b885a46
              • Instruction ID: 3ab4b2e523f4ece34398282fff8650a64823828ee778d7c177d23f294cc8494d
              • Opcode Fuzzy Hash: 8e05c904b43dae5a009f96364440cc8acb8de351f29cb0f39e35ebea2b885a46
              • Instruction Fuzzy Hash: FAF0A032A041149AD700E7B4A949AEEB778CB15324F20067BE101E20C2C6B869859A2E

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 394 4039b4-4039c6 395 403b07-403b16 394->395 396 4039cc-4039d2 394->396 398 403b65-403b7a 395->398 399 403b18-403b60 GetDlgItem * 2 call 403e87 SetClassLongA call 40140b 395->399 396->395 397 4039d8-4039e1 396->397 402 4039e3-4039f0 SetWindowPos 397->402 403 4039f6-4039f9 397->403 400 403bba-403bbf call 403ed3 398->400 401 403b7c-403b7f 398->401 399->398 416 403bc4-403bdf 400->416 405 403b81-403b8c call 401389 401->405 406 403bb2-403bb4 401->406 402->403 408 403a13-403a19 403->408 409 4039fb-403a0d ShowWindow 403->409 405->406 427 403b8e-403bad SendMessageA 405->427 406->400 415 403e54 406->415 411 403a35-403a38 408->411 412 403a1b-403a30 DestroyWindow 408->412 409->408 419 403a3a-403a46 SetWindowLongA 411->419 420 403a4b-403a51 411->420 417 403e31-403e37 412->417 424 403e56-403e5d 415->424 422 403be1-403be3 call 40140b 416->422 423 403be8-403bee 416->423 417->415 428 403e39-403e3f 417->428 419->424 425 403af4-403b02 call 403eee 420->425 426 403a57-403a68 GetDlgItem 420->426 422->423 430 403e12-403e2b DestroyWindow EndDialog 423->430 431 403bf4-403bff 423->431 425->424 433 403a87-403a8a 426->433 434 403a6a-403a81 SendMessageA IsWindowEnabled 426->434 427->424 428->415 436 403e41-403e4a ShowWindow 428->436 430->417 431->430 432 403c05-403c52 call 405b99 call 403e87 * 3 GetDlgItem 431->432 464 403c54-403c59 432->464 465 403c5c-403c98 ShowWindow EnableWindow call 403ea9 EnableWindow 432->465 438 403a8c-403a8d 433->438 439 403a8f-403a92 433->439 434->415 434->433 436->415 442 403abd-403ac2 call 403e60 438->442 443 403aa0-403aa5 439->443 444 403a94-403a9a 439->444 442->425 447 403adb-403aee SendMessageA 443->447 449 403aa7-403aad 443->449 444->447 448 403a9c-403a9e 444->448 447->425 448->442 452 403ac4-403acd call 40140b 449->452 453 403aaf-403ab5 call 40140b 449->453 452->425 462 403acf-403ad9 452->462 460 403abb 453->460 460->442 462->460 464->465 468 403c9a-403c9b 465->468 469 403c9d 465->469 470 403c9f-403ccd GetSystemMenu EnableMenuItem SendMessageA 468->470 469->470 471 403ce2 470->471 472 403ccf-403ce0 SendMessageA 470->472 473 403ce8-403d21 call 403ebc call 405b77 lstrlenA call 405b99 SetWindowTextA call 401389 471->473 472->473 473->416 482 403d27-403d29 473->482 482->416 483 403d2f-403d33 482->483 484 403d52-403d66 DestroyWindow 483->484 485 403d35-403d3b 483->485 484->417 486 403d6c-403d99 CreateDialogParamA 484->486 485->415 487 403d41-403d47 485->487 486->417 488 403d9f-403df6 call 403e87 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 486->488 487->416 489 403d4d 487->489 488->415 494 403df8-403e10 ShowWindow call 403ed3 488->494 489->415 494->417
              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039F0
              • ShowWindow.USER32(?), ref: 00403A0D
              • DestroyWindow.USER32 ref: 00403A21
              • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A3D
              • GetDlgItem.USER32(?,?), ref: 00403A5E
              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A72
              • IsWindowEnabled.USER32(00000000), ref: 00403A79
              • GetDlgItem.USER32(?,00000001), ref: 00403B27
              • GetDlgItem.USER32(?,00000002), ref: 00403B31
              • SetClassLongA.USER32(?,000000F2,?), ref: 00403B4B
              • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B9C
              • GetDlgItem.USER32(?,00000003), ref: 00403C42
              • ShowWindow.USER32(00000000,?), ref: 00403C63
              • EnableWindow.USER32(?,?), ref: 00403C75
              • EnableWindow.USER32(?,?), ref: 00403C90
              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA6
              • EnableMenuItem.USER32(00000000), ref: 00403CAD
              • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CC5
              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD8
              • lstrlenA.KERNEL32(0079ECF8,?,0079ECF8,007A1F00), ref: 00403D01
              • SetWindowTextA.USER32(?,0079ECF8), ref: 00403D10
              • ShowWindow.USER32(?,0000000A), ref: 00403E44
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
              • String ID:
              • API String ID: 184305955-0
              • Opcode ID: d971db1fb676f9121a2777190888625fc0312326e765dd8249487f5c43209863
              • Instruction ID: 08d6703954b26bba67f61acca2d9aa754b0d4f7535d1ee947126766f28ce6238
              • Opcode Fuzzy Hash: d971db1fb676f9121a2777190888625fc0312326e765dd8249487f5c43209863
              • Instruction Fuzzy Hash: 42C1C231904200ABEB21AF25ED45E2B7EACF745706F04453EFA41B11E1C77DA982DB6E

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 497 403622-40363a call 405ea2 500 40363c-40364c call 405ad5 497->500 501 40364e-40367f call 405a5e 497->501 510 4036a2-4036cb call 4038e7 call 405712 500->510 506 403681-403692 call 405a5e 501->506 507 403697-40369d lstrcatA 501->507 506->507 507->510 515 4036d1-4036d6 510->515 516 403752-40375a call 405712 510->516 515->516 517 4036d8-4036fc call 405a5e 515->517 522 403768-40378d LoadImageA 516->522 523 40375c-403763 call 405b99 516->523 517->516 524 4036fe-403700 517->524 526 40380e-403816 call 40140b 522->526 527 40378f-4037bf RegisterClassA 522->527 523->522 528 403711-40371d lstrlenA 524->528 529 403702-40370f call 40564f 524->529 541 403820-40382b call 4038e7 526->541 542 403818-40381b 526->542 530 4037c5-403809 SystemParametersInfoA CreateWindowExA 527->530 531 4038dd 527->531 535 403745-40374d call 405624 call 405b77 528->535 536 40371f-40372d lstrcmpiA 528->536 529->528 530->526 533 4038df-4038e6 531->533 535->516 536->535 540 40372f-403739 GetFileAttributesA 536->540 545 40373b-40373d 540->545 546 40373f-403740 call 40566b 540->546 550 403831-40384e ShowWindow LoadLibraryA 541->550 551 4038b4-4038bc call 404f56 541->551 542->533 545->535 545->546 546->535 552 403850-403855 LoadLibraryA 550->552 553 403857-403869 GetClassInfoA 550->553 559 4038d6-4038d8 call 40140b 551->559 560 4038be-4038c4 551->560 552->553 555 403881-4038b2 DialogBoxParamA call 40140b call 403572 553->555 556 40386b-40387b GetClassInfoA RegisterClassA 553->556 555->533 556->555 559->531 560->542 561 4038ca-4038d1 call 40140b 560->561 561->542
              APIs
                • Part of subcall function 00405EA2: GetModuleHandleA.KERNEL32(?,?,?,00403134,00000008), ref: 00405EB4
                • Part of subcall function 00405EA2: LoadLibraryA.KERNELBASE(?,?,?,00403134,00000008), ref: 00405EBF
                • Part of subcall function 00405EA2: GetProcAddress.KERNEL32(00000000,?), ref: 00405ED0
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi56C.tmp,0079ECF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ECF8,00000000,00000006,C:\Users\user\AppData\Local\Temp\,75923410,"C:\Users\user\Desktop\4NsDuAp8TA.exe",00000000), ref: 0040369D
              • lstrlenA.KERNEL32(007A16A0,?,?,?,007A16A0,00000000,007A8400,C:\Users\user\AppData\Local\Temp\nsi56C.tmp,0079ECF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ECF8,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 00403712
              • lstrcmpiA.KERNEL32(?,.exe), ref: 00403725
              • GetFileAttributesA.KERNEL32(007A16A0), ref: 00403730
              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007A8400), ref: 00403779
                • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
              • RegisterClassA.USER32(007A1EA0), ref: 004037B6
              • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037CE
              • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403803
              • ShowWindow.USER32(00000005,00000000), ref: 00403839
              • LoadLibraryA.KERNEL32(RichEd20), ref: 0040384A
              • LoadLibraryA.KERNEL32(RichEd32), ref: 00403855
              • GetClassInfoA.USER32(00000000,RichEdit20A,007A1EA0), ref: 00403865
              • GetClassInfoA.USER32(00000000,RichEdit,007A1EA0), ref: 00403872
              • RegisterClassA.USER32(007A1EA0), ref: 0040387B
              • DialogBoxParamA.USER32(?,00000000,004039B4,00000000), ref: 0040389A
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
              • String ID: "C:\Users\user\Desktop\4NsDuAp8TA.exe"$.DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsi56C.tmp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
              • API String ID: 914957316-694510882
              • Opcode ID: fcf350a16533a8f7f48c774a1ae8809bdd7b9640d83f0523be5dbe97f1948a0b
              • Instruction ID: b0afc0e10dc8cbe2448bed9474bc03f366f348945261fe302a10aac9679cd79a
              • Opcode Fuzzy Hash: fcf350a16533a8f7f48c774a1ae8809bdd7b9640d83f0523be5dbe97f1948a0b
              • Instruction Fuzzy Hash: FA61E6716442007EE710BB659C85F373AACEB8275AF00857EFA45B22E2D67D6D01CB2D

              Control-flow Graph
              APIs
              • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040405B
              • GetDlgItem.USER32(00000000,000003E8), ref: 0040406F
              • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040408D
              • GetSysColor.USER32(?), ref: 0040409E
              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040AD
              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040BC
              • lstrlenA.KERNEL32(?), ref: 004040BF
              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040CE
              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040E3
              • GetDlgItem.USER32(?,0000040A), ref: 00404145
              • SendMessageA.USER32(00000000), ref: 00404148
              • GetDlgItem.USER32(?,000003E8), ref: 00404173
              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041B3
              • LoadCursorA.USER32(00000000,00007F02), ref: 004041C2
              • SetCursor.USER32(00000000), ref: 004041CB
              • ShellExecuteA.SHELL32(0000070B,open,007A16A0,00000000,00000000,00000001), ref: 004041DE
              • LoadCursorA.USER32(00000000,00007F00), ref: 004041EB
              • SetCursor.USER32(00000000), ref: 004041EE
              • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040421A
              • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040422E
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
              • String ID: N$open
              • API String ID: 3615053054-904208323
              • Opcode ID: d629206fc8082d4d9534340c1f089e738487a858c59a90b8640b314579ac6490
              • Instruction ID: 031dbeac94855a04ab7bc056baf49b9f62a127ba2e136bb98bc4968a945489ce
              • Opcode Fuzzy Hash: d629206fc8082d4d9534340c1f089e738487a858c59a90b8640b314579ac6490
              • Instruction Fuzzy Hash: DF61B971A40209BFEB109F60CC45F6A3B69FB84755F10816AFB047B2D1C7B8A951CF99

              Control-flow Graph
              APIs
              • lstrcpyA.KERNEL32(007A0A88,NUL,?,00000000,?,00000000,?,00405A53,?,?,00000001,00405613,?,00000000,000000F1,?), ref: 004058AD
              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A53,?,?,00000001,00405613,?,00000000,000000F1,?), ref: 004058D1
              • GetShortPathNameA.KERNEL32(00000000,007A0A88,00000400), ref: 004058DA
                • Part of subcall function 0040578A: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,0040599C,00000000,[Rename]), ref: 0040579A
                • Part of subcall function 0040578A: lstrlenA.KERNEL32(?,?,00000000,0040599C,00000000,[Rename]), ref: 004057CC
              • GetShortPathNameA.KERNEL32(?,007A0E88,00000400), ref: 004058F7
              • wsprintfA.USER32 ref: 00405915
              • GetFileSize.KERNEL32(00000000,00000000,007A0E88,C0000000,00000004,007A0E88,?,?,?,?,?), ref: 00405950
              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040595F
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405979
              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004059A9
              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,007A0688,00000000,-0000000A,0040936C,00000000,[Rename]), ref: 004059FF
              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405A11
              • GlobalFree.KERNEL32(00000000), ref: 00405A18
              • CloseHandle.KERNEL32(00000000), ref: 00405A1F
                • Part of subcall function 00405825: GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\4NsDuAp8TA.exe,80000000,00000003), ref: 00405829
                • Part of subcall function 00405825: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040584B
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
              • String ID: %s=%s$NUL$[Rename]
              • API String ID: 3756836283-4148678300
              • Opcode ID: 3dc5f7bb7184485a7b87fb4c129ebc8997b7fd1a3a4ee1b2d00c5489aec53c8d
              • Instruction ID: 703081f9f45e0959c07b6a00457515c8324f77790511a56e8ac0345a7c84fdf8
              • Opcode Fuzzy Hash: 3dc5f7bb7184485a7b87fb4c129ebc8997b7fd1a3a4ee1b2d00c5489aec53c8d
              • Instruction Fuzzy Hash: 91412B71B04705AFD2206B249C49F6B7B6CEF89754F14053AFD01F62D2D678A8008EBD
              APIs
              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32(?,?), ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectA.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextA.USER32(00000000,007A1F00,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F
              • API String ID: 941294808-1304234792
              • Opcode ID: 98e14e1640eb646ee3811aa623ba2e5d1e9cc6367b1deba79bcf05c34458357a
              • Instruction ID: dd0e79dd03d73333c37d03741989dce367d08c72bd534bd23d7a1991bc4c48e1
              • Opcode Fuzzy Hash: 98e14e1640eb646ee3811aa623ba2e5d1e9cc6367b1deba79bcf05c34458357a
              • Instruction Fuzzy Hash: E5419A71804249AFCB058F95CD459BFBFB9FF45310F00812AF962AA1A0C738EA51DFA5
              APIs
              • GetTickCount.KERNEL32 ref: 00402ECE
              • GetTickCount.KERNEL32 ref: 00402F55
              • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F82
              • wsprintfA.USER32 ref: 00402F92
              • WriteFile.KERNEL32(00000000,00000000,?,7FFFFFFF,00000000), ref: 00402FC0
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CountTick$FileWritewsprintf
              • String ID: ... %d%%
              • API String ID: 4209647438-2449383134
              • Opcode ID: 596e255581a170ddd44a042c57955e67d10ae647dc5c05ba9c0314ae55046869
              • Instruction ID: abbc5e543d40cc295139a54e2e8a13b251616715b744bb5f177e15d4b263a606
              • Opcode Fuzzy Hash: 596e255581a170ddd44a042c57955e67d10ae647dc5c05ba9c0314ae55046869
              • Instruction Fuzzy Hash: B1519C7190121AABCF10DF69DA48A9E7BB8BF04355F14413BF901B72C4D3789E50DBAA
              APIs
              • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\4NsDuAp8TA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E3A
              • CharNextA.USER32(?,?,?,00000000), ref: 00405E47
              • CharNextA.USER32(?,"C:\Users\user\Desktop\4NsDuAp8TA.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E4C
              • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030C7,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405E5C
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Char$Next$Prev
              • String ID: "C:\Users\user\Desktop\4NsDuAp8TA.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
              • API String ID: 589700163-1833393900
              • Opcode ID: 2024885374f02dac88d9fb103eccae40028a2ab1d30660e2dcec4d8ea4488381
              • Instruction ID: 982ed4f0ea0d1ffb3a75412ce8e95c0ea6245537b44222f6b90d7ae264b7a878
              • Opcode Fuzzy Hash: 2024885374f02dac88d9fb103eccae40028a2ab1d30660e2dcec4d8ea4488381
              • Instruction Fuzzy Hash: 7511B671804B9129EB3217248C44B776F98CB9A7A0F18047BE5C5723C2C67C5E828EED
              APIs
              • GetWindowLongA.USER32(?,000000EB), ref: 00403F0B
              • GetSysColor.USER32(00000000), ref: 00403F27
              • SetTextColor.GDI32(?,00000000), ref: 00403F33
              • SetBkMode.GDI32(?,?), ref: 00403F3F
              • GetSysColor.USER32(?), ref: 00403F52
              • SetBkColor.GDI32(?,?), ref: 00403F62
              • DeleteObject.GDI32(?), ref: 00403F7C
              • CreateBrushIndirect.GDI32(?), ref: 00403F86
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
              • Instruction ID: 43f1f9eadd2e023582460ec461a07703dc87d5103ca70cdaf59bc9c3c4c10c95
              • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
              • Instruction Fuzzy Hash: B1219971904705AFC7219F68DD08B5BBFF8AF01715F04852AF995E22D1C378E944CB55
              APIs
              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026E1
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026FD
              • GlobalFree.KERNEL32(?), ref: 00402736
              • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402748
              • GlobalFree.KERNEL32(00000000), ref: 0040274F
              • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402767
              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040277B
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
              • String ID:
              • API String ID: 3294113728-0
              • Opcode ID: 9965696cac2c5dcee919c64b3846389293bd495e345133515c16cb9a9d46e221
              • Instruction ID: 94283e328d35fee59e2da4f8035aa06736476ebf885dd15e4876c46effbb42d0
              • Opcode Fuzzy Hash: 9965696cac2c5dcee919c64b3846389293bd495e345133515c16cb9a9d46e221
              • Instruction Fuzzy Hash: E4319171C00128BBCF216FA5DD89DAE7E79EF05364F20423AF520762E1C7791D408BA9
              APIs
              • lstrlenA.KERNEL32(0079E4D8,00000000,?,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000,?), ref: 00404EBD
              • lstrlenA.KERNEL32(00402FA6,0079E4D8,00000000,?,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000), ref: 00404ECD
              • lstrcatA.KERNEL32(0079E4D8,00402FA6,00402FA6,0079E4D8,00000000,?,007898A8), ref: 00404EE0
              • SetWindowTextA.USER32(0079E4D8,0079E4D8), ref: 00404EF2
              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
              • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
              • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: MessageSend$lstrlen$TextWindowlstrcat
              • String ID:
              • API String ID: 2531174081-0
              • Opcode ID: 6d23eeeeadc8c975830744756af2e0c6f2d7ce04b7bca1b24e7dcfc844a15c14
              • Instruction ID: 0879e44440130bf100c4abc817e106b172b9c081b4a19821dc72f8a86b472426
              • Opcode Fuzzy Hash: 6d23eeeeadc8c975830744756af2e0c6f2d7ce04b7bca1b24e7dcfc844a15c14
              • Instruction Fuzzy Hash: E3216071900118BFDB019FA5CD849DEBFB9EB45354F14807AF904B6291C6785E40CBA4
              APIs
              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040476A
              • GetMessagePos.USER32 ref: 00404772
              • ScreenToClient.USER32(?,?), ref: 0040478C
              • SendMessageA.USER32(?,00001111,00000000,?), ref: 0040479E
              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047C4
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
              • Instruction ID: 6bd71cb3d479751b3b69d93d67c88433f783f46e4abb255f82c81c082e4bdd88
              • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
              • Instruction Fuzzy Hash: C5014075D00218BADB01DBA4DC45FFEBBBCAB55711F10412BBB10B71C0C7B865018BA5
              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B67
              • MulDiv.KERNEL32(?,00000064,?), ref: 00402B92
              • wsprintfA.USER32 ref: 00402BA2
              • SetWindowTextA.USER32(?,?), ref: 00402BB2
              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BC4
              Strings
              • verifying installer: %d%%, xrefs: 00402B9C
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: verifying installer: %d%%
              • API String ID: 1451636040-82062127
              • Opcode ID: b2596dc42376c4ed7c7376505dbeede42f27e887c2baf36158ddba7532441070
              • Instruction ID: 338c4dd4cc7a1f9a3f94f7e8e9aba01fa07f8a2d27e46d6da828e47d9d426f75
              • Opcode Fuzzy Hash: b2596dc42376c4ed7c7376505dbeede42f27e887c2baf36158ddba7532441070
              • Instruction Fuzzy Hash: 32014F70540208ABEF249F61DD0AEAE37B9AB00304F00803AFA06A92D1D7B9A9518B59
              APIs
              • lstrcatA.KERNEL32(00000000,00000000,00409B98,007A8800,00000000,00000000,00000031), ref: 0040177E
              • CompareFileTime.KERNEL32(-00000014,?,00409B98,00409B98,00000000,00000000,00409B98,007A8800,00000000,00000000,00000031), ref: 004017A8
                • Part of subcall function 00405B77: lstrcpynA.KERNEL32(?,?,00000400,0040315F,007A1F00,NSIS Error), ref: 00405B84
                • Part of subcall function 00404E84: lstrlenA.KERNEL32(0079E4D8,00000000,?,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000,?), ref: 00404EBD
                • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FA6,0079E4D8,00000000,?,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000), ref: 00404ECD
                • Part of subcall function 00404E84: lstrcatA.KERNEL32(0079E4D8,00402FA6,00402FA6,0079E4D8,00000000,?,007898A8), ref: 00404EE0
                • Part of subcall function 00404E84: SetWindowTextA.USER32(0079E4D8,0079E4D8), ref: 00404EF2
                • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                • Part of subcall function 00404E84: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                • Part of subcall function 00404E84: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID:
              • API String ID: 1941528284-0
              • Opcode ID: 9b098a5e810a5c28b9326644494c538c1da79562833f8fa9deb61f0cdda3993c
              • Instruction ID: df8d039fdd937f1c478db27dfce12e75bce6feb5164cf919340bcacede668491
              • Opcode Fuzzy Hash: 9b098a5e810a5c28b9326644494c538c1da79562833f8fa9deb61f0cdda3993c
              • Instruction Fuzzy Hash: F241B771900615BACB10BBA5CC46DAF7979DF42368F20423BF525F10E2DA3C5A419A6D
              APIs
              • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A68
              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA4
              • RegCloseKey.ADVAPI32(?), ref: 00402AAD
              • RegCloseKey.ADVAPI32(?), ref: 00402AD2
              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF0
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Close$DeleteEnumOpen
              • String ID:
              • API String ID: 1912718029-0
              • Opcode ID: 61aa7b08b25d36179ae4cb5662e9664e60734cdc6a87b09974626dd03ae36e85
              • Instruction ID: 1ad4598d9375e79b5c4158f8ae6fede31b6a0d7771ae0489b8e1e2a10aea7df0
              • Opcode Fuzzy Hash: 61aa7b08b25d36179ae4cb5662e9664e60734cdc6a87b09974626dd03ae36e85
              • Instruction Fuzzy Hash: 72116D31600108BFDF219F90DE48DAA3B6DEB55348B108036FA06A00A0D7B89E519F69
              APIs
              • GetDlgItem.USER32(?), ref: 00401CD0
              • GetClientRect.USER32(00000000,?), ref: 00401CDD
              • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
              • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
              • DeleteObject.GDI32(00000000), ref: 00401D1B
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              • Opcode ID: b0c852230168c282e54fa96b58fa246ff6a884e323492708f62686b2ee3a6f71
              • Instruction ID: 7c3280a60d84a3596340f685d6ada4bc9ba3972ea03b1155ec5ca5a37b5200ea
              • Opcode Fuzzy Hash: b0c852230168c282e54fa96b58fa246ff6a884e323492708f62686b2ee3a6f71
              • Instruction Fuzzy Hash: 01F04FB2905104AFD701EBA4EE88CAFB7BCEB44301B004476F601F2091C638AD018B79
              APIs
              • GetDC.USER32(?), ref: 00401D29
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
              • ReleaseDC.USER32(?,00000000), ref: 00401D56
              • CreateFontIndirectA.GDI32(0040AFA0), ref: 00401DA1
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CapsCreateDeviceFontIndirectRelease
              • String ID:
              • API String ID: 3808545654-0
              • Opcode ID: d50846cf01dc4d21c027121a250a91c6e779b9c02126d39bd440f749e4007b39
              • Instruction ID: 4f22f7d967d41569425e1cc72a43e48c322de2a0bc5ea7779ffcdbaac11077e3
              • Opcode Fuzzy Hash: d50846cf01dc4d21c027121a250a91c6e779b9c02126d39bd440f749e4007b39
              • Instruction Fuzzy Hash: 760162B1958341AFE7015BB0AE1ABAF7F74A725705F100439F145BA2E2C67C14158B2B
              APIs
              • lstrlenA.KERNEL32(0079ECF8,0079ECF8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040458D,000000DF,0000040F,00000400,00000000), ref: 004046FB
              • wsprintfA.USER32 ref: 00404703
              • SetDlgItemTextA.USER32(?,0079ECF8), ref: 00404716
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              • Opcode ID: de6b24ac2de06aa5a6c00b34d189335991a4621482d9b42b83f82e23e4af78ce
              • Instruction ID: 808364b1aeea65b13bf83ed040d55ad759ad6ec36480b824a7a4bb04bc91d3c3
              • Opcode Fuzzy Hash: de6b24ac2de06aa5a6c00b34d189335991a4621482d9b42b83f82e23e4af78ce
              • Instruction Fuzzy Hash: 8B1108736002243BDB0065699C06EEF329DDBC3375F14023BFA29F61D1E9799C5182E9
              APIs
              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              • Opcode ID: 8eff71bb5ebd36046c366c13d8ffe373437556df99635d979973e320c5583c2f
              • Instruction ID: 12ae1f52ecf524c97be6b8063d2fdb139482407b097923a357ceac7fbdf5fe65
              • Opcode Fuzzy Hash: 8eff71bb5ebd36046c366c13d8ffe373437556df99635d979973e320c5583c2f
              • Instruction Fuzzy Hash: 43219271A44248AFEF01AFB4CD8AAAE7FB5EF44348F14443EF501B61E1D6B95940DB18
              APIs
              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030D9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 0040562A
              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030D9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923410,0040329C), ref: 00405633
              • lstrcatA.KERNEL32(?,00409014), ref: 00405644
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405624
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CharPrevlstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 2659869361-823278215
              • Opcode ID: db489587f03a436ea3115729a1eb7cc5b4759721d3bad8b493c3f74dc48da956
              • Instruction ID: 00b6ae861ddc274f1a22631493032202eb54a79e67bc778d52c9d7871f0e19dd
              • Opcode Fuzzy Hash: db489587f03a436ea3115729a1eb7cc5b4759721d3bad8b493c3f74dc48da956
              • Instruction Fuzzy Hash: C8D0A962A099302ED20226158C05EDB3A98CF02315B040873F200B22E2C67C2D418BFE
              APIs
              • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93
                • Part of subcall function 00404E84: lstrlenA.KERNEL32(0079E4D8,00000000,?,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000,?), ref: 00404EBD
                • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FA6,0079E4D8,00000000,?,007898A8,?,?,?,?,?,?,?,?,?,00402FA6,00000000), ref: 00404ECD
                • Part of subcall function 00404E84: lstrcatA.KERNEL32(0079E4D8,00402FA6,00402FA6,0079E4D8,00000000,?,007898A8), ref: 00404EE0
                • Part of subcall function 00404E84: SetWindowTextA.USER32(0079E4D8,0079E4D8), ref: 00404EF2
                • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
                • Part of subcall function 00404E84: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F32
                • Part of subcall function 00404E84: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F40
              • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
              • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
              • String ID:
              • API String ID: 2987980305-0
              • Opcode ID: 2a470f3a265e4707170224a08b78964a62a1333b3cd2c4511b05f9becfff01cd
              • Instruction ID: d3abe0a985e527f0133db3cb222e4045a6b822903cb71d54981d30858ec5e20d
              • Opcode Fuzzy Hash: 2a470f3a265e4707170224a08b78964a62a1333b3cd2c4511b05f9becfff01cd
              • Instruction Fuzzy Hash: 01213032904211ABCF207F64CE49A6F79B0AF44358F20413BF601B62D1D7BD4E419A5E
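               As an added triage helper, not part of the Joe Sandbox report and not NSIS code: the Python below parses the "APIs" records on this page, keeps a function's own calls apart from the "Part of subcall function" entries (which belong to callees and should not be credited to the function being examined), and checks the direct-call order against three hand-written patterns: the LoadLibraryEx/GetProcAddress pair behind the "dynamically determine API calls" signature, the RegOpenKeyEx/RegEnumKey/RegDeleteKey walk of the key remover, and the CreateProcessA spawn. The sample text is copied from the records above; the pattern names, the ordering rule, and the use of the first call site as the function's identifier are my own conventions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "APIs" records from this report, copied verbatim
# (three functions: the DLL/plugin loader, the registry key remover, the process spawner).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93
  • Part of subcall function 00404E84: lstrlenA.KERNEL32(0079E4D8,00000000,?,007898A8), ref: 00404EBD
  • Part of subcall function 00404E84: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F18
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A68
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA4
• RegCloseKey.ADVAPI32(?), ref: 00402AAD
• RegCloseKey.ADVAPI32(?), ref: 00402AD2
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF0
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007A0500,Error launching installer), ref: 0040536C
• CloseHandle.KERNEL32(?), ref: 00405379
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE(args), ref: ADDR.  Lines such as "wsprintfA.USER32 ref: ..." carry no
# argument list and no comma, so both are optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Hypothetical pattern names (mine, not Joe Sandbox signature names).  Each is an ordered
# list of regexes that must match a function's *direct* calls in this order; unrelated
# calls may sit in between.
PATTERNS = {
    "dynamic_api_resolution": [r"^(LoadLibrary(Ex)?[AW]|GetModuleHandle[AW])$", r"^GetProcAddress$"],
    "recursive_registry_delete": [r"^RegOpenKeyEx[AW]$", r"^RegEnumKey(Ex)?[AW]$", r"^RegDeleteKey[AW]$"],
    "child_process": [r"^CreateProcess[AW]$"],
}


def parse_records(text):
    """Split report text into per-function records.

    Each record holds the APIs the function calls itself ('direct', in report order,
    with the matching call-site addresses in 'refs') and the APIs reached only through
    callees ('subcalls'), which must not count toward the function's own behaviour.
    """
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"direct": [], "refs": [], "subcalls": []}
            records.append(cur)
            continue
        m = CALL_RE.match(line)
        if cur is None or not m:
            continue
        if m.group("sub"):
            cur["subcalls"].append(m.group("api"))
        else:
            cur["direct"].append(m.group("api"))
            cur["refs"].append(m.group("ref"))
    return records


def matches_in_order(calls, pattern):
    """True if each step of pattern matches a call later than the previous step's match."""
    pos = 0
    for step in pattern:
        rx = re.compile(step)
        while pos < len(calls) and not rx.match(calls[pos]):
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True


def classify(records):
    """Map pattern name -> first call-site address of every function that matches it."""
    hits = defaultdict(list)
    for rec in records:
        for name, pattern in PATTERNS.items():
            if rec["direct"] and matches_in_order(rec["direct"], pattern):
                hits[name].append(rec["refs"][0])
    return dict(hits)


if __name__ == "__main__":
    for name, sites in sorted(classify(parse_records(SAMPLE)).items()):
        print(f"{name}: {', '.join(sites)}")
```

               The point of separating direct calls from subcall entries is visible in the first record: lstrlenA and SendMessageA come from the 00404E84 helper, not from the loader itself, so they are left out of the sequence that is matched. All three sequences are what an unmodified NSIS runtime does on its own (plugin exports are resolved with LoadLibraryEx/GetProcAddress, DeleteRegKey walks subkeys before deleting, and the "Error launching installer" string sits beside the CreateProcess relaunch), so a match here explains why the report raised those signatures rather than proving malicious intent; the installer's payload, not the stub, is what still needs inspection.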
              APIs
              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402358
              • lstrlenA.KERNEL32(0040A398,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402378
              • RegSetValueExA.ADVAPI32(?,?,?,?,0040A398,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B1
              • RegCloseKey.ADVAPI32(?,?,?,0040A398,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040248E
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CloseCreateValuelstrlen
              • String ID:
              • API String ID: 1356686001-0
              • Opcode ID: 5e693f3d9e7b741cdf9ea44cab5545e1dd95195cd1b4dfe7724add09a22c1e66
              • Instruction ID: 496afd6724d83472fd7aeeeeb6c9636b40b67d15b6efd44fac0fbba193c6cb19
              • Opcode Fuzzy Hash: 5e693f3d9e7b741cdf9ea44cab5545e1dd95195cd1b4dfe7724add09a22c1e66
              • Instruction Fuzzy Hash: 40116071E00208BEEB10EFB5CE89EAF7A78EB44358F10403AF905B61D1D6B85D419A69
              APIs
                • Part of subcall function 004056BD: CharNextA.USER32(?,?,007A0100,?,00405729,007A0100,007A0100,?,?,75923410,00405474,?,C:\Users\user\AppData\Local\Temp\,75923410,00000000), ref: 004056CB
                • Part of subcall function 004056BD: CharNextA.USER32(00000000), ref: 004056D0
                • Part of subcall function 004056BD: CharNextA.USER32(00000000), ref: 004056E4
              • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
              • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
              • SetCurrentDirectoryA.KERNEL32(00000000,007A8800,00000000,00000000,000000F0), ref: 00401622
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
              • String ID:
              • API String ID: 3751793516-0
              • Opcode ID: e118064044a600f7a7b96e15b728bb44457af851d1526a60e40b802bef7a032a
              • Instruction ID: be2e729169105f21f0136a8afe605fb55404e4043758c9297c14daf22ca337c6
              • Opcode Fuzzy Hash: e118064044a600f7a7b96e15b728bb44457af851d1526a60e40b802bef7a032a
              • Instruction Fuzzy Hash: A7114831908150ABDB213F755D04EBF77B4EE56366724073FF492B22E2C63C09429A2E
              APIs
              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
              • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                • Part of subcall function 00405AD5: wsprintfA.USER32 ref: 00405AE2
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
              • String ID:
              • API String ID: 1404258612-0
              • Opcode ID: 8dfb373d46bd70ea73ae3966ad25f80cbb65e2499764b4783afd86685f1e7734
              • Instruction ID: d9cf4706ccd720fe68a9057b37b388a6d3cc99dc36037c8cf20abe177969b22e
              • Opcode Fuzzy Hash: 8dfb373d46bd70ea73ae3966ad25f80cbb65e2499764b4783afd86685f1e7734
              • Instruction Fuzzy Hash: 02117071900108BEDB01EFA5DD81DAEBBB9EF04344B20807AF505F61E2D7789E54DB28
              APIs
              • DestroyWindow.USER32(00000000,00000000,00402DAF,00000001), ref: 00402BE2
              • GetTickCount.KERNEL32 ref: 00402C00
              • CreateDialogParamA.USER32(0000006F,00000000,00402B4C,00000000), ref: 00402C1D
              • ShowWindow.USER32(00000000,00000005), ref: 00402C2B
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Window$CountCreateDestroyDialogParamShowTick
              • String ID:
              • API String ID: 2102729457-0
              • Opcode ID: 7de69ba99e19708d0d579c18d4dfd725f7e56dba20af062519453b561e00e44c
              • Instruction ID: d1c4e1838bfb856cd6d3ea9dd85ee240d54de3540c59ddf7a57925f8cf4fbe18
              • Opcode Fuzzy Hash: 7de69ba99e19708d0d579c18d4dfd725f7e56dba20af062519453b561e00e44c
              • Instruction Fuzzy Hash: 52F0D030909620BFC6616F18BD4CE5F7BA4E745B117518467F204A11A5D27CA8838FAD
              APIs
              • SetWindowTextA.USER32(00000000,007A1F00), ref: 0040397F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: TextWindow
              • String ID: "C:\Users\user\Desktop\4NsDuAp8TA.exe"$C:\Users\user\AppData\Local\Temp\nsi56C.tmp
              • API String ID: 530164218-3123412644
              • Opcode ID: 25d9b52c00bc6c780318a8bb18bdb4372ba541c453f9d771c50e3bd4cd5310d4
              • Instruction ID: 3eeb35b712935f7be9db67fea1ba5421606f6b55dcd8c4013f5d2095cba695b6
              • Opcode Fuzzy Hash: 25d9b52c00bc6c780318a8bb18bdb4372ba541c453f9d771c50e3bd4cd5310d4
              • Instruction Fuzzy Hash: 121108B1B046009BC721AF19CC809333BADEBC6756318823FED01673A1D77D9D028B68
              APIs
              • IsWindowVisible.USER32(?), ref: 00404E27
              • CallWindowProcA.USER32(?,?,?,?), ref: 00404E78
                • Part of subcall function 00403ED3: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403EE5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              • Opcode ID: 526848415f932e083bf7b3d36508f4b1bda904cbcea418d5975b356f5bc0ad6e
              • Instruction ID: 7d65f4a0b806027d78491f0c636345f1b5379c259f2f3d92d144b4497ee353ee
              • Opcode Fuzzy Hash: 526848415f932e083bf7b3d36508f4b1bda904cbcea418d5975b356f5bc0ad6e
              • Instruction Fuzzy Hash: 600184B1500208ABDF219F21ED80EAB3726F7C5755F204137FB04761D1C7799C5196AA
              APIs
              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007A0500,Error launching installer), ref: 0040536C
              • CloseHandle.KERNEL32(?), ref: 00405379
              Strings
              • Error launching installer, xrefs: 0040535A
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID: Error launching installer
              • API String ID: 3712363035-66219284
              • Opcode ID: 788b6a00b7ec5152489f9dc894b393f1b4e1631423b852db40bb4005bf856efe
              • Instruction ID: f3300c01cb1876a67fd1897e7389f13c8369481b1b26804573fe4f9c45dca3ad
              • Opcode Fuzzy Hash: 788b6a00b7ec5152489f9dc894b393f1b4e1631423b852db40bb4005bf856efe
              • Instruction Fuzzy Hash: 22E0ECB4900209AFDB009F64DC09E6F7BBCFB00344F40CA21BD11E2150F778E9108AA9
              APIs
              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75923410,00403565,004033A9,?), ref: 004035A7
              • GlobalFree.KERNEL32(?), ref: 004035AE
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040359F
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: Free$GlobalLibrary
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 1100898210-823278215
              • Opcode ID: a867077822133ff692d23af0c54fa15bc8068d047174f32ce19527d60d8a5524
              • Instruction ID: 25ceb6f6e8048fd8c7c72bafa6746df7c9a9eea5615397dbd2628d9726c916a8
              • Opcode Fuzzy Hash: a867077822133ff692d23af0c54fa15bc8068d047174f32ce19527d60d8a5524
              • Instruction Fuzzy Hash: 6EE08C32805020ABC6215F14AD0471AB6686B89B22F01406BE9407B2A087B8AD428BD8
              APIs
              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9F,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4NsDuAp8TA.exe,C:\Users\user\Desktop\4NsDuAp8TA.exe,80000000,00000003), ref: 00405671
              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9F,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\4NsDuAp8TA.exe,C:\Users\user\Desktop\4NsDuAp8TA.exe,80000000,00000003), ref: 0040567F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: CharPrevlstrlen
              • String ID: C:\Users\user\Desktop
              • API String ID: 2709904686-1246513382
              • Opcode ID: 34a4f8c708b27f6946e7134e7721e231f8b12887e9b4f023f0af0bef71a59494
              • Instruction ID: 066a61083934c2e15797617eaf2660ffc2c94803564b26df0c9315ada1aa8723
              • Opcode Fuzzy Hash: 34a4f8c708b27f6946e7134e7721e231f8b12887e9b4f023f0af0bef71a59494
              • Instruction Fuzzy Hash: 38D0A762409D702EF30352108C04BEF6A88CF12300F0904A2E440E21D0C2781C418BED
              APIs
              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,0040599C,00000000,[Rename]), ref: 0040579A
              • lstrcmpiA.KERNEL32(?,?), ref: 004057B2
              • CharNextA.USER32(?,?,00000000,0040599C,00000000,[Rename]), ref: 004057C3
              • lstrlenA.KERNEL32(?,?,00000000,0040599C,00000000,[Rename]), ref: 004057CC
              Memory Dump Source
              • Source File: 00000000.00000002.2044721183.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
               • Associated: 00000000.00000002.2044704620.0000000000400000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044734705.0000000000407000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000409000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.0000000000795000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044748829.00000000007A8000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.2044899114.00000000007BF000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_4NsDuAp8TA.jbxd
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 4d6aa7fcecb591248e5394db533e431d238a5c46998e6b160d14a30e062bce79
              • Instruction ID: df48b93824ef6af08d299fa443af8079e3e9d2208639ace1cb57769ac35cd01d
              • Opcode Fuzzy Hash: 4d6aa7fcecb591248e5394db533e431d238a5c46998e6b160d14a30e062bce79
              • Instruction Fuzzy Hash: DBF0C235504518FFC7029BA5DC4099FBBB8EF45350F2540AAF800F7210D274EE01ABA9