Windows Analysis Report
yUgCaQhCIc.exe

Overview

General Information

Sample name:yUgCaQhCIc.exe
renamed because original name is a hash value
Original sample name:virussign.com_5da47991f8da648663063560b0182040.exe
Analysis ID:1638022
MD5:5da47991f8da648663063560b0182040
SHA1:a23ba563cd76be2e6324733fd93725365e1af593
SHA256:faa5c705f7a92dbc2bedd76bb8eb4f0f002389d16d1362ebee36eeffcf969a87
Tags: adware, exe, user-2huMarisa

Detection

Score:60
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious PE digital signature
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
PE / OLE file has an invalid certificate
Uses 32bit PE files

Classification

Classification legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious (this sample: score 60, tagged adware)
  • System is w10x64
  • yUgCaQhCIc.exe (PID: 8024 cmdline: "C:\Users\user\Desktop\yUgCaQhCIc.exe" MD5: 5DA47991F8DA648663063560B0182040)
    • chrome.exe (PID: 7380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 6880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 6848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: yUgCaQhCIc.exe; Avira: detected
Source: yUgCaQhCIc.exe; Virustotal: Detection: 65%
Source: yUgCaQhCIc.exe; ReversingLabs: Detection: 68%
Source: yUgCaQhCIc.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_00405D07 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_0040263E FindFirstFileA
Source: unknown; TCP traffic detected without corresponding DNS query (50 entries, grouped by destination; "unknown" means the sandbox recorded no owning process for the socket):
  20.189.173.14 (4 connections)
  204.79.197.203 (1 connection)
  2.23.227.208 (1 connection)
  150.171.27.254 (20 connections)
  150.171.31.254 (20 connections)
  204.79.197.222 (4 connections)
None of these addresses appears in the sample's strings. Before treating them as sample infrastructure, compare them with the background traffic of the analysis VM (Windows and Chrome both talk to fixed addresses without a preceding DNS query).
Source: global traffic; DNS traffic detected: DNS query: download.toggle.com
Source: global traffic; DNS traffic detected: DNS query: pf.toggle.com
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic; DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic; DNS traffic detected: DNS query: beacons2.gvt2.com
Source: global traffic; DNS traffic detected: DNS query: beacons3.gvt2.com
Only download.toggle.com and pf.toggle.com occur in the sample's strings; the google.com and gvt2.com lookups belong to the Chrome instance the sample launched.
Source: yUgCaQhCIc.exe; String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: yUgCaQhCIc.exe; String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: yUgCaQhCIc.exe; String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: yUgCaQhCIc.exe; String found in binary or memory: http://download.toggle.com/installers/extra_software/dealply/dealply.exe
Source: yUgCaQhCIc.exe; String found in binary or memory: http://download.toggle.com/installers/nsis/
Source: yUgCaQhCIc.exe; String found in binary or memory: http://download.toggle.com/installers/toolbar/
Source: yUgCaQhCIc.exe; String found in binary or memory: http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1
Source: yUgCaQhCIc.exe; String found in binary or memory: http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1255Set
Source: yUgCaQhCIc.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yUgCaQhCIc.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: yUgCaQhCIc.exe; String found in binary or memory: http://ocsp.thawte.com0
Source: yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/
Source: yUgCaQhCIc.exe; String found in binary or memory: http://pf.toggle.com/img_en_248567_
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gif
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifD
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifFGIq
Source: yUgCaQhCIc.exe; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe
Source: yUgCaQhCIc.exe; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621
Source: yUgCaQhCIc.exe; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519:.
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519P-
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519j
Source: yUgCaQhCIc.exe; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621save:
Source: yUgCaQhCIc.exe; String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exeDownload
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulaField
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.coupish.com/terms.php
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.coupish.com/terms.phpof
Source: yUgCaQhCIc.exe, show_page_toolbar.0.dr; String found in binary or memory: http://www.dealply.com/terms/
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.dealply.com/terms/Field
Source: yUgCaQhCIc.exe, show_page_toolbar.0.dr; String found in binary or memory: http://www.funmoods.com/privacy
Source: yUgCaQhCIc.exe, show_page_toolbar.0.dr; String found in binary or memory: http://www.funmoods.com/terms
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.funmoods.com/termshttp://www.funmoods.com/privacyBy
Source: yUgCaQhCIc.exe; String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Trailing characters such as "0", "Error", "Field", "of", "D" and ":." are bytes adjacent to the URL in the scanned memory, not part of the URL. The EULA and terms links (Babylon toolbar, Coupish, DealPly, Funmoods), the Toggle toolbar and dealply.exe installer paths, and the OpenSearch/Mozilla search namespaces identify the offers this download wrapper bundles around the advertised nero-burning-rom.exe; show_page_toolbar.0.dr is a file the sample dropped. The thawte.com CRL and OCSP URLs come from the certificate chain embedded in the Authenticode signature, and the "2012102621" value in the URLs is the build stamp of the wrapper, which is consistent with the signature being reported as invalid today.
Source: unknown; Network traffic detected: HTTP traffic on port 443 (101 entries collapsed; the sandbox logs each direction of a connection separately). Local ephemeral ports seen: 49672, 49675, 49676, 49678, 58503-58506, 58517, 58522, 58526, 58546, 58547, 58552-58577, 58580-58582, 58589-58596, 58606, 58607.
Port 443 sessions are TLS, so only connection metadata is visible here, not the requests inside. The sample's own download and banner URLs are plain http://, so these sessions are most plausibly Chrome's, and the entries add nothing to the sample's indicators on their own.
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Both functions are the stock NSIS installer stub (the binary carries the http://nsis.sf.net/NSIS_Error string and drops ns*.tmp files). 0_2_00404EE8 is the stub's details page: the popup menu copies the install log to the clipboard, and the API sequence writes the clipboard (EmptyClipboard, SetClipboardData) rather than reading it, so the "read data from the clipboard" signature is triggered by clipboard access, not by data theft. 0_2_004030FA is the stub entry point (#17 is an import by ordinal); its ExitWindowsEx call is the reboot-if-requested path behind the "shutdown / reboot" signature. Neither function is sample-specific logic.
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\scoped_dir7380_1397110669
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File deleted: C:\Windows\SystemTemp\scoped_dir7380_1397110669
Both events are Chrome's own scoped temporary directory (the 7380 in the name is Chrome's PID), created and removed by the browser. They are what triggers the "Creates files inside the system directory" and "Deletes files inside the Windows folder" signatures; the sample itself did not write to the Windows folder.
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_00406128
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_004046F9
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_004068FF
Source: yUgCaQhCIc.exe; Static PE information: invalid certificate
Source: yUgCaQhCIc.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine; Classification label: mal60.winEXE@26/10@57/2
"Invalid certificate" does not say why the Authenticode signature fails: an expired or revoked signer, an untrusted chain, or a file hash that no longer matches the signed hash all produce it, and only the last one indicates tampering. The embedded chain points at Thawte (see the crl.thawte.com and ocsp.thawte.com strings). To tell the cases apart, re-check the file with Get-AuthenticodeSignature in PowerShell or signtool verify /pa /v and read the status reason.
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; File created: C:\Users\user\AppData\Local\Temp\nsr39C1.tmp
Source: yUgCaQhCIc.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
nsr39C1.tmp follows the ns????.tmp naming NSIS uses for its per-run plugin directory in %TEMP%, and 0_2_004041FC is the stub's directory-selection page (SHBrowseForFolderA plus a free-space check). The Safer\CodeIdentifiers key is the Software Restriction Policy location that Windows consults when a process launches another; reading it is expected for any installer and is not by itself a policy-evasion indicator.
Source: yUgCaQhCIc.exe; String found in binary or memory: \Toolbar_Toggle.exehttp://download.toggle.com/installers/toolbar/
Source: yUgCaQhCIc.exe; String found in binary or memory: .exehttp://download.toggle.com/installers/extra_software/dealply/dealply.exe comand line fordealply:
These two strings (the other strings and the VirusTotal/ReversingLabs results repeated here appear above) name the two secondary installers the wrapper can fetch from download.toggle.com: a Toggle toolbar (Toolbar_Toggle.exe) and DealPly (dealply.exe, launched with its own command line). Neither ran during this analysis; the process tree shows Chrome as the sample's only child.
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; File read: C:\Users\user\Desktop\yUgCaQhCIc.exe
Source: unknown; Process created: C:\Users\user\Desktop\yUgCaQhCIc.exe "C:\Users\user\Desktop\yUgCaQhCIc.exe"
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown (18 further Chrome child processes whose command lines the sandbox did not capture; the Chrome launch lines above were listed up to three times in the export and are collapsed here)
The sample's only child is Chrome, started by explicit path with --single-argument and a URL whose path is an .exe: the wrapper delegates the download of the advertised payload (nero-burning-rom.exe) to the browser instead of fetching it itself. Because the URL is plain http://, nothing protects the integrity of that download in transit. The spread of Chrome helper processes below it (network service, print backend, and the uncaptured ones) is normal for a Chrome launch and is not sample behaviour.
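Worked example (added here; it is not part of the Joe Sandbox report and not the sandbox's own detection logic): a Python triage script that parses "Process created" lines in the format above and flags a browser being launched by a non-browser parent with a URL whose path names an executable, which is the hand-off pattern this sample shows. The sample events are the report's own lines with a space inserted between the fields, plus one benign explorer.exe event invented as a control. The browser list, the executable-extension list, the user-writable-path pattern and the decoding of the "t=" query parameter as a Unix timestamp are the example's own assumptions, not facts stated by the report.

```python
"""Triage helper for "Process created" lines in the format used by this report.

It flags a browser being launched by a non-browser parent with a URL whose
path names an executable, which is how this installer hands the real download
to Chrome.  Added example; it is not part of the Joe Sandbox report.
"""
import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: the report's own "Process created" lines with a space
# put between the fields (the export runs them together), plus one benign
# explorer.exe -> chrome.exe event invented as a control.
SAMPLE_EVENTS = [
    'Source: unknown Process created: C:\\Users\\user\\Desktop\\yUgCaQhCIc.exe '
    '"C:\\Users\\user\\Desktop\\yUgCaQhCIc.exe"',
    'Source: C:\\Users\\user\\Desktop\\yUgCaQhCIc.exe Process created: '
    'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe '
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --start-maximized '
    '--single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe'
    '?iv=2012102621&t=1741918519',
    'Source: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe Process created: '
    'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe '
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=utility '
    '--utility-sub-type=network.mojom.NetworkService --lang=en-US',
    'Source: C:\\Windows\\explorer.exe Process created: '
    'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe '
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://www.example.com/',
]

EVENT_RE = re.compile(
    r'^Source: (?P<parent>.*?) Process created: (?P<image>.*?\.exe) (?P<cmdline>".*)$', re.I)
URL_RE = re.compile(r'https?://[^\s"]+', re.I)
# Assumed lists; extend them for the browsers and script hosts in your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
EXEC_EXT = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    parent: str
    browser: str
    url: str
    host: str
    link_time: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Optional[Event]:
    """One report line -> Event, or None when the line is not a process-creation record."""
    m = EVENT_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def decode_link_time(url: str) -> Optional[str]:
    """Download links of this kind often carry a Unix timestamp (here 't=');
    decode it as UTC when it looks like epoch seconds so it can be timelined."""
    for value in parse_qs(urlparse(url).query).get("t", []):
        if value.isdigit() and 10**9 <= int(value) < 10**10:
            return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()
    return None


def analyse(events) -> List[Finding]:
    """Flag browser launches by a non-browser parent whose URL path names an executable."""
    findings = []
    for ev in filter(None, map(parse_event, events)):
        child = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent).lower()
        # A browser spawning its own helper processes is normal; skip those.
        if child not in BROWSERS or parent in BROWSERS:
            continue
        for url in URL_RE.findall(ev.cmdline):
            parsed = urlparse(url)
            if not parsed.path.lower().endswith(EXEC_EXT):
                continue
            reasons = ["browser launched to fetch a remote executable"]
            if parsed.scheme.lower() == "http":
                reasons.append("cleartext http: the payload has no transport integrity")
            if USER_WRITABLE.search(ev.parent):
                reasons.append("parent runs from a user-writable directory")
            findings.append(Finding(ev.parent, child, url, parsed.hostname,
                                    decode_link_time(url), reasons))
    return findings


def iocs(findings: List[Finding]) -> List[str]:
    """Hosts to block or hunt for, deduplicated."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.parent} -> {f.browser}: {f.url}")
        print(f"  host={f.host} link_time={f.link_time}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the sample events, only the installer-to-Chrome launch is reported: host pf.toggle.com, three aggravating reasons, and the link's t= value decoded to 2025-03-14T02:15:19 UTC, which places the download link within the analysis window rather than in 2012 like the iv= build stamp. The same parser can be pointed at Sysmon event 1 or EDR process-creation exports once the line format is adapted.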
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: napinsp.dll (loaded 3 times)
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: pnrpnsp.dll (loaded 2 times)
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: wshbth.dll (loaded 2 times)
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: nlaapi.dll (loaded 2 times)
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: winrnr.dll (loaded 2 times)
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: riched20.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: usp10.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: msls31.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: wintypes.dll (loaded 3 times)
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe; Section loaded: textshaping.dll
The repeated loads are the Winsock name-space providers (napinsp, pnrpnsp, wshbth, nlaapi, winrnr) that the resolver pulls in on each getaddrinfo call, together with mswsock, dnsapi and iphlpapi; they show the installer resolving names itself, consistent with the pf.toggle.com banner URL held in its memory. riched20, usp10 and msls31 are the rich-edit control behind the installer's license page. No injection or unusual module is among the loads.
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: mlang.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeFile written: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\ioSpecial.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\yUgCaQhCIc.exeCode function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405D2E

Persistence and Installation Behavior

Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple critical red flags: 1) Certificate is expired since 2013, over 12 years ago from current date (March 2025). 2) Signature is explicitly marked as invalid with validation errors. 3) Compilation timestamp (Dec 2009) predates the certificate's validity period (Jan 2012), suggesting potential timestamp manipulation. 4) While Thawte is a known CA, 'Inffinity Internet' appears suspicious due to the misspelling of 'Infinity' and lacks corporate legitimacy. 5) The significant time gaps between compilation (2009), certification (2012-2013), and current date (2025), together with an invalid signature, strongly suggest certificate abuse or forgery. The only slightly mitigating factor is that the country (Spain) is not typically associated with high-risk regions.
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Code function: 0_2_00405D07 FindFirstFileA,FindClose,0_2_00405D07
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405331
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll741918519
Source: yUgCaQhCIc.exe, 00000000.00000003.1399102984.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | API call chain: ExitProcess graph end node graph_0-3191
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405D2E
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe | Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405A2E
MITRE ATT&CK Matrix (techniques matched by one or more signatures carry the signature count in parentheses; the rest are unmatched matrix cells)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Command and Scripting Interpreter (2), Native API (1), At, Cron
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook
Defense Evasion: Masquerading (1), Process Injection (11), DLL Side-Loading (1), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: Security Software Discovery (1), File and Directory Discovery (3), System Information Discovery (3), System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture
Command and Control: Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (2), Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction
Behavior Graph (ID: 1638022, Sample: yUgCaQhCIc.exe, Start date: 14/03/2025, Architecture: WINDOWS, Score: 60). The rendered graph is not reproduced here; its nodes and edges are:

  • Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; AI detected suspicious PE digital signature
  • Contacted hosts: pf.toggle.com, download.toggle.com, 5 other IPs or domains
  • yUgCaQhCIc.exe started; dropped C:\Users\user\AppData\Local\...\inetc.dll (PE32), C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32) and 4 other files (none is malicious)
  • chrome.exe started by yUgCaQhCIc.exe; traffic to 192.168.2.5 (ports 138, 443, 49454); starts two further chrome.exe processes
  • Child chrome.exe: www.google.com 216.58.212.164, port 443 (GOOGLEUS, United States), pf.toggle.com, 7 other IPs or domains

Source | Detection | Scanner | Label
yUgCaQhCIc.exe | 66% | Virustotal |
yUgCaQhCIc.exe | 68% | ReversingLabs | Win32.Adware.Coupish
yUgCaQhCIc.exe | 100% | Avira | ADWARE/Adware.Gen4

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.dealply.com/terms/Field | 0% | Avira URL Cloud | safe
http://www.dealply.com/terms/ | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621 | 0% | Avira URL Cloud | safe
http://download.toggle.com/installers/nsis/ | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519:. | 0% | Avira URL Cloud | safe
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifD | 0% | Avira URL Cloud | safe
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1 | 0% | Avira URL Cloud | safe
http://download.toggle.com/installers/toolbar/ | 0% | Avira URL Cloud | safe
http://pf.toggle.com/ | 0% | Avira URL Cloud | safe
http://download.toggle.com/installers/extra_software/dealply/dealply.exe | 0% | Avira URL Cloud | safe
http://www.funmoods.com/privacy | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe | 0% | Avira URL Cloud | safe
http://pf.toggle.com/img_en_248567_ | 0% | Avira URL Cloud | safe
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519 | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621save: | 0% | Avira URL Cloud | safe
http://www.funmoods.com/terms | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t= | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519P- | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519j | 0% | Avira URL Cloud | safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exeDownload | 0% | Avira URL Cloud | safe
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1255Set | 0% | Avira URL Cloud | safe
http://www.coupish.com/terms.phpof | 0% | Avira URL Cloud | safe
http://www.funmoods.com/termshttp://www.funmoods.com/privacyBy | 0% | Avira URL Cloud | safe
http://www.coupish.com/terms.php | 0% | Avira URL Cloud | safe
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gif | 0% | Avira URL Cloud | safe
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifFGIq | 0% | Avira URL Cloud | safe
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulaField | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
beacons3.gvt2.com | 142.250.186.35 | true | false | | high
google.com | 142.250.185.78 | true | false | | high
beacons-handoff.gcp.gvt2.com | 142.251.143.67 | true | false | | high
www.google.com | 216.58.212.164 | true | false | | high
beacons2.gvt2.com | 216.239.32.3 | true | false | | high
beacons.gvt2.com | 142.250.180.99 | true | false | | high
beacons6.gvt2.com | 216.58.206.35 | true | false | | high
download.toggle.com | unknown | unknown | false | | unknown
beacons.gcp.gvt2.com | unknown | unknown | false | | high
pf.toggle.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://pf.toggle.com/ | yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dealply.com/terms/Field | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | yUgCaQhCIc.exe | false | | high
http://www.dealply.com/terms/ | yUgCaQhCIc.exe, show_page_toolbar.0.dr | false | Avira URL Cloud: safe | unknown
http://download.toggle.com/installers/extra_software/dealply/dealply.exe | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1 | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621 | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://download.toggle.com/installers/toolbar/ | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519:. | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | yUgCaQhCIc.exe | false | | high
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifD | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://download.toggle.com/installers/nsis/ | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://www.funmoods.com/privacy | yUgCaQhCIc.exe, show_page_toolbar.0.dr | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | yUgCaQhCIc.exe | false | | high
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0 | yUgCaQhCIc.exe | false | | high
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621save: | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519 | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawtePCA.crl0 | yUgCaQhCIc.exe | false | | high
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519P- | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://a9.com/-/spec/opensearch/1.1/ | yUgCaQhCIc.exe | false | | high
http://pf.toggle.com/img_en_248567_ | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t= | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://www.funmoods.com/terms | yUgCaQhCIc.exe, show_page_toolbar.0.dr | false | Avira URL Cloud: safe | unknown
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519j | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exeDownload | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://www.funmoods.com/termshttp://www.funmoods.com/privacyBy | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1255Set | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gif | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.coupish.com/terms.php | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://www.coupish.com/terms.phpof | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulaField | yUgCaQhCIc.exe | false | Avira URL Cloud: safe | unknown
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifFGIq | yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
216.58.212.164 | www.google.com | United States | 15169 | GOOGLEUS | false

Private IP
192.168.2.5
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1638022
Start date and time: 2025-03-14 03:14:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yUgCaQhCIc.exe (renamed because the original name is a hash value)
Original Sample Name: virussign.com_5da47991f8da648663063560b0182040.exe
Detection: MAL
Classification: mal60.winEXE@26/10@57/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 37
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.206, 142.250.184.227, 142.250.185.142, 74.125.133.84, 216.58.206.67, 74.125.206.84, 216.58.206.78, 142.250.186.46
• Excluded domains from analysis (whitelisted): clients1.google.com, ev2-ring.msedge.net, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, g.bing.com, fe3cr.delivery.mp.microsoft.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                  No simulations
                                  No context
                                  • 142.250.185.132
                                  http://learn-docs-trazure.github.io/Get hashmaliciousUnknownBrowse
                                  • 142.250.186.132
                                  https://metamskflowgin.webflow.io/Get hashmaliciousUnknownBrowse
                                  • 142.250.186.164
                                  https://app--secure-blockfi-cdnn.webflow.io/Get hashmaliciousUnknownBrowse
                                  • 142.250.181.228
                                  beacons2.gvt2.comDioxide.exeGet hashmaliciousUnknownBrowse
                                  • 172.217.168.35
                                  http://marina84.com/food/Get hashmaliciousUnknownBrowse
                                  • 172.217.19.163
                                  http://allstarteventsmiami.comGet hashmaliciousUnknownBrowse
                                  • 216.58.209.195
                                  http://lookerstudio%2e%67%6f%6f%67%6c%65%2e%63%6f%6d/s/tVpHSqKmotAGet hashmaliciousHTMLPhisherBrowse
                                  • 172.217.0.163
                                  https://steanmrcommunity.com/1052917516Get hashmaliciousUnknownBrowse
                                  • 142.250.192.3
                                  https://sites.google.com/view/sysgfdgsfghgfdvvbffdv-hgfdcfb/homeGet hashmaliciousUnknownBrowse
                                  • 216.239.32.3
                                  http://app.plangrid.com/projects/bcb97291-5564-5612-9970-d1b139dcb62d/staple/b1fc2804-67d4-470e-9780-d2d4344b3b93Get hashmaliciousUnknownBrowse
                                  • 216.239.32.3
                                  http://insprocks.com/Insprock289.exeGet hashmaliciousUnknownBrowse
                                  • 172.253.124.94
                                  https://t.co/E2W9evnxEDGet hashmaliciousHTMLPhisherBrowse
                                  • 64.233.168.94
                                  SecuriteInfo.com.FileRepMalware.26489.28570.exeGet hashmaliciousUnknownBrowse
                                  • 216.239.32.3
                                  No context
                                  No context
                                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                  Match: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll
                                    Sample: CANTest_Setup_V2.70.exe | Detection: malicious | Threat: Unknown
                                    Sample: WinPEU.exe | Detection: malicious | Threat: Unknown
                                    Sample: WhiteDefenderSetup64_20201118.exe | Detection: malicious | Threat: GuLoader
                                    Sample: WhiteDefenderSetup64_20201118.exe | Detection: malicious | Threat: GuLoader
                                    Sample: SecuriteInfo.com.FileRepMalware.20128.24359.exe | Detection: malicious | Threat: Unknown
                                    Sample: SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe | Detection: malicious | Threat: Unknown
                                    Sample: ExeFile (207).exe | Detection: malicious | Threat: Unknown
                                    Sample: ClientSetup.exe | Detection: malicious | Threat: Unknown
                                    Sample: ClientSetup.exe | Detection: malicious | Threat: Unknown
                                    Sample: Unlocker1.9.2.exe | Detection: malicious | Threat: Unknown
                                  Match: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll
                                    Sample: Cursor Commander.exe | Detection: malicious | Threat: Unknown
                                    Sample: Advanced.Installer-15.9.exe | Detection: malicious | Threat: Unknown
                                    Sample: 29#Uff09.exe | Detection: malicious | Threat: Unknown
                                    Sample: myDHSBbmiQ30XWiQsvEZBgkKPOQqbPoH.exe | Detection: malicious | Threat: Unknown
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):4096
                                                              Entropy (8bit):3.904876158695173
                                                              Encrypted:false
                                                              SSDEEP:48:qnMpjVitCGEuR+BrUtDQbfwz3Aa3MAAZHMAAJb/Jb9W/Boj:zAwDlUSbIz3Aa33AZH3A5BZW/Boj
                                                              MD5:71C46B663BAA92AD941388D082AF97E7
                                                              SHA1:5A9FCCE065366A526D75CC5DED9AADE7CADD6421
                                                              SHA-256:BB2B9C272B8B66BC1B414675C2ACBA7AFAD03FFF66A63BABEE3EE57ED163D19E
                                                              SHA-512:5965BD3F5369B9A1ED641C479F7B8A14AF27700D0C27D482AA8EB62ACC42F7B702B5947D82F9791B29BCBA4D46E1409244F0A8DDCE4EC75022B5E27F6D671BCE
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Joe Sandbox View:
                                                              • Filename: Cursor Commander.exe, Detection: malicious
                                                              • Filename: Advanced.Installer-15.9.exe, Detection: malicious
                                                              • Filename: 29#Uff09.exe, Detection: malicious
                                                              • Filename: myDHSBbmiQ30XWiQsvEZBgkKPOQqbPoH.exe, Detection: malicious
                                                              Reputation:low
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x...x...x...x...x...g...x..)g...x..)g...x..Rich.x..........................PE..L...KThF...........!................Q........ ...............................P......................................."..W...p ..d............................@....................................................... ..p............................text............................... ..`.rdata..G.... ......................@..@.data...P....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):14848
                                                              Entropy (8bit):5.550299117674118
                                                              Encrypted:false
                                                              SSDEEP:192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
                                                              MD5:325B008AEC81E5AAA57096F05D4212B5
                                                              SHA1:27A2D89747A20305B6518438EFF5B9F57F7DF5C3
                                                              SHA-256:C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
                                                              SHA-512:18362B3AEE529A27E85CC087627ECF6E2D21196D725F499C4A185CB3A380999F43FF1833A8EBEC3F5BA1D3A113EF83185770E663854121F2D8B885790115AFDF
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Joe Sandbox View:
                                                              • Filename: CANTest_Setup_V2.70.exe, Detection: malicious
                                                              • Filename: WinPEU.exe, Detection: malicious
                                                              • Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious
                                                              • Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious
                                                              • Filename: SecuriteInfo.com.FileRepMalware.20128.24359.exe, Detection: malicious
                                                              • Filename: SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe, Detection: malicious
                                                              • Filename: ExeFile (207).exe, Detection: malicious
                                                              • Filename: ClientSetup.exe, Detection: malicious
                                                              • Filename: ClientSetup.exe, Detection: malicious
                                                              • Filename: Unlocker1.9.2.exe, Detection: malicious
                                                              Reputation:moderate, very likely benign file
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p..q.,.q.,.q.,.q.,@q.,.~C,.q.,\R.,.q.,\R/,.q.,.w.,.q.,.Q.,.q.,Rich.q.,........................PE..L......K...........!.........<.......).......0.......................................................................8..p...81.......p..........................@....................................................0..8............................text...@........................... ..`.rdata.......0....... ..............@..@.data... (...@.......*..............@....rsrc........p.......2..............@..@.reloc...............4..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):5632
                                                              Entropy (8bit):3.951555564830228
                                                              Encrypted:false
                                                              SSDEEP:48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
                                                              MD5:9384F4007C492D4FA040924F31C00166
                                                              SHA1:ABA37FAEF30D7C445584C688A0B5638F5DB31C7B
                                                              SHA-256:60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
                                                              SHA-512:68F158887E24302673227ADFFC688FD3EDABF097D7F5410F983E06C6B9C7344CA1D8A45C7FA05553ADCC5987993DF3A298763477168D4842E554C4EB93B9AAAF
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Reputation:moderate, very likely benign file
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................~..........z.....B....Rich..........PE..L......K...........!......................... ...............................`......................................p"..I...` ..P....@..`....................P....................................................... ..`............................text...l........................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc...`....@......................@..@.reloc..@....P......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):14848
                                                              Entropy (8bit):6.054982561433298
                                                              Encrypted:false
                                                              SSDEEP:192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go
                                                              MD5:A5F8399A743AB7F9C88C645C35B1EBB5
                                                              SHA1:168F3C158913B0367BF79FA413357FBE97018191
                                                              SHA-256:DACC88A12D3BA438FDAE3535DC7A5A1D389BCE13ADC993706424874A782E51C9
                                                              SHA-512:824E567F5211BF09C7912537C7836D761B0934207612808E9A191F980375C6A97383DBC6B4A7121C6B5F508CBFD7542A781D6B6B196CA24841F73892EEC5E977
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............lI..lI..lI..bI..lI..mI..lI\.1I..lI.\I..lI.]I..lI`.hI..lIRich..lI........................PE..L......K...........!.....&...p.......".......@.......................................................................D.._....@..d....................................................................................@...............................text....$.......&.................. ..`.rdata.......@.......*..............@..@.data....d...P.......0..............@....reloc..D............6..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):11264
                                                              Entropy (8bit):5.568877095847681
                                                              Encrypted:false
                                                              SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
                                                              MD5:C17103AE9072A06DA581DEC998343FC1
                                                              SHA1:B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
                                                              SHA-256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
                                                              SHA-512:D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):17408
                                                              Entropy (8bit):6.099808235627472
                                                              Encrypted:false
                                                              SSDEEP:384:w9JzaeWrF8d22hXAGFkr2WqErkuCYMAWS5Ns8AXXki:wLaBrrTXr3qruCYuS5qk
                                                              MD5:09CAF01BC8D88EEB733ABC161ACFF659
                                                              SHA1:B8C2126D641F88628C632DD2259686DA3776A6DA
                                                              SHA-256:3555AFE95E8BB269240A21520361677B280562B802978FCCFB27490C79B9A478
                                                              SHA-512:EF1E8FC4FC8F5609483B2C459D00A47036699DFB70B6BE6F10A30C5D2FC66BAE174345BFFA9A44ABD9CA029E609FF834D701FF6A769CCA09FE5562365D5010FA
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EH.".)lq.)lq.)lq.)mqP)lq.!1q.)lqU.]q.)lq./jq.)lq..hq.)lqRich.)lq........................PE..L....YzI...........!.....4...........:.......P......................................................................@B..J....:..x....`.......................p..........................................................P............................text....3.......4.................. ..`.data...8....P.......8..............@....rsrc........`.......<..............@..@.reloc.......p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):20480
                                                              Entropy (8bit):5.684576361538191
                                                              Encrypted:false
                                                              SSDEEP:384:jQB2ZUVHUxgoJX0eBA6PcH85db+ya9cC0Ac9khYLMkIX0+G5xgZmT+m//a:j/UFeJ5S6PHLNa9cFam/
                                                              MD5:50FDADDA3E993688401F6F1108FABDB4
                                                              SHA1:04A9AE55D0FB726BE49809582CEA41D75BF22A9A
                                                              SHA-256:6D6DDC0D2B7D59EB91BE44939457858CED5EB23CF4AA93EF33BB600EB28DE6F6
                                                              SHA-512:E9628870FEEA8C3AAEFE22A2AF41CF34B1C1778C4A0E81D069F50553CE1A23F68A0BA74B296420B2BE92425D4995A43E51C018C2E8197EC2EC39305E87C56BE8
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........G.G.G.G._.%...C.....F.(...C.(...D.G...A..F...F....F.RichG.........................PE..L.....H...........!.....*...&.......7.......@.......................................................................I..l...pA..x....`..0....................p..p....................................................@..p............................text...R(.......*.................. ..`.rdata..|....@......................@..@.data........P.......8..............@....rsrc...0....`.......B..............@..@.reloc..8....p.......H..............@..B................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:Generic INItialization configuration [Field 1]
                                                              Category:dropped
                                                              Size (bytes):1086
                                                              Entropy (8bit):5.030819664305184
                                                              Encrypted:false
                                                              SSDEEP:24:yTdRvA4ehH16fL1Z7CYOJacm/iR5WvEGLOo:UXeB0zrCYOkninGLD
                                                              MD5:0C19DA8182AEE330F78EC7FE6F37C576
                                                              SHA1:9EBF124927BECF7F315CCBBDD0E5BE4F356FD3B3
                                                              SHA-256:04A00D01021ADA2D735EFC977F4AA349CAE9F2202566F3081B963E71F734F16E
                                                              SHA-512:865802732FDE7E110DBA0E8D5D1044566F7E31F5D020006DD21567E68609ED549074DAA1F301BFEE4026CEDDD564DD9315D1A372E158C1F389A28FA8F0A0CADA
                                                              Malicious:false
                                                              Preview:[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\modern-wizard.bmp..HWND=66688..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Nero Burning Rom downloader and installer..Bottom=38..HWND=66690..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=This wizard will guide you through download and installation of Nero Burning Rom. In addition to the Nero Burning Rom our toolbar will also be offered to you as part of the download manager.This download manager is not associated with the creator of Nero Burning Rom in any way and works as an independent entity that certifies its reliability. This download manager forms part of this website's security measures to guarantee the reliability and safety of its downloads. The main objective of this website is to allow you to filter the existing viruses and m
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:PC bitmap, Windows 3.x format, 164 x 314 x 8, image size 51498, resolution 2834 x 2834 px/m, cbSize 52576, bits offset 1078
                                                              Category:dropped
                                                              Size (bytes):52576
                                                              Entropy (8bit):7.181750725113967
                                                              Encrypted:false
                                                              SSDEEP:384:0b5ZBhNII36iwq7VzVpaHsA2vxM+5GVTfoeydiszl:2XR360JzVpaHsAI75GRfovcs5
                                                              MD5:9E4CD80A60DB6947642677BF31A10906
                                                              SHA1:FEEDC432DF18B13FFBA2B7478347D885861701FA
                                                              SHA-256:A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925
                                                              SHA-512:A02AE76B7A5DF03A149A0B9C9EFD314B8646B829B930233D0CEA8B619B21720B383F92BE95838310E7F1C4183D256823A96E48866B65AC7D2141ED4254AE471A
                                                              Malicious:false
                                                              Preview:BM`.......6...(.......:...........*.......................qss.}~~.....................................................................5by.k...6by.m...o...p...q...9dz.s...t...w...x...=f{.{.......}...Iw..................@ex.....;\m..HU.m...}...7Tc.........e.......r................................................................................................................................. .....................................$,0.............Z\].;...:...'h...BY.Q...c...h...n...m...7ay.o...o...8cz.k...r...q...q...r...s...t...t...v...;dz.v...y...w...v...`...z...y...z...z...S...~...|...Z...m.......~...}...@g|.....................P....#*.........................b...Go......................Ch|.........w...............................Acu.....................................................................$4=.........a...c...r...............................................................au.......................Ss..|..7...F...[.......+<F.....Pbm.........................................hhi...
                                                              Process:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              File Type:Generic INItialization configuration [Field 2]
                                                              Category:dropped
                                                              Size (bytes):1017
                                                              Entropy (8bit):4.999544240031993
                                                              Encrypted:false
                                                              SSDEEP:24:44vkCYb2ilaRA1ObQJogNobwxzffNU1hok:1uioaRUOs3Ywx7Fw
                                                              MD5:F8457FFA09847C92DD2987F4A4D410C5
                                                              SHA1:6E56AC6D1B5D24E4BD9DACC424800684AE614E48
                                                              SHA-256:2594C5CD66BB413435A9B66E5F66C7D84B1958FEF8A0F94D0D2DE43BC884F0CD
                                                              SHA-512:EBD522449391E99EAA79610553020A14466D51106ED591EF015D012117A5B5586E119E80D1D28C17DC0EF64472E5D3B4D603C662DCDF78160E51C70EEEC0FCA0
                                                              Malicious:false
                                                              Preview:[Settings]..NextButtonText=Next >..[Field 2]..Text=C:\Users\user\AppData\Local\Temp\captura.bmp..[Field 1]..Text=Funmoods is a free add-on for social networks chat that gives you a huge collection of smileys, winks, text effects and more! Get Funmoods smileys for social networks and start sending amazing, fun messages to all your friends!..[Field 4]..Text=Install Funmoods toolbar..[Field 3]..Text=Make Funmoods as my default search engine..[Field 8]..Text=Set Funmoods as my homepage and new tab on my browsers..[Field 6]..State=http://www.funmoods.com/terms..Text=Terms Of Use..[Field 7]..State=http://www.funmoods.com/privacy..Text=Privacy Policy..[Field 5]..Text=By clicking 'Next' button I accept the..[Field 12]..Text=and..[Field 13]..Text=of Funmoods toolbar..[Field 11]..Text=I allow my current homepage and default search settings to be stored for easy reverting later...[Field 9]..Text=Install for free Dealply and pay less while shopping..[Field 10]..Text=Dealply..State=http://www.dea
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Entropy (8bit):6.069988993142582
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 91.57%
                                                              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.75%
                                                              • UPX compressed Win32 Executable (30571/9) 0.28%
                                                              • Win32 EXE Yoda's Crypter (26571/9) 0.24%
                                                              • Windows Screen Saver (13104/52) 0.12%
                                                              File name:yUgCaQhCIc.exe
                                                              File size:509'160 bytes
                                                              MD5:5da47991f8da648663063560b0182040
                                                              SHA1:a23ba563cd76be2e6324733fd93725365e1af593
                                                              SHA256:faa5c705f7a92dbc2bedd76bb8eb4f0f002389d16d1362ebee36eeffcf969a87
                                                              SHA512:300346f9217da6ae844552e549c7d383057dcfc71ea097abebd804887caa6d89da3aa5159fa13208a14588c7baf668217e17fd224f00621769f1d4e5d9e66c28
                                                              SSDEEP:6144:+e34R2aWNzh36dqXEVTrnCRZG/t7FTBqTzP7n7O7L6K2Bfo7pu:w2Zzh36VVTGf0ZTsnz7O7L6ju7pu
                                                              TLSH:52B48D70BA40E87EC35C88389055DB5997F954B1AF9000A3333E6A8D1E792A25D67FCF
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........
                                                              Icon Hash:0771ccf8d84d2907
                                                              Entrypoint:0x4030fa
                                                              Entrypoint Section:.text
                                                              Digitally signed:true
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:7fa974366048f9c551ef45714595665e
                                                              Signature Valid:false
                                                              Signature Issuer:CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
                                                              Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                                                              Error Number:-2146762495
                                                               Not Before:18/01/2012 01:00:00
                                                               Not After:18/01/2013 00:59:59
                                                              Subject Chain
                                                              • CN=Inffinity Internet, OU=Internet, O=Inffinity Internet, L=Madrid, S=Madrid, C=ES
                                                              Version:3
                                                              Thumbprint MD5:A8CDD9736D88F45575E5B95637CDC8D0
                                                              Thumbprint SHA-1:E848EDD1A697C297A97C9ABDCF563CDBFF870AC1
                                                              Thumbprint SHA-256:70B243B6B417FB12B43B10F2A41353EBBF4E0CE0C6D5D90090A368ABD4190695
                                                              Serial:1E478AE33382A025ECAE98EF6ADEE5BB
                                                              Instruction
                                                              sub esp, 00000180h
                                                              push ebx
                                                              push ebp
                                                              push esi
                                                              xor ebx, ebx
                                                              push edi
                                                              mov dword ptr [esp+18h], ebx
                                                              mov dword ptr [esp+10h], 00409160h
                                                              xor esi, esi
                                                              mov byte ptr [esp+14h], 00000020h
                                                              call dword ptr [00407030h]
                                                              push 00008001h
                                                              call dword ptr [004070B0h]
                                                              push ebx
                                                              call dword ptr [0040727Ch]
                                                              push 00000008h
                                                              mov dword ptr [0042EC18h], eax
                                                              call 00007FD9553CDB36h
                                                              mov dword ptr [0042EB64h], eax
                                                              push ebx
                                                              lea eax, dword ptr [esp+34h]
                                                              push 00000160h
                                                              push eax
                                                              push ebx
                                                              push 00428F98h
                                                              call dword ptr [00407158h]
                                                              push 00409154h
                                                              push 0042E360h
                                                              call 00007FD9553CD7E9h
                                                              call dword ptr [004070ACh]
                                                              mov edi, 00434000h
                                                              push eax
                                                              push edi
                                                              call 00007FD9553CD7D7h
                                                              push ebx
                                                              call dword ptr [0040710Ch]
                                                              cmp byte ptr [00434000h], 00000022h
                                                              mov dword ptr [0042EB60h], eax
                                                              mov eax, edi
                                                              jne 00007FD9553CAF4Ch
                                                              mov byte ptr [esp+14h], 00000022h
                                                              mov eax, 00434001h
                                                              push dword ptr [esp+14h]
                                                              push eax
                                                              call 00007FD9553CD2CAh
                                                              push eax
                                                              call dword ptr [0040721Ch]
                                                              mov dword ptr [esp+1Ch], eax
                                                              jmp 00007FD9553CAFA5h
                                                              cmp cl, 00000020h
                                                              jne 00007FD9553CAF48h
                                                              inc eax
                                                              cmp byte ptr [eax], 00000020h
                                                              je 00007FD9553CAF3Ch
                                                              cmp byte ptr [eax], 00000022h
                                                              mov byte ptr [eax+eax+00h], 00000000h
                                                              Programming Language:
                                                              • [EXP] VC++ 6.0 SP5 build 8804
                                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x74b0           0xb4          .rdata
                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4b000          0x40a0        .rsrc
                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x7b550          0xf98
                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x28c         .rdata
                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                               Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                                               .text   0x1000           0x5c4c        0x5e00    856b32eb77dfd6fb67f21d6543272da5  False     0.6697140957446809  data       6.440105549497952  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                               .rdata  0x7000           0x129c        0x1400    dc77f8a1e6985a4361c55642680ddb4f  False     0.43359375          data       5.046835307909969  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                               .data   0x9000           0x25c58       0x400     7922d4ce117d7d5b3ac2cffe4b0b5e4f  False     0.5849609375        data       4.801003752715384  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                               .ndata  0x2f000          0x1c000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                               .rsrc   0x4b000          0x40a0        0x4200    cf27236773cd963031f4b0529156af5f  False     0.6234019886363636  data       5.9631815145141    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                               Name           RVA      Size    Type                                                                                Language  Country        ZLIB Complexity
                                                               RT_ICON        0x4b2b0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                    English   United States  0.7213883677298312
                                                               RT_ICON        0x4c358  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors  English   United States  0.6751066098081023
                                                               RT_ICON        0x4d200  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors  English   United States  0.7851985559566786
                                                               RT_ICON        0x4daa8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors   English   United States  0.6560693641618497
                                                               RT_ICON        0x4e010  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                    English   United States  0.8031914893617021
                                                               RT_ICON        0x4e478  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 640                      English   United States  0.3118279569892473
                                                               RT_ICON        0x4e760  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                      English   United States  0.36824324324324326
                                                               RT_DIALOG      0x4e888  0x202   data                                                                                English   United States  0.38910505836575876
                                                               RT_DIALOG      0x4ea90  0xf8    data                                                                                English   United States  0.6290322580645161
                                                               RT_DIALOG      0x4eb88  0xee    data                                                                                English   United States  0.6260504201680672
                                                               RT_GROUP_ICON  0x4ec78  0x68    data                                                                                English   United States  0.6634615384615384
                                                               RT_MANIFEST    0x4ece0  0x3c0   XML 1.0 document, ASCII text, with very long lines (960), with no line terminators   English   United States  0.5197916666666667
                                                               DLL           Imports
                                                               KERNEL32.dll  CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                                                               USER32.dll    EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                               GDI32.dll     SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                               SHELL32.dll   SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                               ADVAPI32.dll  RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                               COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                               ole32.dll     CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                               VERSION.dll   GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                                                               Language of compilation system  Country where language is spoken
                                                               English                         United States


                                                              • Total Packets: 236
                                                              • 443 (HTTPS)
                                                              • 80 (HTTP)
                                                              • 53 (DNS)
                                                               Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                               Mar 14, 2025 03:15:09.163387060 CET  49676        443        192.168.2.5      20.189.173.14
                                                               Mar 14, 2025 03:15:11.569797039 CET  49676        443        192.168.2.5      20.189.173.14
                                                               Mar 14, 2025 03:15:16.382087946 CET  49676        443        192.168.2.5      20.189.173.14
                                                               Mar 14, 2025 03:15:17.663455963 CET  49672        443        192.168.2.5      204.79.197.203
                                                               Mar 14, 2025 03:15:25.991816044 CET  49676        443        192.168.2.5      20.189.173.14
                                                               Mar 14, 2025 03:15:26.625998974 CET  58546        443        192.168.2.5      216.58.212.164
                                                               Mar 14, 2025 03:15:26.626048088 CET  443          58546      216.58.212.164   192.168.2.5
                                                               Mar 14, 2025 03:15:26.626102924 CET  58546        443        192.168.2.5      216.58.212.164
                                                               Mar 14, 2025 03:15:26.626494884 CET  58546        443        192.168.2.5      216.58.212.164
                                                               Mar 14, 2025 03:15:26.626513004 CET  443          58546      216.58.212.164   192.168.2.5
                                                               Mar 14, 2025 03:15:26.825311899 CET  443          58546      216.58.212.164   192.168.2.5
                                                               Mar 14, 2025 03:15:26.826029062 CET  58547        443        192.168.2.5      216.58.212.164
                                                               Mar 14, 2025 03:15:26.826087952 CET  443          58547      216.58.212.164   192.168.2.5
                                                               Mar 14, 2025 03:15:26.826181889 CET  58547        443        192.168.2.5      216.58.212.164
                                                               Mar 14, 2025 03:15:26.826574087 CET  58547        443        192.168.2.5      216.58.212.164
                                                               Mar 14, 2025 03:15:26.826590061 CET  443          58547      216.58.212.164   192.168.2.5
                                                               Mar 14, 2025 03:15:27.025101900 CET  443          58547      216.58.212.164   192.168.2.5
                                                               Mar 14, 2025 03:15:30.488056898 CET  49675        443        192.168.2.5      2.23.227.208
                                                               Mar 14, 2025 03:15:30.488133907 CET  443          49675      2.23.227.208     192.168.2.5
                                                               Mar 14, 2025 03:15:30.597317934 CET  58552        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.597362041 CET  443          58552      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.597424030 CET  58552        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.603605032 CET  58552        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.603626013 CET  443          58552      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.604336977 CET  443          58552      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.610100985 CET  58553        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.610142946 CET  443          58553      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.610210896 CET  58553        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.610980034 CET  58553        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.610992908 CET  443          58553      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.611494064 CET  443          58553      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.629314899 CET  58554        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.629352093 CET  443          58554      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.629411936 CET  58554        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.629555941 CET  58554        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.629595995 CET  443          58554      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.629643917 CET  58554        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.662182093 CET  58555        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.662225962 CET  443          58555      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.662292004 CET  58555        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.662733078 CET  58555        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.662745953 CET  443          58555      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.663276911 CET  443          58555      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.664060116 CET  58556        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.664082050 CET  443          58556      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.664129019 CET  58556        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.664549112 CET  58556        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.664560080 CET  443          58556      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.664948940 CET  443          58556      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.665297985 CET  58557        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.665314913 CET  443          58557      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.665364027 CET  58557        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.665564060 CET  58557        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.665595055 CET  443          58557      150.171.27.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.665635109 CET  58557        443        192.168.2.5      150.171.27.254
                                                               Mar 14, 2025 03:15:30.679104090 CET  58558        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.679138899 CET  443          58558      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.679199934 CET  58558        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.680682898 CET  58558        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.680697918 CET  443          58558      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.681157112 CET  443          58558      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.681735039 CET  58559        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.681767941 CET  443          58559      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.681821108 CET  58559        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.682145119 CET  58559        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.682157993 CET  443          58559      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.682540894 CET  443          58559      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.682867050 CET  58560        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.682877064 CET  443          58560      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.682925940 CET  58560        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.683056116 CET  58560        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.683095932 CET  443          58560      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.683141947 CET  58560        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.686280966 CET  58561        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.686295986 CET  443          58561      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.686347961 CET  58561        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.686700106 CET  58561        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.686711073 CET  443          58561      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.687103987 CET  443          58561      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.687381029 CET  58562        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.687428951 CET  443          58562      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.687482119 CET  58562        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.687792063 CET  58562        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.687812090 CET  443          58562      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.688153982 CET  443          58562      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.688431025 CET  58563        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.688442945 CET  443          58563      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.688504934 CET  58563        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.688551903 CET  58563        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.688575029 CET  443          58563      150.171.31.254   192.168.2.5
                                                               Mar 14, 2025 03:15:30.688618898 CET  58563        443        192.168.2.5      150.171.31.254
                                                               Mar 14, 2025 03:15:30.693034887 CET  49678        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.693075895 CET  443          49678      204.79.197.222   192.168.2.5
                                                               Mar 14, 2025 03:15:30.693459034 CET  58564        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.693495989 CET  443          58564      204.79.197.222   192.168.2.5
                                                               Mar 14, 2025 03:15:30.693543911 CET  58564        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.693996906 CET  58564        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.694010973 CET  443          58564      204.79.197.222   192.168.2.5
                                                               Mar 14, 2025 03:15:30.694387913 CET  443          58564      204.79.197.222   192.168.2.5
                                                               Mar 14, 2025 03:15:30.695050001 CET  58565        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.695059061 CET  443          58565      204.79.197.222   192.168.2.5
                                                               Mar 14, 2025 03:15:30.695116043 CET  58565        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.695322037 CET  58565        443        192.168.2.5      204.79.197.222
                                                               Mar 14, 2025 03:15:30.695333958 CET  443          58565      204.79.197.222   192.168.2.5
                                                              Mar 14, 2025 03:15:30.695683956 CET44358565204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:30.696207047 CET58566443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:30.696239948 CET44358566204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:30.696295023 CET58566443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:30.696336985 CET58566443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:30.696360111 CET44358566204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:30.696398973 CET58566443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.676518917 CET58567443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.676579952 CET44358567204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.676666021 CET58567443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.677004099 CET58567443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.677015066 CET44358567204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.677704096 CET44358567204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.678165913 CET58568443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.678201914 CET44358568204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.678255081 CET58568443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.678533077 CET58568443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.678545952 CET44358568204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.678957939 CET44358568204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.679227114 CET58569443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.679266930 CET44358569204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.679315090 CET58569443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.679399014 CET58569443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.679418087 CET44358569204.79.197.222192.168.2.5
                                                              Mar 14, 2025 03:15:32.679460049 CET58569443192.168.2.5204.79.197.222
                                                              Mar 14, 2025 03:15:32.862390995 CET58570443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.862427950 CET443585704.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.862497091 CET58570443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.910939932 CET58570443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.910965919 CET443585704.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.911715031 CET443585704.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.954714060 CET58571443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.954777956 CET443585714.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.954843998 CET58571443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.955234051 CET58571443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.955252886 CET443585714.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.955979109 CET443585714.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.986973047 CET58572443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.987010002 CET443585724.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.987128019 CET58572443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.987545013 CET58572443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:32.987557888 CET443585724.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:32.988034964 CET443585724.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.009327888 CET58573443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.009362936 CET443585734.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.009438992 CET58573443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.009773016 CET58573443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.009789944 CET443585734.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.010251999 CET443585734.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.044847965 CET58574443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.044872999 CET443585744.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.045036077 CET58574443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.045468092 CET58574443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.045480013 CET443585744.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.045949936 CET443585744.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.065910101 CET58575443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.065942049 CET443585754.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.066055059 CET58575443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.066488981 CET58575443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.066499949 CET443585754.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.066909075 CET443585754.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.105330944 CET58576443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.105376959 CET443585764.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.105447054 CET58576443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.105750084 CET58576443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.105762005 CET443585764.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.106184006 CET443585764.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.127130985 CET58577443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.127156973 CET443585774.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.127249956 CET58577443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.127605915 CET58577443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:15:33.127620935 CET443585774.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:33.128046989 CET443585774.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:15:35.782434940 CET58580443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.782469988 CET44358580150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.782588005 CET58580443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.784569979 CET58580443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.784583092 CET44358580150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.785177946 CET44358580150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.785567999 CET58581443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.785604954 CET44358581150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.785715103 CET58581443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.785921097 CET58581443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.785931110 CET44358581150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.786308050 CET44358581150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.786668062 CET58582443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.786705017 CET44358582150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.786861897 CET58582443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.786910057 CET58582443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:35.786930084 CET44358582150.171.28.10192.168.2.5
                                                              Mar 14, 2025 03:15:35.786974907 CET58582443192.168.2.5150.171.28.10
                                                              Mar 14, 2025 03:15:59.149116039 CET5849880192.168.2.523.203.176.101
                                                              Mar 14, 2025 03:15:59.149183989 CET5850080192.168.2.5184.30.131.114
                                                              Mar 14, 2025 03:15:59.149190903 CET5849980192.168.2.5184.30.131.114
                                                              Mar 14, 2025 03:15:59.154217005 CET805849823.203.176.101192.168.2.5
                                                              Mar 14, 2025 03:15:59.154284000 CET5849880192.168.2.523.203.176.101
                                                              Mar 14, 2025 03:15:59.154838085 CET8058500184.30.131.114192.168.2.5
                                                              Mar 14, 2025 03:15:59.154887915 CET5850080192.168.2.5184.30.131.114
                                                              Mar 14, 2025 03:15:59.154905081 CET8058499184.30.131.114192.168.2.5
                                                              Mar 14, 2025 03:15:59.154952049 CET5849980192.168.2.5184.30.131.114
                                                              Mar 14, 2025 03:16:06.136387110 CET58517443192.168.2.5184.86.251.27
                                                              Mar 14, 2025 03:16:06.136632919 CET5852380192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:06.508131981 CET5851680192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:06.508187056 CET5852580192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:06.510839939 CET5851880192.168.2.5172.217.16.131
                                                              Mar 14, 2025 03:16:06.515834093 CET805851688.221.110.91192.168.2.5
                                                              Mar 14, 2025 03:16:06.516014099 CET5851680192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:06.516242027 CET805852588.221.110.91192.168.2.5
                                                              Mar 14, 2025 03:16:06.516459942 CET5852580192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:06.517930031 CET8058518172.217.16.131192.168.2.5
                                                              Mar 14, 2025 03:16:06.518831015 CET5851880192.168.2.5172.217.16.131
                                                              Mar 14, 2025 03:16:09.481349945 CET58589443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.481400013 CET443585894.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.481565952 CET58589443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.482064962 CET58589443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.482076883 CET443585894.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.482690096 CET443585894.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.509371996 CET58590443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.509422064 CET443585904.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.509515047 CET58590443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.509834051 CET58590443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.509849072 CET443585904.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.510226011 CET443585904.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.536818981 CET58591443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.536853075 CET443585914.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.536930084 CET58591443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.537292004 CET58591443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.537305117 CET443585914.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.537623882 CET443585914.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.554198980 CET58592443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.554209948 CET443585924.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.554270983 CET58592443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.554627895 CET58592443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.554636955 CET443585924.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.555010080 CET443585924.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.596812963 CET58593443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.596868992 CET443585934.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.596966028 CET58593443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.597404003 CET58593443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.597418070 CET443585934.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.597762108 CET443585934.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.613548994 CET58594443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.613605976 CET443585944.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.613683939 CET58594443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.614070892 CET58594443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.614087105 CET443585944.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.614474058 CET443585944.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.647711992 CET58595443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.647739887 CET443585954.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.647814035 CET58595443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.648140907 CET58595443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.648153067 CET443585954.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.648493052 CET443585954.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.670454979 CET58596443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.670478106 CET443585964.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.670547009 CET58596443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.670918941 CET58596443192.168.2.54.175.87.197
                                                              Mar 14, 2025 03:16:09.670929909 CET443585964.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:09.671258926 CET443585964.175.87.197192.168.2.5
                                                              Mar 14, 2025 03:16:26.680672884 CET58606443192.168.2.5216.58.212.164
                                                              Mar 14, 2025 03:16:26.680716991 CET44358606216.58.212.164192.168.2.5
                                                              Mar 14, 2025 03:16:26.680778980 CET58606443192.168.2.5216.58.212.164
                                                              Mar 14, 2025 03:16:26.681106091 CET58606443192.168.2.5216.58.212.164
                                                              Mar 14, 2025 03:16:26.681117058 CET44358606216.58.212.164192.168.2.5
                                                              Mar 14, 2025 03:16:26.881050110 CET44358606216.58.212.164192.168.2.5
                                                              Mar 14, 2025 03:16:26.881870985 CET58607443192.168.2.5216.58.212.164
                                                              Mar 14, 2025 03:16:26.881912947 CET44358607216.58.212.164192.168.2.5
                                                              Mar 14, 2025 03:16:26.881992102 CET58607443192.168.2.5216.58.212.164
                                                              Mar 14, 2025 03:16:26.882332087 CET58607443192.168.2.5216.58.212.164
                                                              Mar 14, 2025 03:16:26.882344961 CET44358607216.58.212.164192.168.2.5
                                                              Mar 14, 2025 03:16:27.081847906 CET44358607216.58.212.164192.168.2.5
                                                              Mar 14, 2025 03:16:51.476022959 CET5851280192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.476025105 CET58503443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.476104975 CET5851480192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.476119995 CET58506443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.476171017 CET58504443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.476177931 CET5851580192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.476233006 CET5851380192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.476233959 CET58505443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.476279020 CET5850780192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.476330996 CET5850880192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.476372004 CET5850980192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.476413012 CET5851080192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.480885029 CET8058512184.30.131.245192.168.2.5
                                                              Mar 14, 2025 03:16:51.480954885 CET5851280192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.482279062 CET4435850320.190.159.64192.168.2.5
                                                              Mar 14, 2025 03:16:51.482351065 CET4435850620.190.159.64192.168.2.5
                                                              Mar 14, 2025 03:16:51.482351065 CET58503443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.482362032 CET8058514184.30.131.245192.168.2.5
                                                              Mar 14, 2025 03:16:51.482371092 CET4435850420.190.159.64192.168.2.5
                                                              Mar 14, 2025 03:16:51.482383966 CET8058515184.30.131.245192.168.2.5
                                                              Mar 14, 2025 03:16:51.482414007 CET58506443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.482420921 CET5851480192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.482444048 CET4435850520.190.159.64192.168.2.5
                                                              Mar 14, 2025 03:16:51.482449055 CET58504443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.482455015 CET8058513184.30.131.245192.168.2.5
                                                              Mar 14, 2025 03:16:51.482461929 CET5851580192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.482465029 CET805850788.221.110.91192.168.2.5
                                                              Mar 14, 2025 03:16:51.482502937 CET58505443192.168.2.520.190.159.64
                                                              Mar 14, 2025 03:16:51.482511997 CET5851380192.168.2.5184.30.131.245
                                                              Mar 14, 2025 03:16:51.482526064 CET5850780192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.482542038 CET805850888.221.110.91192.168.2.5
                                                              Mar 14, 2025 03:16:51.482552052 CET805850988.221.110.91192.168.2.5
                                                              Mar 14, 2025 03:16:51.482585907 CET5850880192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.482599974 CET5850980192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:51.485512018 CET805851088.221.110.91192.168.2.5
                                                              Mar 14, 2025 03:16:51.485579014 CET5851080192.168.2.588.221.110.91
                                                              Mar 14, 2025 03:16:54.840775967 CET58522443192.168.2.595.100.70.200
                                                              Mar 14, 2025 03:16:54.845773935 CET4435852295.100.70.200192.168.2.5
                                                              Mar 14, 2025 03:16:54.845863104 CET58522443192.168.2.595.100.70.200
                                                              Mar 14, 2025 03:16:56.366710901 CET58526443192.168.2.595.100.70.200
                                                              Mar 14, 2025 03:16:56.371653080 CET4435852695.100.70.200192.168.2.5
                                                              Mar 14, 2025 03:16:56.371805906 CET58526443192.168.2.595.100.70.200
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Mar 14, 2025 03:15:30.786345005 CET53532111.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:00.805152893 CET5179653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:00.805681944 CET6026353192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:00.834919930 CET53517961.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:00.855663061 CET6348853192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:00.984278917 CET53634881.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:01.069494009 CET53602631.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:10.309853077 CET138138192.168.2.5192.168.2.255
                                                              Mar 14, 2025 03:16:21.848036051 CET53558271.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:22.258670092 CET53523391.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:25.006356001 CET53623841.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:25.600832939 CET5871853192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:25.601433992 CET5444153192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:25.607650042 CET53587181.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:25.609020948 CET53544411.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:26.617157936 CET6496853192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:26.617387056 CET6411453192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:26.624516964 CET53641141.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:26.624530077 CET53649681.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:28.649167061 CET6504553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:28.655793905 CET53650451.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:29.648024082 CET6504553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:29.654654026 CET53650451.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:30.648092985 CET6504553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:30.655666113 CET53650451.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:32.648684978 CET6504553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:32.655342102 CET53650451.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:35.073980093 CET5563953192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:35.882735014 CET53556391.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:36.649220943 CET6504553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:36.656953096 CET53650451.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:40.996323109 CET5212053192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:40.996464968 CET5212153192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:41.002969980 CET53521201.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:41.003210068 CET53521211.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:42.008470058 CET6337453192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:42.015206099 CET53633741.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:44.040020943 CET5880653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:44.046930075 CET53588061.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:45.046279907 CET5880653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:45.052892923 CET53588061.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:46.055119038 CET5880653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:46.062477112 CET53588061.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:48.054909945 CET5880653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:48.061573029 CET53588061.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:52.060384989 CET5880653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:52.067624092 CET53588061.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:56.070322037 CET6184153192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:56.563759089 CET53618411.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:56.996674061 CET6528053192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:56.996831894 CET6229153192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:57.003637075 CET53652801.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:57.004213095 CET53622911.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:16:58.034878016 CET6014653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:16:58.041868925 CET53601461.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:00.070868015 CET6023253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:00.077379942 CET53602321.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:00.999180079 CET5549553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:00.999377012 CET4977353192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:01.072144985 CET6023253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:01.079123974 CET53602321.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:01.117578030 CET53554951.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:01.149990082 CET5247353192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:01.174298048 CET53497731.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:01.403352022 CET53524731.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:02.086262941 CET6023253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:02.092756987 CET53602321.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:04.101401091 CET6023253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:04.108159065 CET53602321.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:08.101166964 CET6023253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:08.107637882 CET53602321.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:12.996423960 CET5169753192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:12.996586084 CET5011553192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:13.003863096 CET53516971.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:13.003875017 CET53501151.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:14.011300087 CET5940653192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:14.018727064 CET53594061.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:16.039084911 CET5696253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:16.045909882 CET53569621.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:17.038602114 CET5696253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:17.045258999 CET53569621.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:18.039849043 CET5696253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:18.046650887 CET53569621.1.1.1192.168.2.5
                                                              Mar 14, 2025 03:17:20.044713974 CET5696253192.168.2.51.1.1.1
                                                              Mar 14, 2025 03:17:20.051840067 CET53569621.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Mar 14, 2025 03:15:22.958230019 CET | 192.168.2.5 | 1.1.1.1 | c23e | (Port unreachable) | Destination Unreachable
Mar 14, 2025 03:16:01.069555998 CET | 192.168.2.5 | 1.1.1.1 | c23e | (Port unreachable) | Destination Unreachable
Mar 14, 2025 03:17:01.174407005 CET | 192.168.2.5 | 1.1.1.1 | c23e | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 14, 2025 03:15:14.964776993 CET | 192.168.2.5 | 1.1.1.1 | 0x8383 | Standard query (0) | download.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:19.860661030 CET | 192.168.2.5 | 1.1.1.1 | 0xe4a0 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:20.829895020 CET | 192.168.2.5 | 1.1.1.1 | 0xc14 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:22.745270967 CET | 192.168.2.5 | 1.1.1.1 | 0x9747 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:22.745466948 CET | 192.168.2.5 | 1.1.1.1 | 0x1271 | Standard query (0) | pf.toggle.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:22.766645908 CET | 192.168.2.5 | 1.1.1.1 | 0x4cf8 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:22.766971111 CET | 192.168.2.5 | 1.1.1.1 | 0xa676 | Standard query (0) | pf.toggle.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:23.529731035 CET | 192.168.2.5 | 8.8.8.8 | 0xb90a | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:23.530112028 CET | 192.168.2.5 | 1.1.1.1 | 0xaff7 | Standard query (0) | google.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:24.545804977 CET | 192.168.2.5 | 1.1.1.1 | 0x113e | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:24.546878099 CET | 192.168.2.5 | 1.1.1.1 | 0x331d | Standard query (0) | pf.toggle.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:25.343938112 CET | 192.168.2.5 | 1.1.1.1 | 0x904b | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:26.617966890 CET | 192.168.2.5 | 1.1.1.1 | 0xaf4c | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:26.618110895 CET | 192.168.2.5 | 1.1.1.1 | 0x59b | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:30.366430044 CET | 192.168.2.5 | 1.1.1.1 | 0xed84 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:30.368498087 CET | 192.168.2.5 | 1.1.1.1 | 0x5755 | Standard query (0) | pf.toggle.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:30.669673920 CET | 192.168.2.5 | 1.1.1.1 | 0x7dd4 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:00.805152893 CET | 192.168.2.5 | 1.1.1.1 | 0x86be | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:00.805681944 CET | 192.168.2.5 | 1.1.1.1 | 0xb0e3 | Standard query (0) | pf.toggle.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:16:00.855663061 CET | 192.168.2.5 | 1.1.1.1 | 0xc58 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:25.600832939 CET | 192.168.2.5 | 1.1.1.1 | 0xaad3 | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:25.601433992 CET | 192.168.2.5 | 1.1.1.1 | 0x3f4d | Standard query (0) | beacons.gcp.gvt2.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:16:26.617157936 CET | 192.168.2.5 | 1.1.1.1 | 0xe56d | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:26.617387056 CET | 192.168.2.5 | 1.1.1.1 | 0x39b8 | Standard query (0) | beacons.gcp.gvt2.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:16:28.649167061 CET | 192.168.2.5 | 1.1.1.1 | 0xe922 | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:29.648024082 CET | 192.168.2.5 | 1.1.1.1 | 0xe922 | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:30.648092985 CET | 192.168.2.5 | 1.1.1.1 | 0xe922 | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:32.648684978 CET | 192.168.2.5 | 1.1.1.1 | 0xe922 | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:35.073980093 CET | 192.168.2.5 | 1.1.1.1 | 0x1d1d | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:36.649220943 CET | 192.168.2.5 | 1.1.1.1 | 0xe922 | Standard query (0) | beacons.gcp.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:40.996323109 CET | 192.168.2.5 | 1.1.1.1 | 0x2e4a | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:40.996464968 CET | 192.168.2.5 | 1.1.1.1 | 0xf807 | Standard query (0) | beacons.gvt2.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:16:42.008470058 CET | 192.168.2.5 | 1.1.1.1 | 0x8f93 | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:44.040020943 CET | 192.168.2.5 | 1.1.1.1 | 0xf22e | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:45.046279907 CET | 192.168.2.5 | 1.1.1.1 | 0xf22e | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:46.055119038 CET | 192.168.2.5 | 1.1.1.1 | 0xf22e | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:48.054909945 CET | 192.168.2.5 | 1.1.1.1 | 0xf22e | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:52.060384989 CET | 192.168.2.5 | 1.1.1.1 | 0xf22e | Standard query (0) | beacons.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:56.070322037 CET | 192.168.2.5 | 1.1.1.1 | 0x27d4 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:56.996674061 CET | 192.168.2.5 | 1.1.1.1 | 0xa0dc | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:56.996831894 CET | 192.168.2.5 | 1.1.1.1 | 0xe507 | Standard query (0) | beacons2.gvt2.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:16:58.034878016 CET | 192.168.2.5 | 1.1.1.1 | 0x4395 | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:00.070868015 CET | 192.168.2.5 | 1.1.1.1 | 0xbbd4 | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:00.999180079 CET | 192.168.2.5 | 1.1.1.1 | 0xb636 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:00.999377012 CET | 192.168.2.5 | 1.1.1.1 | 0xfd17 | Standard query (0) | pf.toggle.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:17:01.072144985 CET | 192.168.2.5 | 1.1.1.1 | 0xbbd4 | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:01.149990082 CET | 192.168.2.5 | 1.1.1.1 | 0x12a5 | Standard query (0) | pf.toggle.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:02.086262941 CET | 192.168.2.5 | 1.1.1.1 | 0xbbd4 | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:04.101401091 CET | 192.168.2.5 | 1.1.1.1 | 0xbbd4 | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:08.101166964 CET | 192.168.2.5 | 1.1.1.1 | 0xbbd4 | Standard query (0) | beacons2.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:12.996423960 CET | 192.168.2.5 | 1.1.1.1 | 0x4e81 | Standard query (0) | beacons3.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:12.996586084 CET | 192.168.2.5 | 1.1.1.1 | 0xa536 | Standard query (0) | beacons3.gvt2.com | 65 | IN (0x0001) | false
Mar 14, 2025 03:17:14.011300087 CET | 192.168.2.5 | 1.1.1.1 | 0x8d48 | Standard query (0) | beacons3.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:16.039084911 CET | 192.168.2.5 | 1.1.1.1 | 0xfdc9 | Standard query (0) | beacons3.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:17.038602114 CET | 192.168.2.5 | 1.1.1.1 | 0xfdc9 | Standard query (0) | beacons3.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:18.039849043 CET | 192.168.2.5 | 1.1.1.1 | 0xfdc9 | Standard query (0) | beacons3.gvt2.com | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:20.044713974 CET | 192.168.2.5 | 1.1.1.1 | 0xfdc9 | Standard query (0) | beacons3.gvt2.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 14, 2025 03:15:15.264983892 CET | 1.1.1.1 | 192.168.2.5 | 0x8383 | Name error (3) | download.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:20.166873932 CET | 1.1.1.1 | 192.168.2.5 | 0xe4a0 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:21.135047913 CET | 1.1.1.1 | 192.168.2.5 | 0xc14 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:22.887590885 CET | 1.1.1.1 | 192.168.2.5 | 0x4cf8 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:22.958163023 CET | 1.1.1.1 | 192.168.2.5 | 0xa676 | Name error (3) | pf.toggle.com | none | none | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:23.044043064 CET | 1.1.1.1 | 192.168.2.5 | 0x1271 | Name error (3) | pf.toggle.com | none | none | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:23.498348951 CET | 1.1.1.1 | 192.168.2.5 | 0x9747 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:23.536802053 CET | 1.1.1.1 | 192.168.2.5 | 0xaff7 | No error (0) | google.com | | 142.250.185.78 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:23.537969112 CET | 8.8.8.8 | 192.168.2.5 | 0xb90a | No error (0) | google.com | | 142.251.36.78 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:25.306487083 CET | 1.1.1.1 | 192.168.2.5 | 0x113e | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:25.322149038 CET | 1.1.1.1 | 192.168.2.5 | 0x331d | Name error (3) | pf.toggle.com | none | none | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:25.351205111 CET | 1.1.1.1 | 192.168.2.5 | 0x904b | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:26.624716997 CET | 1.1.1.1 | 192.168.2.5 | 0x59b | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:26.625142097 CET | 1.1.1.1 | 192.168.2.5 | 0xaf4c | No error (0) | www.google.com | | 216.58.212.164 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:30.657355070 CET | 1.1.1.1 | 192.168.2.5 | 0x5755 | Name error (3) | pf.toggle.com | none | none | 65 | IN (0x0001) | false
Mar 14, 2025 03:15:30.669070005 CET | 1.1.1.1 | 192.168.2.5 | 0xed84 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:15:30.786345005 CET | 1.1.1.1 | 192.168.2.5 | 0x7dd4 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:00.834919930 CET | 1.1.1.1 | 192.168.2.5 | 0x86be | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:00.984278917 CET | 1.1.1.1 | 192.168.2.5 | 0xc58 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:01.069494009 CET | 1.1.1.1 | 192.168.2.5 | 0xb0e3 | Name error (3) | pf.toggle.com | none | none | 65 | IN (0x0001) | false
Mar 14, 2025 03:16:25.607650042 CET | 1.1.1.1 | 192.168.2.5 | 0xaad3 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:25.607650042 CET | 1.1.1.1 | 192.168.2.5 | 0xaad3 | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.251.143.67 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:25.609020948 CET | 1.1.1.1 | 192.168.2.5 | 0x3f4d | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:26.624516964 CET | 1.1.1.1 | 192.168.2.5 | 0x39b8 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:26.624530077 CET | 1.1.1.1 | 192.168.2.5 | 0xe56d | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:26.624530077 CET | 1.1.1.1 | 192.168.2.5 | 0xe56d | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.250.186.163 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:28.655793905 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:28.655793905 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.251.143.67 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:29.654654026 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:29.654654026 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.251.143.67 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:30.655666113 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:30.655666113 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.251.143.67 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:32.655342102 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:32.655342102 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.251.143.67 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:35.882735014 CET | 1.1.1.1 | 192.168.2.5 | 0x1d1d | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:36.656953096 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons.gcp.gvt2.com | beacons-handoff.gcp.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:36.656953096 CET | 1.1.1.1 | 192.168.2.5 | 0xe922 | No error (0) | beacons-handoff.gcp.gvt2.com | | 142.251.143.67 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:41.002969980 CET | 1.1.1.1 | 192.168.2.5 | 0x2e4a | No error (0) | beacons.gvt2.com | beacons6.gvt2.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2025 03:16:41.002969980 CET | 1.1.1.1 | 192.168.2.5 | 0x2e4a | No error (0) | beacons6.gvt2.com | | 216.58.206.35 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:42.015206099 CET | 1.1.1.1 | 192.168.2.5 | 0x8f93 | No error (0) | beacons.gvt2.com | | 142.250.180.99 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:44.046930075 CET | 1.1.1.1 | 192.168.2.5 | 0xf22e | No error (0) | beacons.gvt2.com | | 142.251.143.35 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:45.052892923 CET | 1.1.1.1 | 192.168.2.5 | 0xf22e | No error (0) | beacons.gvt2.com | | 142.251.143.35 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:46.062477112 CET | 1.1.1.1 | 192.168.2.5 | 0xf22e | No error (0) | beacons.gvt2.com | | 142.251.143.35 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:48.061573029 CET | 1.1.1.1 | 192.168.2.5 | 0xf22e | No error (0) | beacons.gvt2.com | | 142.251.143.35 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:52.067624092 CET | 1.1.1.1 | 192.168.2.5 | 0xf22e | No error (0) | beacons.gvt2.com | | 142.251.143.35 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:56.563759089 CET | 1.1.1.1 | 192.168.2.5 | 0x27d4 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:57.003637075 CET | 1.1.1.1 | 192.168.2.5 | 0xa0dc | No error (0) | beacons2.gvt2.com | | 216.239.32.3 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:16:58.041868925 CET | 1.1.1.1 | 192.168.2.5 | 0x4395 | No error (0) | beacons2.gvt2.com | | 142.251.186.94 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:00.077379942 CET | 1.1.1.1 | 192.168.2.5 | 0xbbd4 | No error (0) | beacons2.gvt2.com | | 142.251.186.94 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:01.079123974 CET | 1.1.1.1 | 192.168.2.5 | 0xbbd4 | No error (0) | beacons2.gvt2.com | | 142.251.186.94 | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:01.117578030 CET | 1.1.1.1 | 192.168.2.5 | 0xb636 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
Mar 14, 2025 03:17:01.174298048 CET | 1.1.1.1 | 192.168.2.5 | 0xfd17 | Name error (3) | pf.toggle.com | none | none | 65 | IN (0x0001) | false
Mar 14, 2025 03:17:01.403352022 CET | 1.1.1.1 | 192.168.2.5 | 0x12a5 | Name error (3) | pf.toggle.com | none | none | A (IP address) | IN (0x0001) | false
                                                              Mar 14, 2025 03:17:02.092756987 CET1.1.1.1192.168.2.50xbbd4No error (0)beacons2.gvt2.com142.251.186.94A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:04.108159065 CET1.1.1.1192.168.2.50xbbd4No error (0)beacons2.gvt2.com142.251.186.94A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:08.107637882 CET1.1.1.1192.168.2.50xbbd4No error (0)beacons2.gvt2.com142.251.186.94A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:13.003863096 CET1.1.1.1192.168.2.50x4e81No error (0)beacons3.gvt2.com142.250.186.35A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:14.018727064 CET1.1.1.1192.168.2.50x8d48No error (0)beacons3.gvt2.com142.250.185.131A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:16.045909882 CET1.1.1.1192.168.2.50xfdc9No error (0)beacons3.gvt2.com142.250.184.195A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:17.045258999 CET1.1.1.1192.168.2.50xfdc9No error (0)beacons3.gvt2.com142.250.184.195A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:18.046650887 CET1.1.1.1192.168.2.50xfdc9No error (0)beacons3.gvt2.com142.250.184.195A (IP address)IN (0x0001)false
                                                              Mar 14, 2025 03:17:20.051840067 CET1.1.1.1192.168.2.50xfdc9No error (0)beacons3.gvt2.com142.250.184.195A (IP address)IN (0x0001)false
                                                              Target ID:0
                                                              Start time:22:15:13
                                                              Start date:13/03/2025
                                                              Path:C:\Users\user\Desktop\yUgCaQhCIc.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\yUgCaQhCIc.exe"
                                                              Imagebase:0x400000
                                                              File size:509'160 bytes
                                                              MD5 hash:5DA47991F8DA648663063560B0182040
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:1
                                                              Start time:22:15:19
                                                              Start date:13/03/2025
                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
                                                              Imagebase:0x7ff68cc40000
                                                              File size:3'388'000 bytes
                                                              MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:2
                                                              Start time:22:15:20
                                                              Start date:13/03/2025
                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3
                                                              Imagebase:0x7ff68cc40000
                                                              File size:3'388'000 bytes
                                                              MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:3
                                                              Start time:22:15:24
                                                              Start date:13/03/2025
                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8
                                                              Imagebase:0x7ff68cc40000
                                                              File size:3'388'000 bytes
                                                              MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:25%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:22.6%
                                                              Total number of Nodes:1216
                                                              Total number of Limit Nodes:43
40100c DefWindowProcA 3675->3677 3679 4010f3 3676->3679 3680 401179 3677->3680 3681 401073 CreateBrushIndirect FillRect DeleteObject 3679->3681 3682 4010fc 3679->3682 3681->3679 3683 401102 CreateFontIndirectA 3682->3683 3684 401167 EndPaint 3682->3684 3683->3684 3685 401112 6 API calls 3683->3685 3684->3680 3685->3684 3686 402303 3687 402309 3686->3687 3688 4029f6 18 API calls 3687->3688 3689 40231b 3688->3689 3690 4029f6 18 API calls 3689->3690 3691 402325 RegCreateKeyExA 3690->3691 3692 40288b 3691->3692 3693 40234f 3691->3693 3694 402367 3693->3694 3695 4029f6 18 API calls 3693->3695 3696 402373 3694->3696 3699 4029d9 18 API calls 3694->3699 3698 402360 lstrlenA 3695->3698 3697 40238e RegSetValueExA 3696->3697 3700 402e5b 33 API calls 3696->3700 3701 4023a4 RegCloseKey 3697->3701 3698->3694 3699->3696 3700->3697 3701->3692 3703 402803 3704 4029d9 18 API calls 3703->3704 3705 402809 3704->3705 3706 40283a 3705->3706 3707 40265c 3705->3707 3709 402817 3705->3709 3706->3707 3708 405a2e 18 API calls 3706->3708 3708->3707 3709->3707 3711 40596a wsprintfA 3709->3711 3711->3707 2712 401b06 2713 401b57 2712->2713 2716 401b13 2712->2716 2714 401b80 GlobalAlloc 2713->2714 2717 401b5b 2713->2717 2719 405a2e 18 API calls 2714->2719 2715 4021fb 2720 405a2e 18 API calls 2715->2720 2716->2715 2721 401b2a 2716->2721 2718 401b9b 2717->2718 2733 405a0c lstrcpynA 2717->2733 2719->2718 2723 402208 2720->2723 2731 405a0c lstrcpynA 2721->2731 2734 4052cd 2723->2734 2725 401b6d GlobalFree 2725->2718 2727 401b39 2732 405a0c lstrcpynA 2727->2732 2729 401b48 2738 405a0c lstrcpynA 2729->2738 2731->2727 2732->2729 2733->2725 2735 4052e2 2734->2735 2736 4052f6 MessageBoxIndirectA 2735->2736 2737 40532e 2735->2737 2736->2737 2737->2718 2738->2718 3712 403f06 3713 403f1c 3712->3713 3716 404029 3712->3716 3717 403dbe 19 API calls 3713->3717 3714 404098 3715 40416c 3714->3715 3718 4040a2 GetDlgItem 3714->3718 3723 403e25 8 API calls 3715->3723 3716->3714 3716->3715 3722 40406d GetDlgItem 
SendMessageA 3716->3722 3719 403f72 3717->3719 3720 4040b8 3718->3720 3721 40412a 3718->3721 3724 403dbe 19 API calls 3719->3724 3720->3721 3725 4040de 6 API calls 3720->3725 3721->3715 3726 40413c 3721->3726 3743 403de0 KiUserCallbackDispatcher 3722->3743 3728 404167 3723->3728 3729 403f7f CheckDlgButton 3724->3729 3725->3721 3730 404142 SendMessageA 3726->3730 3731 404153 3726->3731 3741 403de0 KiUserCallbackDispatcher 3729->3741 3730->3731 3731->3728 3734 404159 SendMessageA 3731->3734 3732 404093 3735 404191 SendMessageA 3732->3735 3734->3728 3735->3714 3736 403f9d GetDlgItem 3742 403df3 SendMessageA 3736->3742 3738 403fb3 SendMessageA 3739 403fd1 GetSysColor 3738->3739 3740 403fda SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 3738->3740 3739->3740 3740->3728 3741->3736 3742->3738 3743->3732 3744 402506 3745 4029d9 18 API calls 3744->3745 3748 402510 3745->3748 3746 402586 3747 402544 ReadFile 3747->3746 3747->3748 3748->3746 3748->3747 3749 402588 3748->3749 3751 402598 3748->3751 3753 40596a wsprintfA 3749->3753 3751->3746 3752 4025ae SetFilePointer 3751->3752 3752->3746 3753->3746 3754 401c8a 3755 4029d9 18 API calls 3754->3755 3756 401c91 3755->3756 3757 4029d9 18 API calls 3756->3757 3758 401c99 GetDlgItem 3757->3758 3759 4024b8 3758->3759 2903 40190d 2904 40190f 2903->2904 2905 4029f6 18 API calls 2904->2905 2906 401914 2905->2906 2909 405331 2906->2909 2950 4055e0 2909->2950 2912 405365 2915 40549a 2912->2915 2964 405a0c lstrcpynA 2912->2964 2913 40534e DeleteFileA 2914 40191d 2913->2914 2915->2914 2969 405d07 FindFirstFileA 2915->2969 2917 40538f 2918 4053a0 2917->2918 2919 405393 lstrcatA 2917->2919 2975 405546 lstrlenA 2918->2975 2921 4053a6 2919->2921 2923 4053b4 lstrcatA 2921->2923 2925 4053bf lstrlenA FindFirstFileA 2921->2925 2923->2925 2925->2915 2940 4053e3 2925->2940 2927 40552a CharNextA 2927->2940 2929 4056c4 2 API calls 2930 4054cf RemoveDirectoryA 2929->2930 2931 4054f1 2930->2931 2932 4054da 2930->2932 2933 404daa 25 API 
calls 2931->2933 2932->2914 2936 4054e0 2932->2936 2933->2914 2934 405479 FindNextFileA 2937 405491 FindClose 2934->2937 2934->2940 2938 404daa 25 API calls 2936->2938 2937->2915 2939 4054e8 2938->2939 2941 40575a 38 API calls 2939->2941 2940->2927 2940->2934 2943 405331 59 API calls 2940->2943 2946 404daa 25 API calls 2940->2946 2949 405457 2940->2949 2965 405a0c lstrcpynA 2940->2965 2966 4056c4 GetFileAttributesA 2940->2966 2944 4054ef 2941->2944 2943->2940 2944->2914 2946->2934 2947 404daa 25 API calls 2947->2949 2949->2934 2949->2947 2979 40575a 2949->2979 3005 405a0c lstrcpynA 2950->3005 2952 4055f1 3006 405593 CharNextA CharNextA 2952->3006 2955 405345 2955->2912 2955->2913 2956 405c6e 5 API calls 2962 405607 2956->2962 2957 405632 lstrlenA 2958 40563d 2957->2958 2957->2962 2960 4054ff 3 API calls 2958->2960 2959 405d07 2 API calls 2959->2962 2961 405642 GetFileAttributesA 2960->2961 2961->2955 2962->2955 2962->2957 2962->2959 2963 405546 2 API calls 2962->2963 2963->2957 2964->2917 2965->2940 2967 405446 DeleteFileA 2966->2967 2968 4056d3 SetFileAttributesA 2966->2968 2967->2940 2968->2967 2970 4054bf 2969->2970 2971 405d1d FindClose 2969->2971 2970->2914 2972 4054ff lstrlenA CharPrevA 2970->2972 2971->2970 2973 4054c9 2972->2973 2974 405519 lstrcatA 2972->2974 2973->2929 2974->2973 2976 405553 2975->2976 2977 405564 2976->2977 2978 405558 CharPrevA 2976->2978 2977->2921 2978->2976 2978->2977 3012 405d2e GetModuleHandleA 2979->3012 2982 4057c2 GetShortPathNameA 2984 4057d7 2982->2984 2985 4058b7 2982->2985 2984->2985 2987 4057df wsprintfA 2984->2987 2985->2949 2986 4057a6 CloseHandle GetShortPathNameA 2986->2985 2988 4057ba 2986->2988 2989 405a2e 18 API calls 2987->2989 2988->2982 2988->2985 2990 405807 2989->2990 3017 4056e3 GetFileAttributesA CreateFileA 2990->3017 2992 405814 2992->2985 2993 405823 GetFileSize GlobalAlloc 2992->2993 2994 4058b0 CloseHandle 2993->2994 2995 405841 ReadFile 2993->2995 2994->2985 2995->2994 2996 405855 2995->2996 2996->2994 
3018 405658 lstrlenA 2996->3018 2999 4058c4 3002 405658 4 API calls 2999->3002 3000 40586a 3023 405a0c lstrcpynA 3000->3023 3003 405878 3002->3003 3004 40588b SetFilePointer WriteFile GlobalFree 3003->3004 3004->2994 3005->2952 3007 4055ad 3006->3007 3011 4055b9 3006->3011 3008 4055b4 CharNextA 3007->3008 3007->3011 3009 4055d6 3008->3009 3009->2955 3009->2956 3010 40552a CharNextA 3010->3011 3011->3009 3011->3010 3013 405d55 GetProcAddress 3012->3013 3014 405d4a LoadLibraryA 3012->3014 3015 405765 3013->3015 3014->3013 3014->3015 3015->2982 3015->2985 3016 4056e3 GetFileAttributesA CreateFileA 3015->3016 3016->2986 3017->2992 3019 40568e lstrlenA 3018->3019 3020 405698 3019->3020 3021 40566c lstrcmpiA 3019->3021 3020->2999 3020->3000 3021->3020 3022 405685 CharNextA 3021->3022 3022->3019 3023->3003 3760 403513 3761 40351e 3760->3761 3762 403522 3761->3762 3763 403525 GlobalAlloc 3761->3763 3763->3762 3151 401d95 3152 4029d9 18 API calls 3151->3152 3153 401d9b 3152->3153 3154 4029d9 18 API calls 3153->3154 3155 401da4 3154->3155 3156 401db6 EnableWindow 3155->3156 3157 401dab ShowWindow 3155->3157 3158 40288b 3156->3158 3157->3158 3764 402615 3765 402618 3764->3765 3769 402630 3764->3769 3766 402625 FindNextFileA 3765->3766 3767 40266f 3766->3767 3766->3769 3770 405a0c lstrcpynA 3767->3770 3770->3769 3771 401595 3772 4029f6 18 API calls 3771->3772 3773 40159c SetFileAttributesA 3772->3773 3774 4015ae 3773->3774 3775 401e95 3776 4029f6 18 API calls 3775->3776 3777 401e9c 3776->3777 3778 405d07 2 API calls 3777->3778 3779 401ea2 3778->3779 3781 401eb4 3779->3781 3782 40596a wsprintfA 3779->3782 3782->3781 3783 401696 3784 4029f6 18 API calls 3783->3784 3785 40169c GetFullPathNameA 3784->3785 3788 4016b3 3785->3788 3792 4016d4 3785->3792 3786 4016e8 GetShortPathNameA 3787 40288b 3786->3787 3789 405d07 2 API calls 3788->3789 3788->3792 3790 4016c4 3789->3790 3790->3792 3793 405a0c lstrcpynA 3790->3793 3792->3786 3792->3787 3793->3792 3794 401d1b GetDC GetDeviceCaps 
3795 4029d9 18 API calls 3794->3795 3796 401d37 MulDiv 3795->3796 3797 4029d9 18 API calls 3796->3797 3798 401d4c 3797->3798 3799 405a2e 18 API calls 3798->3799 3800 401d85 CreateFontIndirectA 3799->3800 3801 4024b8 3800->3801 3802 401e1b 3803 4029f6 18 API calls 3802->3803 3804 401e21 3803->3804 3805 404daa 25 API calls 3804->3805 3806 401e2b 3805->3806 3807 40526c 2 API calls 3806->3807 3808 401e31 3807->3808 3809 40265c 3808->3809 3810 401e87 CloseHandle 3808->3810 3811 401e50 WaitForSingleObject 3808->3811 3813 405d67 2 API calls 3808->3813 3810->3809 3811->3808 3812 401e5e GetExitCodeProcess 3811->3812 3814 401e70 3812->3814 3815 401e79 3812->3815 3813->3811 3817 40596a wsprintfA 3814->3817 3815->3810 3817->3815 3818 40249c 3819 4029f6 18 API calls 3818->3819 3820 4024a3 3819->3820 3823 4056e3 GetFileAttributesA CreateFileA 3820->3823 3822 4024af 3823->3822 3824 402020 3825 4029f6 18 API calls 3824->3825 3826 402027 3825->3826 3827 4029f6 18 API calls 3826->3827 3828 402031 3827->3828 3829 4029f6 18 API calls 3828->3829 3830 40203a 3829->3830 3831 4029f6 18 API calls 3830->3831 3832 402044 3831->3832 3833 4029f6 18 API calls 3832->3833 3835 40204e 3833->3835 3834 402062 CoCreateInstance 3839 402081 3834->3839 3840 402137 3834->3840 3835->3834 3836 4029f6 18 API calls 3835->3836 3836->3834 3837 401423 25 API calls 3838 402169 3837->3838 3839->3840 3841 402116 MultiByteToWideChar 3839->3841 3840->3837 3840->3838 3841->3840 2689 401721 2690 4029f6 18 API calls 2689->2690 2691 401728 2690->2691 2695 405712 2691->2695 2693 40172f 2694 405712 2 API calls 2693->2694 2694->2693 2696 40571d GetTickCount GetTempFileNameA 2695->2696 2697 405749 2696->2697 2698 40574d 2696->2698 2697->2696 2697->2698 2698->2693 3842 401922 3843 4029f6 18 API calls 3842->3843 3844 401929 lstrlenA 3843->3844 3845 4024b8 3844->3845 2699 402223 2700 402231 2699->2700 2701 40222b 2699->2701 2703 4029f6 18 API calls 2700->2703 2705 402241 2700->2705 2702 4029f6 18 API calls 2701->2702 
2702->2700 2703->2705 2704 40224f 2707 4029f6 18 API calls 2704->2707 2705->2704 2706 4029f6 18 API calls 2705->2706 2706->2704 2708 402258 WritePrivateProfileStringA 2707->2708 3846 401ca5 3847 4029d9 18 API calls 3846->3847 3848 401cb5 SetWindowLongA 3847->3848 3849 40288b 3848->3849 3850 401a26 3851 4029d9 18 API calls 3850->3851 3852 401a2c 3851->3852 3853 4029d9 18 API calls 3852->3853 3854 4019d6 3853->3854 3855 402427 3865 402b00 3855->3865 3857 402431 3858 4029d9 18 API calls 3857->3858 3859 40243a 3858->3859 3860 402451 RegEnumKeyA 3859->3860 3861 40245d RegEnumValueA 3859->3861 3863 40265c 3859->3863 3862 402476 RegCloseKey 3860->3862 3861->3862 3861->3863 3862->3863 3866 4029f6 18 API calls 3865->3866 3867 402b19 3866->3867 3868 402b27 RegOpenKeyExA 3867->3868 3868->3857 3869 4022a7 3870 4022d7 3869->3870 3871 4022ac 3869->3871 3873 4029f6 18 API calls 3870->3873 3872 402b00 19 API calls 3871->3872 3874 4022b3 3872->3874 3876 4022de 3873->3876 3875 4029f6 18 API calls 3874->3875 3879 4022f4 3874->3879 3877 4022c4 RegDeleteValueA RegCloseKey 3875->3877 3880 402a36 RegOpenKeyExA 3876->3880 3877->3879 3883 402a61 3880->3883 3889 402aad 3880->3889 3881 402a87 RegEnumKeyA 3882 402a99 RegCloseKey 3881->3882 3881->3883 3885 405d2e 3 API calls 3882->3885 3883->3881 3883->3882 3884 402abe RegCloseKey 3883->3884 3886 402a36 3 API calls 3883->3886 3884->3889 3887 402aa9 3885->3887 3886->3883 3888 402ad9 RegDeleteKeyA 3887->3888 3887->3889 3888->3889 3889->3879 3024 401bad 3046 4029d9 3024->3046 3026 401bb4 3027 4029d9 18 API calls 3026->3027 3028 401bbe 3027->3028 3029 4029f6 18 API calls 3028->3029 3030 401bce 3028->3030 3029->3030 3031 4029f6 18 API calls 3030->3031 3035 401bde 3030->3035 3031->3035 3032 401be9 3036 4029d9 18 API calls 3032->3036 3033 401c2d 3034 4029f6 18 API calls 3033->3034 3038 401c32 3034->3038 3035->3032 3035->3033 3037 401bee 3036->3037 3039 4029d9 18 API calls 3037->3039 3040 4029f6 18 API calls 3038->3040 3041 401bf7 3039->3041 3042 
401c3b FindWindowExA 3040->3042 3043 401c1d SendMessageA 3041->3043 3044 401bff SendMessageTimeoutA 3041->3044 3045 401c59 3042->3045 3043->3045 3044->3045 3047 405a2e 18 API calls 3046->3047 3048 4029ed 3047->3048 3048->3026 3890 4023af 3891 402b00 19 API calls 3890->3891 3892 4023b9 3891->3892 3893 4029f6 18 API calls 3892->3893 3894 4023c2 3893->3894 3895 4023cc RegQueryValueExA 3894->3895 3897 40265c 3894->3897 3896 4023ec 3895->3896 3900 4023f2 RegCloseKey 3895->3900 3896->3900 3901 40596a wsprintfA 3896->3901 3900->3897 3901->3900 3902 404531 3903 404541 3902->3903 3904 40455d 3902->3904 3913 4052b1 GetDlgItemTextA 3903->3913 3906 404590 3904->3906 3907 404563 SHGetPathFromIDListA 3904->3907 3909 40457a SendMessageA 3907->3909 3910 404573 3907->3910 3908 40454e SendMessageA 3908->3904 3909->3906 3912 40140b 2 API calls 3910->3912 3912->3909 3913->3908 3067 4015b3 3068 4029f6 18 API calls 3067->3068 3069 4015ba 3068->3069 3070 405593 4 API calls 3069->3070 3081 4015c2 3070->3081 3071 40160a 3073 40162d 3071->3073 3074 40160f 3071->3074 3072 40552a CharNextA 3075 4015d0 CreateDirectoryA 3072->3075 3079 401423 25 API calls 3073->3079 3076 401423 25 API calls 3074->3076 3077 4015e5 GetLastError 3075->3077 3075->3081 3078 401616 3076->3078 3080 4015f2 GetFileAttributesA 3077->3080 3077->3081 3085 405a0c lstrcpynA 3078->3085 3083 402169 3079->3083 3080->3081 3081->3071 3081->3072 3084 401621 SetCurrentDirectoryA 3084->3083 3085->3084 3086 401734 3087 4029f6 18 API calls 3086->3087 3088 40173b 3087->3088 3089 401761 3088->3089 3090 401759 3088->3090 3147 405a0c lstrcpynA 3089->3147 3146 405a0c lstrcpynA 3090->3146 3093 40175f 3097 405c6e 5 API calls 3093->3097 3094 40176c 3095 4054ff 3 API calls 3094->3095 3096 401772 lstrcatA 3095->3096 3096->3093 3103 40177e 3097->3103 3098 405d07 2 API calls 3098->3103 3099 4056c4 2 API calls 3099->3103 3101 401795 CompareFileTime 3101->3103 3102 401859 3104 404daa 25 API calls 3102->3104 3103->3098 3103->3099 3103->3101 
3103->3102 3106 405a0c lstrcpynA 3103->3106 3112 405a2e 18 API calls 3103->3112 3120 4052cd MessageBoxIndirectA 3103->3120 3123 401830 3103->3123 3124 4056e3 GetFileAttributesA CreateFileA 3103->3124 3107 401863 3104->3107 3105 404daa 25 API calls 3111 401845 3105->3111 3106->3103 3125 402e5b 3107->3125 3110 40188a SetFileTime 3113 40189c CloseHandle 3110->3113 3112->3103 3113->3111 3114 4018ad 3113->3114 3115 4018b2 3114->3115 3116 4018c5 3114->3116 3118 405a2e 18 API calls 3115->3118 3117 405a2e 18 API calls 3116->3117 3119 4018cd 3117->3119 3121 4018ba lstrcatA 3118->3121 3122 4052cd MessageBoxIndirectA 3119->3122 3120->3103 3121->3119 3122->3111 3123->3105 3123->3111 3124->3103 3126 402e71 3125->3126 3127 402e9f 3126->3127 3150 4030af SetFilePointer 3126->3150 3148 40307d ReadFile 3127->3148 3131 403011 3133 403015 3131->3133 3139 40302d 3131->3139 3132 402ebc GetTickCount 3134 401876 3132->3134 3137 402f0b 3132->3137 3136 40307d ReadFile 3133->3136 3134->3110 3134->3113 3135 40307d ReadFile 3135->3137 3136->3134 3137->3134 3137->3135 3141 402f61 GetTickCount 3137->3141 3142 402f86 MulDiv wsprintfA 3137->3142 3143 402ffc 3137->3143 3145 402fc4 WriteFile 3137->3145 3138 40307d ReadFile 3138->3139 3139->3134 3139->3138 3140 403048 WriteFile 3139->3140 3140->3134 3140->3139 3141->3137 3144 404daa 25 API calls 3142->3144 3143->3134 3144->3137 3145->3134 3145->3137 3146->3093 3147->3094 3149 402eaa 3148->3149 3149->3131 3149->3132 3149->3134 3150->3127 3914 401634 3915 4029f6 18 API calls 3914->3915 3916 40163a 3915->3916 3917 405d07 2 API calls 3916->3917 3918 401640 3917->3918 3919 401934 3920 4029d9 18 API calls 3919->3920 3921 40193b 3920->3921 3922 4029d9 18 API calls 3921->3922 3923 401945 3922->3923 3924 4029f6 18 API calls 3923->3924 3925 40194e 3924->3925 3926 401961 lstrlenA 3925->3926 3927 40199c 3925->3927 3928 40196b 3926->3928 3928->3927 3932 405a0c lstrcpynA 3928->3932 3930 401985 3930->3927 3931 401992 lstrlenA 3930->3931 3931->3927 3932->3930 3933 
4041b5 3934 4041c5 3933->3934 3935 4041eb 3933->3935 3936 403dbe 19 API calls 3934->3936 3937 403e25 8 API calls 3935->3937 3938 4041d2 SetDlgItemTextA 3936->3938 3939 4041f7 3937->3939 3938->3935 3940 4019b5 3941 4029f6 18 API calls 3940->3941 3942 4019bc 3941->3942 3943 4029f6 18 API calls 3942->3943 3944 4019c5 3943->3944 3945 4019cc lstrcmpiA 3944->3945 3946 4019de lstrcmpA 3944->3946 3947 4019d2 3945->3947 3946->3947 3948 4014b7 3949 4014bd 3948->3949 3950 401389 2 API calls 3949->3950 3951 4014c5 3950->3951 3952 402b3b 3953 402b63 3952->3953 3954 402b4a SetTimer 3952->3954 3955 402bb8 3953->3955 3956 402b7d MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 3953->3956 3954->3953 3956->3955 3957 40263e 3958 4029f6 18 API calls 3957->3958 3959 402645 FindFirstFileA 3958->3959 3960 402668 3959->3960 3963 402658 3959->3963 3961 40266f 3960->3961 3965 40596a wsprintfA 3960->3965 3966 405a0c lstrcpynA 3961->3966 3965->3961 3966->3963 3967 4024be 3968 4024c3 3967->3968 3969 4024d4 3967->3969 3970 4029d9 18 API calls 3968->3970 3971 4029f6 18 API calls 3969->3971 3973 4024ca 3970->3973 3972 4024db lstrlenA 3971->3972 3972->3973 3974 4024fa WriteFile 3973->3974 3975 40265c 3973->3975 3974->3975

                                                              Executed Functions

                                                              Control-flow Graph

                                                              [Control-flow graph for function 004030fa-0040318f (executed / not-executed basic blocks and edges); rendered as an interactive graph in the original report and omitted here. The API calls made from this function are listed under APIs below.]
                                                              APIs
                                                              • #17.COMCTL32 ref: 00403119
                                                              • SetErrorMode.KERNEL32(00008001), ref: 00403124
                                                              • OleInitialize.OLE32(00000000), ref: 0040312B
                                                                • Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                • Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                • Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                              • SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153
                                                                • Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00405A19
                                                              • GetCommandLineA.KERNEL32(Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00403168
                                                              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 0040317B
                                                              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000020), ref: 004031A6
                                                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403239
                                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
                                                              • DeleteFileA.KERNEL32(1033), ref: 0040326D
                                                              • ExitProcess.KERNEL32(00000000), ref: 004032E6
                                                              • CoUninitialize.COMBASE(00000000), ref: 004032EB
                                                              • ExitProcess.KERNEL32 ref: 0040330B
                                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000,00000000), ref: 00403317
                                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403323
                                                              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
                                                              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
                                                              • DeleteFileA.KERNEL32(00428B98,00428B98,?,8174224,?), ref: 00403380
                                                              • CopyFileA.KERNEL32(C:\Users\user\Desktop\yUgCaQhCIc.exe,00428B98,00000001), ref: 00403394
                                                              • CloseHandle.KERNEL32(00000000,00428B98,00428B98,?,00428B98,00000000), ref: 004033C1
                                                              • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
                                                              • ExitProcess.KERNEL32 ref: 00403475
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                              • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\yUgCaQhCIc.exe"$1033$8174224$Bibado Installer - Nero Burning Rom Setup$C:\Program Files (x86)\Nero Burning Rom$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yUgCaQhCIc.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                              • API String ID: 553446912-4104674120
                                                              • Opcode ID: 45d42ed5c4d876ad97725e9f6e03eadd888ac50b64b28f7db70aa7e7231c680b
                                                              • Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
                                                              • Opcode Fuzzy Hash: 45d42ed5c4d876ad97725e9f6e03eadd888ac50b64b28f7db70aa7e7231c680b
                                                              • Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

                                                              Control-flow Graph

                                                              [Control-flow graph for function 00404ee8-00404f03 and its basic blocks (executed / not-executed blocks and edges); rendered as an interactive graph in the original report and omitted here. The API calls made from this function are listed under APIs below.]
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 00404F47
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00404F56
                                                              • GetClientRect.USER32(?,?), ref: 00404F93
                                                              • GetSystemMetrics.USER32(00000015), ref: 00404F9B
                                                              • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404FBC
                                                              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FCD
                                                              • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FE0
                                                              • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FEE
                                                              • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405001
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405023
                                                              • ShowWindow.USER32(?,00000008), ref: 00405037
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405058
                                                              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405068
                                                              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405081
                                                              • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040508D
                                                              • GetDlgItem.USER32(?,000003F8), ref: 00404F65
                                                                • Part of subcall function 00403DF3: SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004050AA
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
                                                              • CloseHandle.KERNEL32(00000000), ref: 004050BF
                                                              • ShowWindow.USER32(00000000), ref: 004050E3
                                                              • ShowWindow.USER32(00030488,00000008), ref: 004050E8
                                                              • ShowWindow.USER32(00000008), ref: 0040512F
                                                              • SendMessageA.USER32(00030488,00001004,00000000,00000000), ref: 00405161
                                                              • CreatePopupMenu.USER32 ref: 00405172
                                                              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
                                                              • GetWindowRect.USER32(00030488,?), ref: 0040519A
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051F9
                                                              • OpenClipboard.USER32(00000000), ref: 00405209
                                                              • EmptyClipboard.USER32 ref: 0040520F
                                                              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405222
                                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405236
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040524E
                                                              • SetClipboardData.USER32(00000001,00000000), ref: 00405259
                                                              • CloseClipboard.USER32 ref: 0040525F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: {
                                                              • API String ID: 590372296-366298937
                                                              • Opcode ID: 8c42101e40be803c13c5f71ff1e8168cbe0923005c36041f7ba334d44b22fede
                                                              • Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
                                                              • Opcode Fuzzy Hash: 8c42101e40be803c13c5f71ff1e8168cbe0923005c36041f7ba334d44b22fede
                                                              • Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

                                                              Control-flow Graph

                                                              APIs
                                                              • GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00404DE2,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000), ref: 00405AD6
                                                              • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B51
                                                              • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B64
                                                              • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405BA0
                                                              • SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 00405BAE
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00405BB9
                                                              • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
                                                              • lstrlenA.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00404DE2,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000), ref: 00405C2D
                                                              Strings
                                                              Similarity
                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                              • String ID: 8174224$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 900638850-1744765625
                                                              • Opcode ID: 0d14f094528aed849df2af9f937b6990b4eadfafe30509a4d4a4b34282f77478
                                                              • Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
                                                              • Opcode Fuzzy Hash: 0d14f094528aed849df2af9f937b6990b4eadfafe30509a4d4a4b34282f77478
                                                              • Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

                                                              Control-flow Graph

                                                              APIs
                                                              • DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 0040534F
                                                              • lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405399
                                                              • lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004053BA
                                                              • lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004053C0
                                                              • FindFirstFileA.KERNEL32(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004053D1
                                                              • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405483
                                                              • FindClose.KERNEL32(?), ref: 00405494
                                                              Strings
                                                              • \*.*, xrefs: 00405393
                                                              • "C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 0040533B
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405331
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                              • API String ID: 2035342205-3369879357
                                                              • Opcode ID: 6e16baadad6b95f5c0866290d486e1e1d7ac722db6f4b6144940dcbc5fdab850
                                                              • Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
                                                              • Opcode Fuzzy Hash: 6e16baadad6b95f5c0866290d486e1e1d7ac722db6f4b6144940dcbc5fdab850
                                                              • Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(?,0042C030,C:\,00405623,C:\,C:\,00000000,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405D12
                                                              • FindClose.KERNEL32(00000000), ref: 00405D1E
                                                              Strings
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID: C:\
                                                              • API String ID: 2295610775-3404278061
                                                              • Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
                                                              • Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
                                                              • Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
                                                              • Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                              • LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                              Similarity
                                                              • API ID: AddressHandleLibraryLoadModuleProc
                                                              • String ID:
                                                              • API String ID: 310444273-0
                                                              • Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                                                              • Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
                                                              • Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
                                                              • Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

                                                              Control-flow Graph

                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
                                                              • ShowWindow.USER32(?), ref: 00403944
                                                              • DestroyWindow.USER32 ref: 00403958
                                                              • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
                                                              • GetDlgItem.USER32(?,?), ref: 00403995
                                                              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039A9
                                                              • IsWindowEnabled.USER32(00000000), ref: 004039B0
                                                              • GetDlgItem.USER32(?,00000001), ref: 00403A5E
                                                              • GetDlgItem.USER32(?,00000002), ref: 00403A68
                                                              • SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
                                                              • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AD3
                                                              • GetDlgItem.USER32(?,00000003), ref: 00403B79
                                                              • ShowWindow.USER32(00000000,?), ref: 00403B9A
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BAC
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BC7
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BDD
                                                              • EnableMenuItem.USER32(00000000), ref: 00403BE4
                                                              • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BFC
                                                              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C0F
                                                              • lstrlenA.KERNEL32(00429FE0,?,00429FE0,Bibado Installer - Nero Burning Rom Setup), ref: 00403C38
                                                              • SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
                                                              • ShowWindow.USER32(?,0000000A), ref: 00403D7B
                                                              Strings
                                                              • Bibado Installer - Nero Burning Rom Setup, xrefs: 00403C29
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                                              • String ID: Bibado Installer - Nero Burning Rom Setup
                                                              • API String ID: 1252290697-210263014
                                                              • Opcode ID: 048f0401d2d78e99a36359b8774e307136c9c010a2c2033ba7648e13957d1e12
                                                              • Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
                                                              • Opcode Fuzzy Hash: 048f0401d2d78e99a36359b8774e307136c9c010a2c2033ba7648e13957d1e12
                                                              • Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

                                                              Control-flow graph: function 00403555, blocks 00403555-0040381D
                                                              APIs
                                                                • Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                • Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                • Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                              • lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
                                                              • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\Nero Burning Rom,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\yUgCaQhCIc.exe"), ref: 0040363B
                                                              • lstrcmpiA.KERNEL32(?,.exe), ref: 0040364E
                                                              • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 00403659
                                                              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Nero Burning Rom), ref: 004036A2
                                                                • Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977
                                                              • RegisterClassA.USER32 ref: 004036E9
                                                              • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
                                                              • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040373A
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403770
                                                              • LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
                                                              • LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
                                                              • GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
                                                              • GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
                                                              • RegisterClassA.USER32(0042E300), ref: 004037B2
                                                              • DialogBoxParamA.USER32(?,00000000,004038EB,00000000), ref: 004037D1
                                                              Similarity
                                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Nero Burning Rom$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                              • API String ID: 914957316-3563394334
                                                              • Opcode ID: 1461fe52c76a6e820ee1ef65736cb2314b449e2a4b5a01a29c53df08a85d2756
                                                              • Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
                                                              • Opcode Fuzzy Hash: 1461fe52c76a6e820ee1ef65736cb2314b449e2a4b5a01a29c53df08a85d2756
                                                              • Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

                                                              Control-flow graph: function 00402C22, blocks 00402C22-00402E58
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00402C33
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yUgCaQhCIc.exe,00000400), ref: 00402C4F
                                                                • Part of subcall function 004056E3: GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 004056E7
                                                                • Part of subcall function 004056E3: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709
                                                              • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yUgCaQhCIc.exe,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 00402C9B
                                                              Strings
                                                              • C:\Users\user\Desktop\yUgCaQhCIc.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
                                                              • "C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 00402C2C
                                                              • soft, xrefs: 00402D10
                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
                                                              • Null, xrefs: 00402D19
                                                              • Inst, xrefs: 00402D07
                                                              • Error launching installer, xrefs: 00402C72
                                                              • C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88
                                                              Similarity
                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                              • String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yUgCaQhCIc.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                              • API String ID: 4283519449-2542861797
                                                              • Opcode ID: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
                                                              • Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
                                                              • Opcode Fuzzy Hash: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
                                                              • Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

                                                              Control-flow graph: function 00401734, blocks 00401734-0040289A
                                                              APIs
                                                              • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\,00434800,00000000,00000000,00000031), ref: 00401773
                                                              • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00434800,00000000,00000000,00000031), ref: 0040179D
                                                                • Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00405A19
                                                                • Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                                • Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                                • Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0), ref: 00404E06
                                                                • Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\), ref: 00404E18
                                                                • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                                • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                                • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: 8174224$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Toolbar
                                                              • API String ID: 1941528284-2294010849
                                                              • Opcode ID: f677182cd7597cfd306baf5213bbf490efafa294cece3d8a58661fe224b296f1
                                                              • Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
                                                              • Opcode Fuzzy Hash: f677182cd7597cfd306baf5213bbf490efafa294cece3d8a58661fe224b296f1
                                                              • Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

                                                              Control-flow graph: function 00404DAA, blocks 00404DAA-00404E79
                                                              APIs
                                                              • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                              • lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                              • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0), ref: 00404E06
                                                              • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\), ref: 00404E18
                                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                              • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                              • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                              • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\
                                                              • API String ID: 2531174081-454612145
                                                              • Opcode ID: 4c40d471567b76e324dd5d5172a32d65f1e9fb516d406fa49f56aca93204cf98
                                                              • Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
                                                              • Opcode Fuzzy Hash: 4c40d471567b76e324dd5d5172a32d65f1e9fb516d406fa49f56aca93204cf98
                                                              • Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

                                                              Control-flow Graph

                                                              control_flow_graph 611 402e5b-402e6f 612 402e71 611->612 613 402e78-402e81 611->613 612->613 614 402e83 613->614 615 402e8a-402e8f 613->615 614->615 616 402e91-402e9a call 4030af 615->616 617 402e9f-402eac call 40307d 615->617 616->617 621 402eb2-402eb6 617->621 622 403028 617->622 624 403011-403013 621->624 625 402ebc-402f05 GetTickCount 621->625 623 40302a-40302b 622->623 626 403076-40307a 623->626 627 403015-403018 624->627 628 403068-40306c 624->628 629 403073 625->629 630 402f0b-402f13 625->630 633 40301a 627->633 634 40301d-403026 call 40307d 627->634 631 40302d-403033 628->631 632 40306e 628->632 629->626 635 402f15 630->635 636 402f18-402f26 call 40307d 630->636 638 403035 631->638 639 403038-403046 call 40307d 631->639 632->629 633->634 634->622 646 403070 634->646 635->636 636->622 644 402f2c-402f35 636->644 638->639 639->622 648 403048-40305b WriteFile 639->648 647 402f3b-402f5b call 405e08 644->647 646->629 654 402f61-402f74 GetTickCount 647->654 655 403009-40300b 647->655 650 40300d-40300f 648->650 651 40305d-403060 648->651 650->623 651->650 653 403062-403065 651->653 653->628 656 402f76-402f7e 654->656 657 402fb9-402fbd 654->657 655->623 658 402f80-402f84 656->658 659 402f86-402fb6 MulDiv wsprintfA call 404daa 656->659 660 402ffe-403001 657->660 661 402fbf-402fc2 657->661 658->657 658->659 659->657 660->630 662 403007 660->662 664 402fe4-402fef 661->664 665 402fc4-402fd8 WriteFile 661->665 662->629 667 402ff2-402ff6 664->667 665->650 666 402fda-402fdd 665->666 666->650 669 402fdf-402fe2 666->669 667->647 670 402ffc 667->670 669->667 670->629
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00402EC2
                                                              • GetTickCount.KERNEL32 ref: 00402F69
                                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F92
                                                              • wsprintfA.USER32 ref: 00402FA2
                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,7FFFFFFF,00000000), ref: 00402FD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CountTick$FileWritewsprintf
                                                              • String ID: ... %d%%
                                                              • API String ID: 4209647438-2449383134
                                                              • Opcode ID: 787522d49fa5e6cbb185d9a46a8dfd7f8e2c103290e6532508a1672770904cea
                                                              • Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
                                                              • Opcode Fuzzy Hash: 787522d49fa5e6cbb185d9a46a8dfd7f8e2c103290e6532508a1672770904cea
                                                              • Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

                                                              Control-flow Graph

                                                              control_flow_graph 671 401f51-401f5d 672 401f63-401f79 call 4029f6 * 2 671->672 673 402019-40201b 671->673 683 401f88-401f96 LoadLibraryExA 672->683 684 401f7b-401f86 GetModuleHandleA 672->684 675 402164-402169 call 401423 673->675 680 40288b-40289a 675->680 686 401f98-401fa6 GetProcAddress 683->686 687 402012-402014 683->687 684->683 684->686 688 401fe5-401fea call 404daa 686->688 689 401fa8-401fae 686->689 687->675 693 401fef-401ff2 688->693 691 401fb0-401fbc call 401423 689->691 692 401fc7-401fdb 689->692 691->693 702 401fbe-401fc5 691->702 695 401fe0-401fe3 692->695 693->680 696 401ff8-402000 call 4034f5 693->696 695->693 696->680 701 402006-40200d FreeLibrary 696->701 701->680 702->693
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C
                                                                • Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
                                                                • Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
                                                                • Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0), ref: 00404E06
                                                                • Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\), ref: 00404E18
                                                                • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
                                                                • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
                                                                • Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66
                                                              • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                                              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                              • String ID: 8174224$B
                                                              • API String ID: 2987980305-3798258468
                                                              • Opcode ID: 551f093684186f84c7c1f62f32051f5768313c863a04f8ea7071731246c8ad6e
                                                              • Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
                                                              • Opcode Fuzzy Hash: 551f093684186f84c7c1f62f32051f5768313c863a04f8ea7071731246c8ad6e
                                                              • Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

                                                              Control-flow Graph

                                                              control_flow_graph 703 405712-40571c 704 40571d-405747 GetTickCount GetTempFileNameA 703->704 705 405756-405758 704->705 706 405749-40574b 704->706 708 405750-405753 705->708 706->704 707 40574d 706->707 707->708
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405725
                                                              • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040573F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-2928232156
                                                              • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                              • Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
                                                              • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                                              • Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

                                                              Control-flow Graph

                                                              control_flow_graph 709 401bad-401bc5 call 4029d9 * 2 714 401bd1-401bd5 709->714 715 401bc7-401bce call 4029f6 709->715 717 401be1-401be7 714->717 718 401bd7-401bde call 4029f6 714->718 715->714 721 401be9-401bfd call 4029d9 * 2 717->721 722 401c2d-401c53 call 4029f6 * 2 FindWindowExA 717->722 718->717 732 401c1d-401c2b SendMessageA 721->732 733 401bff-401c1b SendMessageTimeoutA 721->733 734 401c59 722->734 732->734 735 401c5c-401c5f 733->735 734->735 736 401c65 735->736 737 40288b-40289a 735->737 736->737
                                                              APIs
                                                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                                              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
                                                              • Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
                                                              • Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
                                                              • Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

                                                              Control-flow Graph

                                                              control_flow_graph 740 4015b3-4015c6 call 4029f6 call 405593 745 4015c8-4015e3 call 40552a CreateDirectoryA 740->745 746 40160a-40160d 740->746 753 401600-401608 745->753 754 4015e5-4015f0 GetLastError 745->754 748 40162d-402169 call 401423 746->748 749 40160f-401628 call 401423 call 405a0c SetCurrentDirectoryA 746->749 761 40288b-40289a 748->761 749->761 753->745 753->746 758 4015f2-4015fb GetFileAttributesA 754->758 759 4015fd 754->759 758->753 758->759 759->753
                                                              APIs
                                                                • Part of subcall function 00405593: CharNextA.USER32(ES@,?,C:\,00000000,004055F7,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004055A1
                                                                • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
                                                                • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5
                                                              • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                              • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                              • SetCurrentDirectoryA.KERNEL32(00000000,00434800,00000000,00000000,000000F0), ref: 00401622
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                              • String ID:
                                                              • API String ID: 3751793516-0
                                                              • Opcode ID: e9d59eda693b922a5fdb80184fc3babb31ba0cd8e1a3062a527ae998bf2baf8a
                                                              • Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
                                                              • Opcode Fuzzy Hash: e9d59eda693b922a5fdb80184fc3babb31ba0cd8e1a3062a527ae998bf2baf8a
                                                              • Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

                                                              Control-flow Graph

                                                              control_flow_graph 765 4055e0-4055fb call 405a0c call 405593 770 405601-40560e call 405c6e 765->770 771 4055fd-4055ff 765->771 775 405610-405614 770->775 776 40561a-40561c 770->776 772 405653-405655 771->772 775->771 777 405616-405618 775->777 778 405632-40563b lstrlenA 776->778 777->771 777->776 779 40563d-405651 call 4054ff GetFileAttributesA 778->779 780 40561e-405625 call 405d07 778->780 779->772 785 405627-40562a 780->785 786 40562c-40562d call 405546 780->786 785->771 785->786 786->778
                                                              APIs
                                                                • Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00405A19
                                                                • Part of subcall function 00405593: CharNextA.USER32(ES@,?,C:\,00000000,004055F7,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004055A1
                                                                • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
                                                                • Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5
                                                              • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405633
                                                              • GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405643
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
• Opcode ID: da87c44caba5ef5b47b3dfc23c9f89bee904d632c2bc274008544d1b26360f61
• Instruction ID: cbb7be82a93a6dd192d11d13e0df5a6c8cbb76871d8c278764bccb9a445afede
• Opcode Fuzzy Hash: da87c44caba5ef5b47b3dfc23c9f89bee904d632c2bc274008544d1b26360f61
• Instruction Fuzzy Hash: B5F02825205D6132D622363A1C49BAF1A56CD833247980D3BF854B12C6DB3D8943EE6E
APIs
  • Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
  • Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
  • Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
  • Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8
• CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID: 1033$C:\Users\user\AppData\Local\Temp\
• API String ID: 4115351271-2030658151
• Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
• Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
• Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
• Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE
APIs
• FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
• GlobalFree.KERNEL32(00000000), ref: 004034E1
Strings
• "C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 004034D2
Similarity
• API ID: Free$GlobalLibrary
• String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"
• API String ID: 1100898210-1484012235
• Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
• Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
• Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
• Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD
APIs
• GlobalFree.KERNEL32(007B7810), ref: 00401B75
• GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401B87
Strings
Similarity
• API ID: Global$AllocFree
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3394109436-823278215
• Opcode ID: 0f8e336cfa202ebd74b4841c9e5fcfc62dd7a51da43063299facde2bddfebbd9
• Instruction ID: 02e27a443d0c975bd2d35078e55c9ecbb47b75263e9a7029776e4410220f8425
• Opcode Fuzzy Hash: 0f8e336cfa202ebd74b4841c9e5fcfc62dd7a51da43063299facde2bddfebbd9
• Instruction Fuzzy Hash: C821C3B67002029BC710EB94DEC595F73A8EB84368724463BF502F32D0DB78AC019B5E
APIs
• RegOpenKeyExA.KERNEL32(80000002,00405B2F,00000000,00000002,?,00000002,0036A419,?,00405B2F,80000002,Software\Microsoft\Windows\CurrentVersion,0036A419,Remove folder: ,00798FB1), ref: 0040591C
• RegQueryValueExA.KERNEL32(0036A419,?,00000000,00405B2F,0036A419,00405B2F), ref: 0040593D
• RegCloseKey.KERNEL32(?), ref: 0040595E
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
• Instruction ID: 7f29002dde4dac3a19eb3905e2141cfc53fc6fe5580d4c3066aa5286193c6294
• Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
• Instruction Fuzzy Hash: 16015AB104020AEFDF128F64EC44AEB3FACEF153A4F004436F954E6220D235D968DBA5
APIs
• GetPrivateProfileStringA.KERNEL32(00000000,?,!N~,?,000003FF,00000000), ref: 00402297
Strings
Similarity
• API ID: PrivateProfileString
• String ID: !N~
• API String ID: 1096422788-529124213
• Opcode ID: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
• Instruction ID: 21cd7503a9a85725414fd2f210def48a3ed87e9b9f52c0cacc02f36f79452d1c
• Opcode Fuzzy Hash: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
• Instruction Fuzzy Hash: E4E04F71900208BBDB50AFA1CD49DAE3AA8BF043C4F100129FA10AB1C1DBB89541AB55
APIs
• SendMessageA.USER32(00000408,?,00000000,004039F9), ref: 00403DB5
Strings
Similarity
• API ID: MessageSend
• String ID: x
• API String ID: 3850602802-2363233923
• Opcode ID: 2297d9a5740f239e563778608566daf4408a5e1d57364abcd084643e47e82489
• Instruction ID: ab0c8c299765955ccbfa59721f842daf732f2f91f0a416ba9cb054cc648477c1
• Opcode Fuzzy Hash: 2297d9a5740f239e563778608566daf4408a5e1d57364abcd084643e47e82489
• Instruction Fuzzy Hash: 4FC01271A84201EADA209B02DE00B06BA71EBA4702F508039F385200B186706822DB0D
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
• Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
• Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
• Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
APIs
• SendMessageA.USER32(?,0000000B,?), ref: 00402875
• InvalidateRect.USER32(?), ref: 00402885
Similarity
• API ID: InvalidateMessageRectSend
• String ID:
• API String ID: 909852535-0
• Opcode ID: a5f93ca787052cb85bb993d16fb5bfc88cd44bd4415a14ef171f869fd08a24a6
• Instruction ID: 5d37e61976acf5bdbec0b869d18ae9d7eae5027ec9d1abcfdb12a567b3c3e37f
• Opcode Fuzzy Hash: a5f93ca787052cb85bb993d16fb5bfc88cd44bd4415a14ef171f869fd08a24a6
• Instruction Fuzzy Hash: 7AE08CB2B40104AFEB10DB94EE85DAE7BBAEB40349B14007AF602F0060D2341D10CA28
APIs
• ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
• EnableWindow.USER32(00000000,00000000), ref: 00401DB6
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: bec9b1a9a5822b1f3694e8d3d7e5bfeccac05f90ba014232035f8450c8442d81
• Instruction ID: 9da135c70202b86661629657fe57a258e31507742a425f579c1fc233a54c13c2
• Opcode Fuzzy Hash: bec9b1a9a5822b1f3694e8d3d7e5bfeccac05f90ba014232035f8450c8442d81
• Instruction Fuzzy Hash: 62E0CD72B08110DBD710F7B45D8995D3664DB40369B10453BF503F50C1D2789C4196EE
APIs
• GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 004056E7
• CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                                              • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                                                              • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                                              • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                                              APIs
                                                              • CloseHandle.KERNEL32(FFFFFFFF,004032EB,00000000), ref: 00403486
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\, xrefs: 0040349A
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\
                                                              • API String ID: 2962429428-3446665066
                                                              • Opcode ID: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
                                                              • Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
                                                              • Opcode Fuzzy Hash: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
                                                              • Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E
                                                              APIs
                                                              • GetFileAttributesA.KERNEL32(?,004054CF,?,?,?), ref: 004056C8
                                                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 004056DA
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                                              • Instruction ID: 8174f72b6c2f00669cb3d5f93c0fb6c6646d93779de37800628d5af5c47e1667
                                                              • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                                              • Instruction Fuzzy Hash: C7C002B1808501AAD6015B24DF0D81E7A66EB50361B508F25F569A00F0C7355866DA1A
                                                              APIs
                                                              • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,00434800,?), ref: 00401E07
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID:
                                                              • API String ID: 587946157-0
                                                              • Opcode ID: f69e8e64304c582337ff86cae38ef711e2aa22c260cbe21d960f4165b9c65205
                                                              • Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
                                                              • Opcode Fuzzy Hash: f69e8e64304c582337ff86cae38ef711e2aa22c260cbe21d960f4165b9c65205
                                                              • Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318
                                                              APIs
                                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040225C
                                                              Similarity
                                                              • API ID: PrivateProfileStringWrite
                                                              • String ID:
                                                              • API String ID: 390214022-0
                                                              • Opcode ID: b6116c209c80720ea8c5b66b32d343bdc214f8bf2523826a10554ae8e2aaa3ef
                                                              • Instruction ID: 7f0f3d0bfb11d3a69440f7e30d7772d63b8707f304f836d716d69bda9ce5b450
                                                              • Opcode Fuzzy Hash: b6116c209c80720ea8c5b66b32d343bdc214f8bf2523826a10554ae8e2aaa3ef
                                                              • Instruction Fuzzy Hash: 31E04871F002656BDBA07AF14F8D97F115C7B84344F14027EBA15762C6E9BC4D416169
                                                              APIs
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00402EAA,000000FF,00000004,00000000,00000000,00000000), ref: 00403094
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
                                                              • Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
                                                              • Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
                                                              • Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5
                                                              APIs
                                                              • SetDlgItemTextA.USER32(?,?,00000000), ref: 00403DD8
                                                              Similarity
                                                              • API ID: ItemText
                                                              • String ID:
                                                              • API String ID: 3367045223-0
                                                              • Opcode ID: 127803520696b4f43e8fc6f5d9bd0ca07d8143994230ac30ebc5eaf9d6967234
                                                              • Instruction ID: 1da1af2c7098a7a5c47cb9e65cfb44b89bee0289569f32b065f15b06c39939a7
                                                              • Opcode Fuzzy Hash: 127803520696b4f43e8fc6f5d9bd0ca07d8143994230ac30ebc5eaf9d6967234
                                                              • Instruction Fuzzy Hash: 79C04C79248604BFD641A759DC42F1FB79DEF94315F00C52EB19CE11D1C63984209E26
                                                              APIs
                                                              • SendMessageA.USER32(0002047E,00000000,00000000,00000000), ref: 00403E1C
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: c5061dae57279ed18d5e0219b0993123e9bb10419d0af8d34ddcf4ee1c6729a0
                                                              • Instruction ID: 4a69275ab6afdcc9dd23c2635c3fa87663c4bda3d9f509ac91b66b343a6ea2c2
                                                              • Opcode Fuzzy Hash: c5061dae57279ed18d5e0219b0993123e9bb10419d0af8d34ddcf4ee1c6729a0
                                                              • Instruction Fuzzy Hash: 0FC04C717443016AEA20DB51DE45F0777589754B01F548465B604A50D0C674E410D65D
                                                              APIs
                                                              • SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: acb417c3046c5230bf261fb3a85c5b045a6b8022903fbd0a553d80ffe77ce434
                                                              • Instruction ID: d5eec3387bf9f2af87c3deac1be3c081a68759b5cbc5052c90a1cd046c0f3978
                                                              • Opcode Fuzzy Hash: acb417c3046c5230bf261fb3a85c5b045a6b8022903fbd0a553d80ffe77ce434
                                                              • Instruction Fuzzy Hash: BCB01275BC4201FBEE219B01DE09F457E62E764701F008074B305240F0C6B210A1DF0D
                                                              APIs
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DE9,0000BBE4), ref: 004030BD
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
                                                              • Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
                                                              • Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
                                                              • Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,00403BBD), ref: 00403DEA
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
                                                              • Instruction ID: 5393fb3fd4ec66336373a3cea7bd514d8462fd9d014250aae94180e38f4c2131
                                                              • Opcode Fuzzy Hash: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
                                                              • Instruction Fuzzy Hash: AFA002755051009BCA515B50DF048457A61A754701B458475F1459017487315861EB6A

                                                              Non-executed Functions

                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404710
                                                              • GetDlgItem.USER32(?,00000408), ref: 0040471D
                                                              • GlobalAlloc.KERNEL32(00000040,00000002), ref: 00404769
                                                              • LoadBitmapA.USER32(0000006E), ref: 0040477C
                                                              • SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
                                                              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
                                                              • SendMessageA.USER32(?,00001109,00000002), ref: 004047D3
                                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047DF
                                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047F1
                                                              • DeleteObject.GDI32(?), ref: 004047F6
                                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404821
                                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040482D
                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C2
                                                              • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048ED
                                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404901
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00404930
                                                              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
                                                              • ShowWindow.USER32(?,00000005), ref: 0040494F
                                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A52
                                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404AB7
                                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404ACC
                                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AF0
                                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B16
                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 00404B2B
                                                              • GlobalFree.KERNEL32(00000000), ref: 00404B3B
                                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404BAB
                                                              • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C54
                                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C63
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
                                                              • ShowWindow.USER32(?,00000000), ref: 00404CD1
                                                              • GetDlgItem.USER32(?,000003FE), ref: 00404CDC
                                                              • ShowWindow.USER32(00000000), ref: 00404CE3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 1638840714-813528018
                                                              • Opcode ID: 59eb1809f78b2e22b71ab630a4b4117a288a05a336703e358dd51402bec2e6c3
                                                              • Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
                                                              • Opcode Fuzzy Hash: 59eb1809f78b2e22b71ab630a4b4117a288a05a336703e358dd51402bec2e6c3
                                                              • Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404248
                                                              • SetWindowTextA.USER32(?,?), ref: 00404275
                                                              • SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
                                                              • CoTaskMemFree.OLE32(00000000), ref: 00404335
                                                              • lstrcmpiA.KERNEL32(Remove folder: ,00429FE0), ref: 00404367
                                                              • lstrcatA.KERNEL32(?,Remove folder: ), ref: 00404373
                                                              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383
                                                                • Part of subcall function 004052B1: GetDlgItemTextA.USER32(?,?,00000400,004043B6), ref: 004052C4
                                                                • Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
                                                                • Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
                                                                • Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
                                                                • Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8
                                                              • GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404457
                                                              • SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                              • String ID: 8174224$A$C:\Program Files (x86)\Nero Burning Rom$Remove folder:
                                                              • API String ID: 2246997448-946158102
                                                              • Opcode ID: ff348560b6faec50659af313b3d2a2111afe001c507a4e4cf48385b70e4cb693
                                                              • Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
                                                              • Opcode Fuzzy Hash: ff348560b6faec50659af313b3d2a2111afe001c507a4e4cf48385b70e4cb693
                                                              • Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59
                                                              APIs
                                                              • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
                                                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: ByteCharCreateInstanceMultiWide
                                                              • String ID:
                                                              • API String ID: 123533781-0
                                                              • Opcode ID: 68441b76e02daf5c94a04c817994d866479800aff39ed8a12ba88c5297dbe799
                                                              • Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
                                                              • Opcode Fuzzy Hash: 68441b76e02daf5c94a04c817994d866479800aff39ed8a12ba88c5297dbe799
                                                              • Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54
                                                              APIs
                                                              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID:
                                                              • API String ID: 1974802433-0
                                                              • Opcode ID: 5ec8cfe3ecd6d47a33181b223f4745e968f2e88ce0dfbd25e8ae3887cda06d2f
                                                              • Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
                                                              • Opcode Fuzzy Hash: 5ec8cfe3ecd6d47a33181b223f4745e968f2e88ce0dfbd25e8ae3887cda06d2f
                                                              • Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
                                                              • Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
                                                              • Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
                                                              • Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
                                                              • Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
                                                              • Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
                                                              • Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94
                                                              APIs
                                                              • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
                                                              • GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
                                                              • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC3
                                                              • GetSysColor.USER32(?), ref: 00403FD4
                                                              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE3
                                                              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF2
                                                              • lstrlenA.KERNEL32(?), ref: 00403FFC
                                                              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400A
                                                              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404019
                                                              • GetDlgItem.USER32(?,0000040A), ref: 0040407C
                                                              • SendMessageA.USER32(00000000), ref: 0040407F
                                                              • GetDlgItem.USER32(?,000003E8), ref: 004040AA
                                                              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EA
                                                              • LoadCursorA.USER32(00000000,00007F02), ref: 004040F9
                                                              • SetCursor.USER32(00000000), ref: 00404102
                                                              • ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
                                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00404122
                                                              • SetCursor.USER32(00000000), ref: 00404125
                                                              • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404151
                                                              • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404165
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                              • String ID: N$Remove folder: $open
                                                              • API String ID: 3615053054-3278287247
                                                              • Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
                                                              • Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
                                                              • Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
                                                              • Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98
                                                              APIs
                                                              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                              • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                              • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                              • DrawTextA.USER32(00000000,Bibado Installer - Nero Burning Rom Setup,000000FF,00000010,00000820), ref: 00401156
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: Bibado Installer - Nero Burning Rom Setup$F
                                                              • API String ID: 941294808-3675506530
                                                              • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                              • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                                                              • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                                              • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                                                              APIs
                                                                • Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
                                                                • Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
                                                                • Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054EF,?,00000000,000000F1,?), ref: 004057A7
                                                              • GetShortPathNameA.KERNEL32(?,0042C170,00000400), ref: 004057B0
                                                              • GetShortPathNameA.KERNEL32(00000000,0042BBE8,00000400), ref: 004057CD
                                                              • wsprintfA.USER32 ref: 004057EB
                                                              • GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040584B
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
                                                              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004058A3
                                                              • GlobalFree.KERNEL32(00000000), ref: 004058AA
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004058B1
                                                                • Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
                                                                • Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                                              • String ID: %s=%s$[Rename]
                                                              • API String ID: 3772915668-1727408572
                                                              • Opcode ID: dff5e8461f90d0a7b08308301f80b1547d188907f97dbbe474557014f1802e0f
                                                              • Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
                                                              • Opcode Fuzzy Hash: dff5e8461f90d0a7b08308301f80b1547d188907f97dbbe474557014f1802e0f
                                                              • Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD
                                                              APIs
                                                              • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
                                                              • CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
                                                              • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
                                                              • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 589700163-1722615944
                                                              • Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                                                              • Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
                                                              • Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
                                                              • Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D
                                                              APIs
                                                              • GetWindowLongA.USER32(?,000000EB), ref: 00403E42
                                                              • GetSysColor.USER32(00000000), ref: 00403E5E
                                                              • SetTextColor.GDI32(?,00000000), ref: 00403E6A
                                                              • SetBkMode.GDI32(?,?), ref: 00403E76
                                                              • GetSysColor.USER32(?), ref: 00403E89
                                                              • SetBkColor.GDI32(?,?), ref: 00403E99
                                                              • DeleteObject.GDI32(?), ref: 00403EB3
                                                              • CreateBrushIndirect.GDI32(?), ref: 00403EBD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                              • Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
                                                              • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                                              • Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,0000BC00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
                                                              • GlobalFree.KERNEL32(?), ref: 00402725
                                                              • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
                                                              • GlobalFree.KERNEL32(00000000), ref: 0040273E
                                                              • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
                                                              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                              • String ID:
                                                              • API String ID: 3294113728-0
                                                              • Opcode ID: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
                                                              • Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
                                                              • Opcode Fuzzy Hash: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
                                                              • Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9
                                                              APIs
                                                              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404694
                                                              • GetMessagePos.USER32 ref: 0040469C
                                                              • ScreenToClient.USER32(?,?), ref: 004046B6
                                                              • SendMessageA.USER32(?,00001111,00000000,?), ref: 004046C8
                                                              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046EE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                              • Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
                                                              • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                                              • Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
                                                              • MulDiv.KERNEL32(0007B546,00000064,0007C4E8), ref: 00402B81
                                                              • wsprintfA.USER32 ref: 00402B91
                                                              • SetWindowTextA.USER32(?,?), ref: 00402BA1
                                                              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                                                              Strings
                                                              • verifying installer: %d%%, xrefs: 00402B8B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: verifying installer: %d%%
                                                              • API String ID: 1451636040-82062127
                                                              • Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
                                                              • Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
                                                              • Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
                                                              • Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99
                                                              APIs
                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
                                                              • RegCloseKey.ADVAPI32(?), ref: 00402A9C
                                                              • RegCloseKey.ADVAPI32(?), ref: 00402AC1
                                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Close$DeleteEnumOpen
                                                              • String ID:
                                                              • API String ID: 1912718029-0
                                                              • Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
                                                              • Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
                                                              • Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
                                                              • Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69
                                                              APIs
                                                              • GetDlgItem.USER32(?), ref: 00401CC5
                                                              • GetClientRect.USER32(00000000,?), ref: 00401CD2
                                                              • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
                                                              • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                                                              • DeleteObject.GDI32(00000000), ref: 00401D10
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: bcf2014c00065f5201b430a5429a32b7385cfa622623bd2341514d29d8348619
                                                              • Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
                                                              • Opcode Fuzzy Hash: bcf2014c00065f5201b430a5429a32b7385cfa622623bd2341514d29d8348619
                                                              • Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69
                                                              APIs
                                                              • CharNextA.USER32(ES@,?,C:\,00000000,004055F7,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004055A1
                                                              • CharNextA.USER32(00000000), ref: 004055A6
                                                              • CharNextA.USER32(00000000), ref: 004055B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CharNext
                                                              • String ID: C:\$ES@
                                                              • API String ID: 3213498283-247893726
                                                              • Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
                                                              • Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
                                                              • Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
                                                              • Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA
                                                              APIs
                                                              • lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
                                                              • wsprintfA.USER32 ref: 0040462D
                                                              • SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s
                                                              • API String ID: 3540041739-3551169577
                                                              • Opcode ID: 74831606c9b093612702591a57e7d7575a57c61aed7505950e70be9150aef9cb
                                                              • Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
                                                              • Opcode Fuzzy Hash: 74831606c9b093612702591a57e7d7575a57c61aed7505950e70be9150aef9cb
                                                              • Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8
                                                              APIs
                                                              • SetWindowTextA.USER32(00000000,Bibado Installer - Nero Burning Rom Setup), ref: 004038B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: TextWindow
                                                              • String ID: 1033$Bibado Installer - Nero Burning Rom Setup$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 530164218-3834516452
                                                              • Opcode ID: 1025670415ed7299d3a4535275ffdf3c061a3cffc7b258d7069b92854ad026b7
                                                              • Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
                                                              • Opcode Fuzzy Hash: 1025670415ed7299d3a4535275ffdf3c061a3cffc7b258d7069b92854ad026b7
                                                              • Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 00404D30
                                                              • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E
                                                                • Part of subcall function 00403E0A: SendMessageA.USER32(0002047E,00000000,00000000,00000000), ref: 00403E1C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID: $8174224
                                                              • API String ID: 3748168415-3389874118
                                                              • Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
                                                              • Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
                                                              • Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
                                                              • Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9
                                                              APIs
                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
                                                              • CloseHandle.KERNEL32(?), ref: 0040529E
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C
                                                              • Error launching installer, xrefs: 0040527F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                                              • API String ID: 3712363035-7751565
                                                              • Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
                                                              • Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
                                                              • Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
                                                              • Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9
                                                              APIs
                                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
                                                              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 0040550E
                                                              • lstrcatA.KERNEL32(?,00409010), ref: 0040551F
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 2659869361-823278215
                                                              • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                                                              • Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
                                                              • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
                                                              • Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE
                                                              APIs
                                                              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
                                                              • lstrlenA.KERNEL32(0040A380,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
                                                              • RegSetValueExA.ADVAPI32(?,?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
                                                              • RegCloseKey.ADVAPI32(?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateValuelstrlen
                                                              • String ID:
                                                              • API String ID: 1356686001-0
                                                              • Opcode ID: feee39b2995d5713698e39181d4267c001e0350d88117aa5d933f9716d921611
                                                              • Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
                                                              • Opcode Fuzzy Hash: feee39b2995d5713698e39181d4267c001e0350d88117aa5d933f9716d921611
                                                              • Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669
                                                              APIs
                                                              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                                              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                                              • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
                                                                • Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                              • String ID:
                                                              • API String ID: 1404258612-0
                                                              • Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
                                                              • Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
                                                              • Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
                                                              • Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401D22
                                                              • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                                              • CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirect
                                                              • String ID:
                                                              • API String ID: 3272661963-0
                                                              • Opcode ID: cde7f90e9653f28e0253788fad6bfaf6f4cce6a54e225caafa13451a0e0ea16a
                                                              • Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
                                                              • Opcode Fuzzy Hash: cde7f90e9653f28e0253788fad6bfaf6f4cce6a54e225caafa13451a0e0ea16a
                                                              • Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F
                                                              APIs
                                                              • DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
                                                              • GetTickCount.KERNEL32 ref: 00402BEF
                                                              • CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402C1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                              • String ID:
                                                              • API String ID: 2102729457-0
                                                              • Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
                                                              • Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
                                                              • Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
                                                              • Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
                                                              • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\Toolbar,00000000,?,?,00000000,00000011), ref: 004024FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: FileWritelstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\Toolbar
                                                              • API String ID: 427699356-3936352603
                                                              • Opcode ID: f8afe27f35a0341f5f43dc116950efcf8e5d728f532d9ae0525ec423e2171d68
                                                              • Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
                                                              • Opcode Fuzzy Hash: f8afe27f35a0341f5f43dc116950efcf8e5d728f532d9ae0525ec423e2171d68
                                                              • Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D
                                                              APIs
                                                              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yUgCaQhCIc.exe,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 0040554C
                                                              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yUgCaQhCIc.exe,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 0040555A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-1246513382
                                                              • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                                              • Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
                                                              • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                                              • Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405678
                                                              • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405686
                                                              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                                              • Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
                                                              • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                                              • Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF
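The function blocks above follow one fixed layout: an "APIs" heading, one bullet per resolved call in the form `Name.MODULE(args), ref: ADDR` (indented "Part of subcall function XXXXXXXX:" bullets for calls reached through a callee), then the "Memory Dump Source" and "Similarity" metadata, where "String ID" carries the string constant the function references and "API String ID" is the pair of similarity hashes. Reading dozens of these blocks by hand is slow, so the following added example (editor's code, not Joe Sandbox's and not part of the sample) parses the blocks as rendered on this page into call records and applies two triage heuristics of the editor's own: a file-writing API that receives a path under the user's `AppData\Local\Temp` directory, and the GetFileVersionInfoA/VerQueryValueA pair. The embedded input is an abridged copy of the WriteFile and version-info blocks from this report with the long "Associated:" lines left out; the `FILE_WRITERS` set and the finding texts are the editor's assumptions.

```python
"""Parse Joe Sandbox per-function "APIs" blocks and triage them.
Added example for the report above; not Joe Sandbox code and not part of the
sample. Assumes the block layout exactly as rendered on this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Abridged excerpt of two function blocks copied from the report above; only
# the long "Associated:" and "Snapshot File" lines were dropped.
SAMPLE = r"""
APIs
• lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
• WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\Toolbar,00000000,?,?,00000000,00000011), ref: 004024FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileWritelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\Toolbar
• API String ID: 427699356-3936352603
APIs
• GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
• GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
• VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
  • Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977
Similarity
• API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
• String ID:
• API String ID: 1404258612-0
"""

# One "• Name.MODULE(args), ref: ADDR" bullet. The argument list and the
# "Part of subcall function XXXXXXXX:" prefix are both optional.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str                    # address of the call site
    subcall_of: Optional[str]   # set for "Part of subcall function" bullets


@dataclass
class FunctionBlock:
    calls: list[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""

    @property
    def entry(self) -> str:
        # Lowest call-site address: a usable stand-in for the function start.
        return min((c.ref for c in self.calls), default="")


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every function block opens with this heading
            cur = FunctionBlock()
            blocks.append(cur)
            in_apis = True
        elif cur is None or not line:
            continue
        elif line in SECTION_HEADERS:      # any of these ends the API list
            in_apis = False
        elif in_apis:
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
        else:                              # "• Key: value" metadata bullets
            key, _, val = line.lstrip("• ").partition(":")
            attr = {"API ID": "api_id", "String ID": "string_id",
                    "API String ID": "api_string_id"}.get(key)
            if attr:
                setattr(cur, attr, val.strip())
    return blocks


# Editor's heuristics (assumptions, not report fields).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
FILE_WRITERS = {"WriteFile", "CreateFileA", "CreateFileW", "CopyFileA", "CopyFileW",
                "MoveFileA", "MoveFileW", "MoveFileExA", "MoveFileExW"}


def triage(block: FunctionBlock) -> list[str]:
    """Flag writes into the user's temp directory and version-resource queries."""
    findings: list[str] = []
    apis = {c.api for c in block.calls}
    temp_paths = [a for c in block.calls for a in c.args if TEMP_RE.search(a)]
    if apis & FILE_WRITERS and temp_paths:
        findings.append(f"file write under user temp: {temp_paths[0]}")
    if {"GetFileVersionInfoA", "VerQueryValueA"} <= apis:
        findings.append("queries a file's version resource")
    return findings


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.entry, [c.api for c in b.calls], b.api_string_id, triage(b))
```

Paste the full "Disassembly" section of a report in place of `SAMPLE` to run it over every block; the "API String ID" value is the pair of hashes Joe Sandbox uses for cross-sample similarity, so collecting it per flagged function gives pivots for other reports without re-reading the disassembly.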