Edit tour

Windows Analysis Report
Setup (1).exe

Overview

General Information

Sample name:	Setup (1).exe
Analysis ID:	1459003
MD5:	98bf362b34475d3757430ba89833f3be
SHA1:	73e7982f3df186d24ef81597e2f8b3ca1704f4da
SHA256:	a74f9c40ffa5d7ac67acfd5dcf93cdb351866105dfb6050e5bef181421aa7666
Infos:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	34
Range:	0 - 100

Signatures

Multi AV Scanner detection for dropped file

Creates multiple autostart registry keys

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Drops PE files

EXE planting / hijacking vulnerabilities found

Found dropped PE file which has not been started or loaded

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

Setup (1).exe (PID: 7080 cmdline: "C:\Users\user\Desktop\Setup (1).exe" MD5: 98BF362B34475D3757430BA89833F3BE)

chrome.exe (PID: 3348 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04&winver=19045&version=fa.1091o&nocache=20240618121312.538&_fcid=1718724052798659 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7476 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

nsgBA2E.tmp (PID: 7680 cmdline: "C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp" /internal 1718724052798659 /force MD5: F748BC5CB1445E361CA987ED89BECABA)

PcAppStore.exe (PID: 608 cmdline: "C:\Users\user\PCAppStore\PcAppStore.exe" /init default MD5: FCEFC6099C1265E7F7B703C7A0154C5A)

explorer.exe (PID: 4380 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

PcAppStore.exe (PID: 2524 cmdline: "C:\Users\user\PCAppStore\PcAppStore.exe" /init default showM MD5: FCEFC6099C1265E7F7B703C7A0154C5A)

NW_store.exe (PID: 6488 cmdline: .\nwjs\NW_store.exe .\ui\. MD5: E472E46BDFD736351D4B086B4C4CA134)

NW_store.exe (PID: 4636 cmdline: C:\Users\user\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x238,0x23c,0x240,0x234,0x244,0x7fff3c53a960,0x7fff3c53a970,0x7fff3c53a980 MD5: E472E46BDFD736351D4B086B4C4CA134)

NW_store.exe (PID: 4212 cmdline: C:\Users\user\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x1a4,0x1a8,0x1ac,0x138,0x1b0,0x7ff6f6438a60,0x7ff6f6438a70,0x7ff6f6438a80 MD5: E472E46BDFD736351D4B086B4C4CA134)

NW_store.exe (PID: 4836 cmdline: "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1940 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:2 MD5: E472E46BDFD736351D4B086B4C4CA134)

NW_store.exe (PID: 4868 cmdline: "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2976 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:3 MD5: E472E46BDFD736351D4B086B4C4CA134)

NW_store.exe (PID: 4668 cmdline: "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:8 MD5: E472E46BDFD736351D4B086B4C4CA134)

NW_store.exe (PID: 3704 cmdline: "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --nwjs --extension-process --no-appcompat-clear --no-sandbox --file-url-path-alias="/gen=C:\Users\user\PCAppStore\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1718721378693304 --launch-time-ticks=5930592217 --mojo-platform-channel-handle=3316 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:2 MD5: E472E46BDFD736351D4B086B4C4CA134)

PcAppStoreWatchdog.exe (PID: 5644 cmdline: "C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe" /guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04 /rid=20240618121451.6735912812 /ver=fa.1091o MD5: 5E28DD3006A64174FF0F82469540712E)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\PCAppStore\PCAppStore.exe" /init default, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp, ProcessId: 7680, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCAppStore

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	ReversingLabs: Detection: 13%
Source: C:\Users\user\PCAppStore\AutoUpdater.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\PCAppStore\PcAppStore.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\PCAppStore\Uninstaller.exe	ReversingLabs: Detection: 58%

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\nwjs\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\AutoUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\nwjs\NW_store.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\Uninstaller.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\PcAppStore.exe

Phishing

Source: https://td.doubleclick.net/td/rul/858128210?random=1718727198449&cv=11&fst=1718727198449&fmt=3&bg=ffffff&guid=ON&async=1&gtm=45be46c0v9103256652za200&gcd=13l3l3l3l1&dma=0&tag_exp=0&u_w=1280&u_h=1024&url=https%3A%2F%2Fpcapp.store%2F%3Fp%3Dlpd_installing_r2%26guid%3D0CC82742-52E4-CC1D-A08F-D3A4823E8F04%26_fcid%3D1718724052798659%26_winver%3D19045%26version%3Dfa.1091o&hn=www.googleadservices.com&frm=0&tiba=APP%20STORE%3A%20Installing&npa=0&pscdl=noapi&auid=1341384014.1718727198&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.132%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.132&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&fledge=1&data=event%3Dgtag.config	HTTP Parser: No favicon
Source: https://td.doubleclick.net/td/rul/858128210?random=1718727198468&cv=11&fst=1718727198468&fmt=3&bg=ffffff&guid=ON&async=1&gtm=45be46c0v9103256652za200&gcd=13l3l3l3l1&dma=0&tag_exp=0&u_w=1280&u_h=1024&url=https%3A%2F%2Fpcapp.store%2F%3Fp%3Dlpd_installing_r2%26guid%3D0CC82742-52E4-CC1D-A08F-D3A4823E8F04%26_fcid%3D1718724052798659%26_winver%3D19045%26version%3Dfa.1091o&hn=www.googleadservices.com&frm=0&tiba=APP%20STORE%3A%20Installing&npa=0&pscdl=noapi&auid=1341384014.1718727198&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.132%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.132&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&fledge=1&data=event%3Dpage_view	HTTP Parser: No favicon
Source: https://td.doubleclick.net/td/rul/858128210?random=1718727198863&cv=11&fst=1718727198863&fmt=3&bg=ffffff&guid=ON&async=1&gtm=45be46c0v9103256652za200&gcd=13l3l3l3l1&dma=0&tag_exp=0&u_w=1280&u_h=1024&url=https%3A%2F%2Fpcapp.store%2F%3Fp%3Dlpd_installing_r2%26guid%3D0CC82742-52E4-CC1D-A08F-D3A4823E8F04%26_fcid%3D1718724052798659%26_winver%3D19045%26version%3Dfa.1091o&label=kTaFCIuq0YYZENL-l5kD&hn=www.googleadservices.com&frm=0&tiba=APP%20STORE%3A%20Installing&value=1&currency_code=USD&npa=0&pscdl=noapi&auid=1341384014.1718727198&uaa=x86&uab=64&uafvl=Google%2520Chrome%3B117.0.5938.132%7CNot%253BA%253DBrand%3B8.0.0.0%7CChromium%3B117.0.5938.132&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&fledge=1&data=event%3Dconversion	HTTP Parser: No favicon

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\nwjs\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\AutoUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\nwjs\NW_store.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\Uninstaller.exe
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	EXE: C:\Users\user\PCAppStore\PcAppStore.exe

Uses 32bit PE files

Source: Setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCAppStore

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\ui\static\js\2.0e8f1429.chunk.js.LICENSE.txt
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\ReadMe.txt

PE / OLE file has a valid certificate

Source: Setup (1).exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 156.146.33.138:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.239.94.126:443 -> 192.168.2.16:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.254:443 -> 192.168.2.16:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49834 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Software Vulnerabilities

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 33MB

Networking

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.64
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.211.8.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108

Source: global traffic	DNS traffic detected: DNS query: pcapp.store
Source: global traffic	DNS traffic detected: DNS query: delivery.pcapp.store
Source: global traffic	DNS traffic detected: DNS query: googleads.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: td.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: repository.pcapp.store
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: analytics.google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: stats.g.doubleclick.net
Source: global traffic	DNS traffic detected: DNS query: d74queuslupub.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: 48bd8c19a5fd0a97afed493c575e3391.azr.footprintdns.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 156.146.33.138:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.211.8.90:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49794 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.239.94.126:443 -> 192.168.2.16:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.4.254:443 -> 192.168.2.16:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.254:443 -> 192.168.2.16:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.248.126.225:443 -> 192.168.2.16:49834 version: TLS 1.2

System Summary

Uses 32bit PE files

Source: Setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal42.evad.winEXE@34/190@30/150

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Users\user\Desktop\Setup (1).exe

File created: C:\Users\user\AppData\Local\Temp\nsg94B2.tmp

Source: Setup (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: C:\Users\user\Desktop\Setup (1).exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Setup (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Setup (1).exe

File read: C:\Users\user\Desktop\Setup (1).exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup (1).exe "C:\Users\user\Desktop\Setup (1).exe"
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04&winver=19045&version=fa.1091o&nocache=20240618121312.538&_fcid=1718724052798659
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04&winver=19045&version=fa.1091o&nocache=20240618121312.538&_fcid=1718724052798659
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 --field-trial-handle=1904,i,1090450300907648637,15811627045702687244,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp "C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp" /internal 1718724052798659 /force
Source: C:\Users\user\Desktop\Setup (1).exe	Process created: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp "C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp" /internal 1718724052798659 /force
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PcAppStore.exe" /init default
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process created: C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe "C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe" /guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04 /rid=20240618121451.6735912812 /ver=fa.1091o
Source: C:\Users\user\PCAppStore\PcAppStore.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe .\nwjs\NW_store.exe .\ui\.
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe C:\Users\user\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x238,0x23c,0x240,0x234,0x244,0x7fff3c53a960,0x7fff3c53a970,0x7fff3c53a980
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe C:\Users\user\PCAppStore\nwjs\NW_store.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\pc_app_store\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x1a4,0x1a8,0x1ac,0x138,0x1b0,0x7ff6f6438a60,0x7ff6f6438a70,0x7ff6f6438a80
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1940 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:2
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PcAppStore.exe" /init default showM
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2976 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:3
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:8
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "C:\Users\user\PCAppStore\nwjs\NW_store.exe" --type=renderer --user-data-dir="C:\Users\user\AppData\Local\pc_app_store\User Data" --nwapp-path=".\ui\." --nwjs --extension-process --no-appcompat-clear --no-sandbox --file-url-path-alias="/gen=C:\Users\user\PCAppStore\nwjs\gen" --no-zygote --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1718721378693304 --launch-time-ticks=5930592217 --mojo-platform-channel-handle=3316 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process created: C:\Users\user\PCAppStore\PcAppStore.exe "C:\Users\user\PCAppStore\PcAppStore.exe" /init default
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process created: C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe "C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe" /guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04 /rid=20240618121451.6735912812 /ver=fa.1091o

Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: mlang.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\Setup (1).exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Section loaded: cscapi.dll

Source: C:\Users\user\Desktop\Setup (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCAppStore

PE / OLE file has a valid certificate

Source: Setup (1).exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup (1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

PE file contains an invalid checksum

Source: Setup (1).exe

Static PE information: real checksum: 0x281af should be: 0x22e57

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\nw_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\node.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\nw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\AppData\Local\Temp\nseCD34.tmp\Math.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\AutoUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\Uninstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	File created: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\PcAppStore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\nwjs\libGLESv2.dll	Jump to dropped file

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\ui\static\js\2.0e8f1429.chunk.js.LICENSE.txt
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\PCAppStore\ReadMe.txt

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreWatchdog
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PCAppStore

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PCAppStore
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PCAppStore
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreUpdater
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreWatchdog
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PcAppStoreWatchdog

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Caption from Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Size from Win32_DiskDrive

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\nw_elf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\node.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\nw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseCD34.tmp\Math.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\AutoUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup (1).exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\Uninstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	Dropped PE file which has not been started: C:\Users\user\PCAppStore\nwjs\libGLESv2.dll	Jump to dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select ReleaseDate from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select UUID from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Vendor from Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Version from Win32_ComputerSystemProduct

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select MaxClockSpeed from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfCores from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select NumberOfLogicalProcessors from Win32_Processor

Source: C:\Users\user\Desktop\Setup (1).exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Setup (1).exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pcapp.store/installing.php?guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04&winver=19045&version=fa.1091o&nocache=20240618121312.538&_fcid=1718724052798659

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe c:\users\user\pcappstore\nwjs\nw_store.exe --type=crashpad-handler "--user-data-dir=c:\users\user\appdata\local\pc_app_store\user data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=c:\users\user\appdata\local\pc_app_store\user data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\pc_app_store\user data\crashpad" "--metrics-dir=c:\users\user\appdata\local\pc_app_store\user data" --annotation=plat=win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x238,0x23c,0x240,0x234,0x244,0x7fff3c53a960,0x7fff3c53a970,0x7fff3c53a980
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe c:\users\user\pcappstore\nwjs\nw_store.exe --type=crashpad-handler "--user-data-dir=c:\users\user\appdata\local\pc_app_store\user data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\pc_app_store\user data\crashpad" --annotation=plat=win64 --annotation=prod=pc_app_store --annotation=ver=0.1.0 --initial-client-data=0x1a4,0x1a8,0x1ac,0x138,0x1b0,0x7ff6f6438a60,0x7ff6f6438a70,0x7ff6f6438a80
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "c:\users\user\pcappstore\nwjs\nw_store.exe" --type=gpu-process --no-sandbox --user-data-dir="c:\users\user\appdata\local\pc_app_store\user data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1940 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:2
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "c:\users\user\pcappstore\nwjs\nw_store.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --no-sandbox --user-data-dir="c:\users\user\appdata\local\pc_app_store\user data" --nwapp-path=".\ui\." --no-appcompat-clear --start-stack-profiler --mojo-platform-channel-handle=2976 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:3
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "c:\users\user\pcappstore\nwjs\nw_store.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-gb --service-sandbox-type=service --no-sandbox --user-data-dir="c:\users\user\appdata\local\pc_app_store\user data" --nwapp-path=".\ui\." --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:8
Source: C:\Users\user\PCAppStore\nwjs\NW_store.exe	Process created: C:\Users\user\PCAppStore\nwjs\NW_store.exe "c:\users\user\pcappstore\nwjs\nw_store.exe" --type=renderer --user-data-dir="c:\users\user\appdata\local\pc_app_store\user data" --nwapp-path=".\ui\." --nwjs --extension-process --no-appcompat-clear --no-sandbox --file-url-path-alias="/gen=c:\users\user\pcappstore\nwjs\gen" --no-zygote --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1718721378693304 --launch-time-ticks=5930592217 --mojo-platform-channel-handle=3316 --field-trial-handle=1948,i,11577703543776296676,4197277004636328407,262144 --variations-seed-version /prefetch:2

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp

Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\Desktop\Setup (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select displayName from FirewallProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	23 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	111 Registry Run Keys / Startup Folder	11 Process Injection	121 Virtualization/Sandbox Evasion	LSASS Memory	121 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	111 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Search Order Hijacking	1 DLL Side-Loading	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	LSA Secrets	132 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\inetc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsJSON.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp	13%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\PCAppStore\nwjs\NW_store.exe	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\libEGL.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\node.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\notification_helper.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nseCD34.tmp\Math.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\AutoUpdater.exe	18%	ReversingLabs
C:\Users\user\PCAppStore\PcAppStore.exe	25%	ReversingLabs
C:\Users\user\PCAppStore\PcAppStoreWatchdog.exe	8%	ReversingLabs
C:\Users\user\PCAppStore\Uninstaller.exe	58%	ReversingLabs	Win32.Trojan.Nemesis
C:\Users\user\PCAppStore\nwjs\nw.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\nw_elf.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\PCAppStore\nwjs\vulkan-1.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
1715720427.rsc.cdn77.org	195.181.170.19	true	false	unknown
t-9999.t-msedge.net	13.107.246.254	true	false	unknown
google.com	216.58.206.78	true	false	unknown
analytics-alv.google.com	216.239.36.181	true	false	unknown
googleads.g.doubleclick.net	216.58.212.162	true	false	unknown
1285660440.rsc.cdn77.org	156.146.33.138	true	false	unknown
c-9999.c-msedge.net	13.107.4.254	true	false	unknown
td.doubleclick.net	142.250.186.34	true	false	unknown
www.google.com	142.250.185.164	true	false	unknown
pcapp.store	104.248.126.225	true	false	unknown
d74queuslupub.cloudfront.net	18.239.94.126	true	false	unknown
stats.g.doubleclick.net	66.102.1.155	true	false	unknown
repository.pcapp.store	unknown	unknown	false	unknown
48bd8c19a5fd0a97afed493c575e3391.azr.footprintdns.com	unknown	unknown	false	unknown
analytics.google.com	unknown	unknown	false	unknown
delivery.pcapp.store	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pcapp.store/?p=lpd_installing_r2&guid=0CC82742-52E4-CC1D-A08F-D3A4823E8F04&_fcid=1718724052798659&_winver=19045&version=fa.1091o	false		unknown
https://td.doubleclick.net/td/ga/rul?tid=G-VFQWFX3X1C&gacid=1112610034.1718727199&gtm=45je46c0v898645365za200zb9103256652&dma=0&gcd=13l3l3l3l1&npa=0&pscdl=noapi&aip=1&fledge=1&frm=0&z=367992183	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.239.34.181	unknown	United States	15169	GOOGLEUS	false
172.217.18.14	unknown	United States	15169	GOOGLEUS	false
216.58.206.78	google.com	United States	15169	GOOGLEUS	false
173.194.76.84	unknown	United States	15169	GOOGLEUS	false
142.250.185.100	unknown	United States	15169	GOOGLEUS	false
66.102.1.155	stats.g.doubleclick.net	United States	15169	GOOGLEUS	false
142.250.185.164	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.142	unknown	United States	15169	GOOGLEUS	false
156.146.33.138	1285660440.rsc.cdn77.org	United States	3743	ARCEL-2US	false
104.248.126.225	pcapp.store	United States	14061	DIGITALOCEAN-ASNUS	false
212.102.56.181	unknown	Italy	60068	CDN77GB	false
142.250.186.35	unknown	United States	15169	GOOGLEUS	false
142.250.186.34	td.doubleclick.net	United States	15169	GOOGLEUS	false
216.239.36.181	analytics-alv.google.com	United States	15169	GOOGLEUS	false
18.239.94.126	d74queuslupub.cloudfront.net	United States	16509	AMAZON-02US	false
195.181.170.19	1715720427.rsc.cdn77.org	United Kingdom	60068	CDN77GB	false
216.58.206.67	unknown	United States	15169	GOOGLEUS	false
216.58.206.68	unknown	United States	15169	GOOGLEUS	false
142.250.185.170	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
216.58.212.162	googleads.g.doubleclick.net	United States	15169	GOOGLEUS	false
45.32.1.23	unknown	United States	20473	AS-CHOOPAUS	false
142.250.186.168	unknown	United States	15169	GOOGLEUS	false
172.217.16.195	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1459003
Start date and time:	2024-06-18 18:12:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Sample name:	Setup (1).exe
Detection:	MAL
Classification:	mal42.evad.winEXE@34/190@30/150
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 172.217.16.195, 172.217.18.14, 173.194.76.84, 34.104.35.123, 142.250.185.170, 142.250.186.168, 142.250.186.35
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, www.googletagmanager.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: Setup (1).exe

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	112552
Entropy (8bit):	4.026956130401378
Encrypted:	false
SSDEEP:
MD5:	1A84D8FF2E93805654D6F039C50D8A4A
SHA1:	550C95F425277FDD1DEB41687E8FDF8C6C164AA4
SHA-256:	F4436CB4F87FADA79FDCEA6FEDBDD8176B28E7031CC1A3D2BCA81A8A14AE998C
SHA-512:	DD580EA452C48FA7473B9C241EDDA6DF1EC33C87C90AC72494A47936CBB045C8AE7A0E559D1A5125D16C3699DD2CE5D2F0D0B2DE984431FC3F399B28EEB4F549
Malicious:	false
Reputation:	unknown
Preview:	....h... ...............P..............._...x...d......................].......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................... ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................c.a.l.i..

Process:	C:\Users\user\Desktop\Setup (1).exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jun 18 15:13:17 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9886962260487464
Encrypted:	false
SSDEEP:
MD5:	D86B2F4F19C45554B7A9BD46DB772D6D
SHA1:	27D7323DA070BCBA5C97231DC41AB5139E845B3F
SHA-256:	8465EE5F9658953E6B08F8A1AC76874C27A86CF3077BA842EA11E373C05772AD
SHA-512:	15AFF79E2027BFE0752A5425CA971ECE0091A8D9604D975B0EE4702E19DFD3CDF6C51E78A696B425A8E7DF6E509BCCFD0D22092D50D44724971B710CF6073620
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....$ n....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.224275176653949
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup (1).exe
File size:	120'376 bytes
MD5:	98bf362b34475d3757430ba89833f3be
SHA1:	73e7982f3df186d24ef81597e2f8b3ca1704f4da
SHA256:	a74f9c40ffa5d7ac67acfd5dcf93cdb351866105dfb6050e5bef181421aa7666
SHA512:	7eb881b10939de3b97539abcb4621a60523873dc9e1cf25368f8e570ede9a5ad0d55a58c89646262ff060f3ec114e3955efc633ad4ee4e87f15e8c776fa2b4d8
SSDEEP:	3072:ZbG7N2kDTHUpouUPScWxAPzy5n+/mGCKEUm:ZbE/HUMPGqry5nmJm
TLSH:	ECC3D05052D0D422D8A28B3079B93E779EB6DD2157709E4313107F587E7EE82A71E3A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	08/05/2024 02:00:00 14/02/2025 00:59:59
Subject Chain	CN=FAST CORPORATION LTD, O=FAST CORPORATION LTD, L=Ra'anana, C=IL, SERIALNUMBER=515636181, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
Version:	3
Thumbprint MD5:	04786BD703B906E22AECB2AD38CE4D94
Thumbprint SHA-1:	07BE42727905BE32C822A638502C1B8FAAE6540A
Thumbprint SHA-256:	FDB017BB88E5D453E22A73810690C72534F58EFB109EA0D4494EC393F2307DBC
Serial:	0E5C655E1CBE9A8879372F58A5BC0302

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x4f40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1acc8	0x2970	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	ce9df19df15aa7bfbc0a8d0af0b841d0	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	a118375c929d970903c1204233b7583d	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	82a10c59a8679bb952fc8316070b8a6c	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x36000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0x4f40	0x5000	1a1ffa641428f7186726489633846f21	False	0.101513671875	data	2.760708040507546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6c208	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	English	United States	0.036372224846480866
RT_DIALOG	0x70430	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x70638	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x70730	0xa0	data	English	United States	0.60625
RT_DIALOG	0x707d0	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x708c0	0x14	data	English	United States	1.1
RT_VERSION	0x708d8	0x240	data	English	United States	0.4878472222222222
RT_MANIFEST	0x70b18	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\p[2].gif

C:\Users\user\AppData\Local\Temp\nseCD34.tmp\Math.dll

C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\image.gif

C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\inetc.dll

C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsg94B3.tmp\nsJSON.dll

C:\Users\user\AppData\Local\Temp\nsgBA2E.tmp

C:\Users\user\AppData\Local\Temp\nszCD14.tmp

C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad\metadata

C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad\reports\e7425a25-44d0-4f7e-9000-180507e9b50e.dmp

C:\Users\user\AppData\Local\pc_app_store\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\10156d2b-7ba4-46ba-af08-0428551c3386.tmp

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\Code Cache\js\index-dir\temp-index

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\Code Cache\wasm\index-dir\temp-index

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\DawnCache\data_2

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\DawnCache\index

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\GPUCache\data_3

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\GPUCache\index

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\README

C:\Users\user\AppData\Local\pc_app_store\User Data\Default\Shared Dictionary\cache\index-dir\temp-index

C:\Users\user\AppData\Local\pc_app_store\User Data\GrShaderCache\data_1

C:\Users\user\AppData\Local\pc_app_store\User Data\GrShaderCache\index

C:\Users\user\AppData\Local\pc_app_store\User Data\GraphiteDawnCache\index

C:\Users\user\AppData\Local\pc_app_store\User Data\Last Version

Windows Analysis Report
Setup (1).exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre